How can I resolve the error "certificate subject name does not match target host name"?

5

15
  curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer 90d2c018-73d1-324b-b121-a162cf870ac0' 'https://172.17.0.1:8243/V1.0.2/stock/getNA?name=te'

The terminal prompted

"curl: (51) SSL: certificate subject name (localhost) does not match target host name '172.17.0.1' "

However, after I changed the "172.17.0.1" to "localhost", it worked and I got the result.

Why? Is there a wrong configuration somewhere? Meanwhile, there isn't any log information in file http_access.log.

Peoria answered 29/12, 2016 at 9:45 Comment(0)
12

When the SSL handshake happens, the client will verify the server certificate. In the verification process, the client will try to match the Common Name (CN) of the certificate with the domain name in the URL. If both are different, host name verification will fail. In your case, the certificate has CN as localhost, and when you try to invoke using the IP address, it fails. When you create the cert, you can have a single host name / multiple host names / a wildcard host name as the CN value.

For more details, see:

Premillennialism answered 29/12, 2016 at 10:9 Comment(2)
Then, the official API Console can do the curl command successfully. I just did it as in the official steps: changed wso2carbon.jks to a .pem file and copied the content of the .pem file to /etc/ssl/certs/ca-certificates.crt. Then what happened is the above. I wonder why it did not work even though they are both the same. - Peoria
If I generate a cert with a new hostname, how can I use it? Is it not like this: I put the cert in ca-certification.crt, change the .pem cert to jks, and append the content of the .jks file to API MANAGER's wso2carbon.jks? - Peoria
5

CN of the default WSO2 certificate is localhost. Therefore you have to use localhost as the hostname when you send requests. Otherwise, the hostname verification fails.

If you want to use any other hostname, you should generate a certificate with that hostname, as Jena has mentioned.

Prize answered 29/12, 2016 at 13:7 Comment(4)
Then, the official API Console can do the curl command successfully. I just did it as in the official steps: changed wso2carbon.jks to a .pem file and copied the content of the .pem file to /etc/ssl/certs/ca-certificates.crt. Then what happened is the above. I wonder why it did not work even though they are both the same. - Peoria
If I generate a cert with a new hostname, how can I use it? Is it not like this: I put the cert in ca-certification.crt, change the .pem cert to jks, and append the content of the .jks file to API MANAGER's wso2carbon.jks? - Peoria
Is there any way I can invoke with the IP address? @Bhathiya - Peoria
No, if you need to use something other than localhost, you have to generate a new cert. Read docs.wso2.com/display/ADMIN44x/… - Prize
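What "generate a certificate with that hostname" means when the target is an IP address, as an added example that is not part of the original answers. It assumes the `openssl` CLI (1.1.1 or later) as a stand-in for the WSO2 keystore tooling; the file names and the one-day self-signed certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: constructed certificates, not WSO2's own keystore.

# make_cert PREFIX CN [SAN]: write a self-signed PREFIX.key / PREFIX.pem.
make_cert() {
    if [ -n "${3:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
            -addext "subjectAltName=$3" \
            -keyout "$1.key" -out "$1.pem" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
            -keyout "$1.key" -out "$1.pem" 2>/dev/null
    fi
}

# name_matches CERT TARGET: succeed if TARGET (host name or IPv4 address)
# is covered by CERT according to OpenSSL's own matching rules.
name_matches() {
    case $2 in
        *[!0-9.]*) check=-checkhost ;;  # has a non-digit/dot: treat as host name
        *)         check=-checkip ;;    # dotted quad: compared with IP SAN entries
    esac
    openssl x509 -in "$1" -noout "$check" "$2" | grep -q 'does match'
}

report() {
    if name_matches "$1" "$2"; then
        echo "$(basename "$1"): $2 OK"
    else
        echo "$(basename "$1"): $2 MISMATCH"
    fi
}

workdir=$(mktemp -d)
# Same shape as the certificate on this page: CN=localhost, no SAN.
make_cert "$workdir/default" localhost
# Reissued certificate that names both the host name and the IP address.
make_cert "$workdir/reissued" localhost "DNS:localhost,IP:172.17.0.1"

for target in localhost 172.17.0.1; do
    report "$workdir/default.pem" "$target"
    report "$workdir/reissued.pem" "$target"
done
rm -rf "$workdir"
```

An IP address in the URL is only matched by an `IP:` entry in the subjectAltName extension, which is why the reissued certificate lists `172.17.0.1` there as well as the host name.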
1

I actually had this problem and found a fix:

I was requesting a URI like 'http://some.example', but the variable for HTTPS was set to '1'

Heptagonal answered 14/9, 2017 at 14:50 Comment(1)
Helped because I changed my password in my organisation and for some reason this approach let me insert a new password in the terminal, which then brought success. I used "https" and changed to "http". - Mingrelian
0

I had this problem when trying to pull from a Git directory after I'd added a new SSH key and my Git repository moved.

In the fray, Git's CN got confused. The solution for me was to delete the git directory and re-clone it via SSH. As the other users hinted at, you can't change the CN of a website's certificate, so you'll have to change the setting on your computer that has the wrong CN, or avoid using HTTPS (and use SSH like I did).

Witham answered 16/1, 2018 at 17:6 Comment(0)
0

As others have hinted, this is failing because the TLS negotiation checks that the cert matches the hostname in the URL.

What's new is that curl now supports this scenario via a connect-to option. So, if your curl is sufficiently new (v7.18.1) this should work:

curl -X GET 'https://localhost/V1.0.2/stock/getNA?name=te' \
    --header 'Authorization: Bearer 90d2c018-73d1-324b-b121-a162cf870ac0' \
    --header 'Accept: application/json'  \
    --connect-to localhost:443:172.17.0.1:8243 

Credit: https://mcmap.net/q/824583/-curl-how-to-specify-target-hostname-for-https-request

Similarly, you may be able to leverage curl's resolve option:

# The --resolve entry must name the same port as the URL (8243 here)
curl -X GET 'https://localhost:8243/V1.0.2/stock/getNA?name=te' \
    --header 'Authorization: Bearer 90d2c018-73d1-324b-b121-a162cf870ac0' \
    --header 'Accept: application/json' \
    --resolve localhost:8243:172.17.0.1
Grow answered 26/2, 2022 at 6:54 Comment(0)
