Reputation: 419
curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer 90d2c018-73d1-324b-b121-a162cf870ac0' 'https://172.17.0.1:8243/V1.0.2/stock/getNA?name=te'
The terminal prompted
"curl: (51) SSL: certificate subject name (localhost) does not match target host name '172.17.0.1' "
However, after I changed the "172.17.0.1" to "localhost", it worked and I got the result.
Why? Is there a wrong configuration somewhere? Meanwhile, there isn't any log information in file http_access.log.
Upvotes: 15
Views: 102631
Reputation: 3507
As others have hinted, this is failing because the TLS negotiation checks that the cert matches the hostname in the URL.
What's new is that curl now supports this scenario via a connect-to option. So, if your curl is sufficiently new (v7.18.1) this should work:
curl -X GET 'https://localhost/V1.0.2/stock/getNA?name=te' \
--header 'Authorization: Bearer 90d2c018-73d1-324b-b121-a162cf870ac0' \
--header 'Accept: application/json' \
--connect-to localhost:443:172.17.0.1:8243
Credit: https://stackoverflow.com/a/50279590/1662031
Similarly, you may be able to leverage curl's resolve option:
curl -X GET 'https://localhost:8243/V1.0.2/stock/getNA?name=te' \
--header 'Authorization: Bearer 90d2c018-73d1-324b-b121-a162cf870ac0' \
--header 'Accept: application/json' \
--resolve localhost:8243:172.17.0.1
Upvotes: 0
Reputation: 1009
I had this problem when trying to pull from a Git directory after I'd added a new SSH key and my Git repository moved.
In the fray, Git's CN got confused. The solution for me was to delete the git directory and re-clone it via SSH. As the other users hinted at, you can't change the CN of a website's certificate, so you'll have to change the setting on your computer that has the wrong CN, or avoid using HTTPS (and use SSH like I did).
Upvotes: 0
Reputation: 141
I actually had this problem and found a fix:
I was requesting a URI like 'http://some.example', but the variable for HTTPS was set to '1'
Upvotes: 1
Reputation: 12513
CN of the default WSO2 certificate is localhost. Therefore you have to use localhost as the hostname when you send requests. Otherwise, the hostname verification fails.
If you want to use any other hostname, you should generate a certificate with that hostname, as Jena has mentioned.
Upvotes: 5
Reputation: 1401
When the SSL handshake happens, the client will verify the server certificate. In the verification process, the client will try to match the Common Name (CN) of the certificate with the domain name in the URL. If both are different, host name verification will fail. In your case the certificate has CN as localhost, and when you try to invoke using the IP address, it fails. When you create the cert you can have a single host name / multiple host names / wildcard host name as the CN value.
For more details, see:
Upvotes: 12
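The hostname check described in the answers above, as an added example that is not part of the original posts: a simplified Python model of the RFC 2818 matching rules, showing why a certificate for localhost is rejected for 172.17.0.1 and what a reissued certificate has to contain. The certificate dictionaries, the helper names and the name `*.apim.example.test` are constructed for illustration.

```python
import ipaddress

def _as_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Compare one certificate DNS name with the requested host, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):            # a wildcard never spans more than one label
        return False
    if p[0] == "*" and len(p) > 2:  # wildcard only as the whole leftmost label
        return h[0] != "" and p[1:] == h[1:]
    return p == h

def verify_host(cert, target):
    """cert: {"cn": str, "san_dns": [str], "san_ip": [str]} (simplified model)."""
    target_ip = _as_ip(target)
    if target_ip is not None:
        # IP targets need an iPAddress SAN entry; DNS names and the CN do not count.
        return any(_as_ip(ip) == target_ip for ip in cert.get("san_ip", []))
    san_dns = cert.get("san_dns", [])
    if san_dns:
        # When dNSName SAN entries exist, the CN is ignored.
        return any(_dns_match(name, target) for name in san_dns)
    # No dNSName SAN: fall back to the subject CN.
    return _dns_match(cert.get("cn", ""), target)

# Constructed sample certificates (assumed contents, not read from a real keystore).
DEFAULT_CERT = {"cn": "localhost", "san_dns": [], "san_ip": []}
REISSUED_CERT = {
    "cn": "localhost",
    "san_dns": ["localhost", "*.apim.example.test"],
    "san_ip": ["172.17.0.1"],
}

if __name__ == "__main__":
    for label, cert in (("default", DEFAULT_CERT), ("reissued", REISSUED_CERT)):
        for host in ("localhost", "172.17.0.1", "gw.apim.example.test"):
            result = "ok" if verify_host(cert, host) else "MISMATCH"
            print(f"{label:9} {host:22} {result}")
```
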