Hostname in certificate didn't match in OAuth request

Question

I have created certificate through openssl

Openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"

and import tls.crt through keytool in java as well

keytool -import -file C:\Code_Base\Certificates\NGINX_150\tls.crt -storepass changeit -keystore "C:\Program Files\Java\jdk1.8.0_152\jre\lib\security\cacerts"

But i am getting

16:30:21,046 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) failed to turn code into token: javax.net.ssl.SSLException: hostname in certificate didn't match: <135.209.100.150> != at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:159) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:140) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:561) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:536) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109) [keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107) [keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327) [keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273) [keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130) [keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:208) [keycloak-tomcat-core-adapter-2.4.0.Final.jar:2.4.0.Final] at org.keycloak.adapters.jbossweb.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:39) [keycloak-as7-adapter-2.4.0.Final.jar:2.4.0.Final] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187) [keycloak-tomcat-core-adapter-2.4.0.Final.jar:2.4.0.Final] at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_152]

Answer 1

A common name mismatch error occurs when the common name (or SANs) of your SSL/TLS certificate does not match the host + domain name that another service connects to when trying to reach your service.

Your CommonName (CN=nginxsvc) should match the host and domain name / IP of the service. So if your service is at nginxservice.yourdomain.com, the certificate commonname should also be nginxservice.yourdomain.com. If you are using an IP just for development purposes, you can also use that until you have a DNS entry for your service.