Edmund

Reputation: 71

SSL Certificate configuration for WSO2 API 3.2

I'm currently trying to configure our WSO2 API Manager 3.2 to use our SSL certificate. I followed the documentation "Creating a New Keystore" and "Configuring Keystores in API Manager".

I have updated the deployment.toml file:

[server]
hostname = "myserver001.internal.net"
....

[keystore.tls]
file_name =  "myKeystore.jks"
type =  "JKS"
password =  "secretpassword"
alias =  "myserver001.internal.net"
key_password =  "secretpassword"

[keystore.primary]
file_name =  "wso2carbon.jks"
type =  "JKS"
password =  "wso2carbon"
alias =  "wso2carbon"
key_password =  "wso2carbon"

The servername is set to myserver001.
The domain name myserver001.internal.net is set in the host file.

After restarting the WSO2 APIM server an exception message is thrown:

SSLException: hostname in certificate didn't match:

  <localhost> != <myserver001.internal.net> OR <myserver001.internal.net>

Does anyone know what I have to change additionally to get around this error, or where I can find additional documentation?

Any help is appreciated.

Upvotes: 2

Views: 1641

Answers (2)

Johnson

Reputation: 116

I was in the exact same situation:

  • Migration from v2.6.0 to v3.2.0
  • Valid certificate
  • SSLException: hostname in certificate didn't match

I tried a lot of things, but after a lot of research, I'd say that there are two possibilities:

  • It's a bug
  • It's a documentation problem, and we have to edit more things to make our certificate work

I believe that you changed the Dhttpclient.hostnameVerifier to a value other than "AllowAll". See the doc about hostname verification.

It's just a workaround and it's probably not that secure, but you'll have to put back the default value for Dhttpclient.hostnameVerifier to avoid this error:

service wso2am-3.2.0 stop
nano /usr/lib/wso2/wso2am/3.2.0/bin/wso2server.sh

-Dhttpclient.hostnameVerifier=AllowAll \

service wso2am-3.2.0 start

Upvotes: 0

ruks

Reputation: 376

Looks like this is due to the missing service_url in the TM/Event hub config. So can you add/update the following config?

[apim.throttling]
...
service_url = "https://myserver001.internal.net:9443/services/"

Upvotes: 1
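
The exception shows a client connecting to `localhost` while the certificate names `myserver001.internal.net`, so one way to find the remaining setting without disabling hostname verification is to list every URL in deployment.toml whose host differs from `[server] hostname`. This is an added example, not part of the answers above or of WSO2's tooling; the sample file is constructed, `find_hostname_mismatches` is a hypothetical helper, and the line-based parser only reads quoted string values.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the question's settings plus a throttling service_url
# still on localhost (an assumed starting state, not copied from the page).
SAMPLE_TOML = '''
[server]
hostname = "myserver001.internal.net"

[keystore.tls]
file_name = "myKeystore.jks"
alias = "myserver001.internal.net"

[apim.throttling]
# comment lines are ignored: https://localhost:9443/
service_url = "https://localhost:9443/services/"
'''

SECTION = re.compile(r'^\s*\[+\s*([^\]\s]+)\s*\]+\s*$')   # [a.b] or [[a.b]]
PAIR = re.compile(r'^\s*([\w.\-]+)\s*=\s*"([^"]*)"')      # key = "value"

def parse_pairs(text):
    """Yield (section, key, value) for quoted string settings (not a full TOML parser)."""
    section = ""
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = PAIR.match(line)
        if m:
            yield section, m.group(1), m.group(2)

def find_hostname_mismatches(text):
    """Return (section.key, host) for each URL whose host differs from [server] hostname."""
    pairs = list(parse_pairs(text))
    expected = next((v for s, k, v in pairs if s == "server" and k == "hostname"), None)
    if expected is None:
        raise ValueError("[server] hostname is not set")
    findings = []
    for section, key, value in pairs:
        host = urlsplit(value).hostname if "://" in value else None
        if host and host.lower() != expected.lower():
            findings.append((f"{section}.{key}", host))
    return findings

if __name__ == "__main__":
    for setting, host in find_hostname_mismatches(SAMPLE_TOML):
        print(f"{setting}: URL host {host!r} differs from the server hostname")
```

A URL that intentionally points at another machine will also be listed, so treat the output as settings to review rather than errors.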
