Host name does not match the certificate subject provided by the peer, but it's a perfect match


Problem description

I have two servers that need to speak with each other using HTTPS.

Let's call them 'server' and 'client' in this case, where 'client' is making an https call to 'server'.

In production the server will have a valid CA certificate but while testing we will use a self-signed certificate.

As I understand it this is what we have to do:


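  1. Create the certificate

  2. Add it to the keystore on the server

  3. Add it to the trusted cacerts keystore on the client (so that it will accept this self-signed certificate when trying to make the https call)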

This is all done, but when making the call I get this error:

Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'docker-abc-123' does not match the certificate subject provided by the peer (CN=docker-abc-123, OU=unit, O=org, L=city, ST=area, C=xx)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465) [httpclient-4.5.jar:4.5]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395) [httpclient-4.5.jar:4.5]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353) [httpclient-4.5.jar:4.5]
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134) [httpclient-4.5.jar:4.5]
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353) [httpclient-4.5.jar:4.5]
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380) [httpclient-4.5.jar:4.5]
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) [httpclient-4.5.jar:4.5]
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184) [httpclient-4.5.jar:4.5]
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88) [httpclient-4.5.jar:4.5]
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) [httpclient-4.5.jar:4.5]
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) [httpclient-4.5.jar:4.5]
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) [httpclient-4.5.jar:4.5]
at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:91) [spring-web-4.1.4.RELEASE.jar:4.1.4.RELEASE]
at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48) [spring-web-4.1.4.RELEASE.jar:4.1.4.RELEASE]
at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53) [spring-web-4.1.4.RELEASE.jar:4.1.4.RELEASE]
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:568) [spring-web-4.1.4.RELEASE.jar:4.1.4.RELEASE]
... 10 more

Even though the host name exactly matches the "Common Name" in the certificate. What can possibly cause this? Any ideas are welcome!

Recommended answer

If there is a Subject Alternative Names extension in the certificate, the common name is ignored, and the SAN must include a matching identifier for your host.
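The rule in the answer, as an added Python example (not code from the original post or from HttpClient): it models the matching order on a certificate given in the dict layout of `ssl.SSLSocket.getpeercert()`, and shows a certificate whose CN equals the host name still failing because its SAN lists other names. The sample certificates, the wildcard handling and the CN fallback when no SAN exists are assumptions of this sketch.

```python
import ipaddress

def _dns_match(pattern, hostname):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, _, rest = h.partition(".")
    return bool(head) and rest == p[2:]

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def verify_hostname(cert, hostname):
    """Return (ok, reason) for a cert in ssl.SSLSocket.getpeercert() layout."""
    sans = cert.get("subjectAltName", ())
    if sans:
        # SAN extension present: the subject CN is never consulted.
        want = "IP Address" if _is_ip(hostname) else "DNS"
        for kind, value in sans:
            if kind != want:
                continue
            if want == "DNS":
                hit = _dns_match(value, hostname)
            else:
                hit = ipaddress.ip_address(value) == ipaddress.ip_address(hostname)
            if hit:
                return True, "matched SAN %s:%s" % (kind, value)
        return False, "SAN present, no %s entry matches; CN ignored" % want
    # No SAN extension: fall back to the subject common name (assumed here).
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, hostname):
                return True, "matched CN:" + value
    return False, "no SAN and CN does not match"

# Constructed sample certificates (not the certificate from the question).
SUBJECT = ((("commonName", "docker-abc-123"),),)
CERT_SAN_OTHER = {"subject": SUBJECT, "subjectAltName": (("DNS", "localhost"), ("IP Address", "127.0.0.1"))}
CERT_CN_ONLY = {"subject": SUBJECT}
CERT_SAN_FIXED = {"subject": SUBJECT, "subjectAltName": (("DNS", "docker-abc-123"),)}

if __name__ == "__main__":
    for name in ("CERT_SAN_OTHER", "CERT_CN_ONLY", "CERT_SAN_FIXED"):
        print(name, verify_hostname(globals()[name], "docker-abc-123"))
```

For a self-signed test certificate the fix is to reissue it with a SAN entry for the host name the client connects to (keytool accepts `-ext SAN=dns:<host>` when generating the key pair), rather than relaxing hostname verification on the client.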
