2016-09-16 173 views
2

I have two servers that need to talk to each other over HTTPS. Host name does not match the certificate subject provided by the peer, but it matches perfectly

For this scenario, let's call them 'server' and 'client', where the 'client' is making HTTPS calls to the 'server'.

In production the server will have a valid CA-signed certificate, but for testing we will use a self-signed certificate.

As far as I understand, this is what we have to do:

  1. Create the certificate
  2. Add it to the keystore on the server
  3. Add it to the trusted cacerts keystore on the client (so … when trying to make HTTPS calls)

This is all done, but when making the call I get this error (it will accept this self-signed certificate):

Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'docker-abc-123' does not match the certificate subject provided by the peer (CN=docker-abc-123, OU=unit, O=org, L=city, ST=area, C=xx) 
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465) [httpclient-4.5.jar:4.5] 
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395) [httpclient-4.5.jar:4.5] 
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353) [httpclient-4.5.jar:4.5] 
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134) [httpclient-4.5.jar:4.5] 
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353) [httpclient-4.5.jar:4.5] 
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380) [httpclient-4.5.jar:4.5] 
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) [httpclient-4.5.jar:4.5] 
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184) [httpclient-4.5.jar:4.5] 
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88) [httpclient-4.5.jar:4.5] 
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) [httpclient-4.5.jar:4.5] 
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) [httpclient-4.5.jar:4.5] 
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) [httpclient-4.5.jar:4.5] 
at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:91) [spring-web-4.1.4.RELEASE.jar:4.1.4.RELEASE] 
at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48) [spring-web-4.1.4.RELEASE.jar:4.1.4.RELEASE] 
at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53) [spring-web-4.1.4.RELEASE.jar:4.1.4.RELEASE] 
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:568) [spring-web-4.1.4.RELEASE.jar:4.1.4.RELEASE] 
... 10 more 

even though the host name matches the "Common Name" in the certificate exactly. What could be causing this? Any ideas are welcome!

Answer

5

If a Subject Alternative Name extension is present in the certificate, the Common Name is ignored, and the SAN must contain a matching identifier for the host.

+0

I had just found the same thing and came back to write it up, only to find your answer, heh. We only had other names in there, but not the actual CN. I'll try it and mark it as correct once I've confirmed it fixes the problem. (More info here: http://wiki.cacert.org/FAQ/subjectAltName) – JavaDevSweden
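The rule in the answer (when a SAN extension is present, it replaces the Common Name for host name matching) can be checked outside the JVM with the openssl command line, which applies the same logic as HttpClient's DefaultHostnameVerifier. The script below is an added example written for this page, not code from the thread or from Apache HttpClient. It builds three constructed self-signed certificates whose subject is the one printed in the error message, asks openssl to verify each one for the host docker-abc-123, and prints the SAN extension each time so you can see what the verifier sees. It assumes OpenSSL 1.1.1 or newer is installed (the -addext and -ext options); the certificate names and the SAN value other-name are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the hostname-verification
# failure from the question with openssl, and show what fixes it.
set -eu

HOST=docker-abc-123                 # host name taken from the question's error
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME SAN_LIST
#   Self-signed cert whose subject is the one from the error message
#   (CN=$HOST). SAN_LIST is an openssl SAN value such as "DNS:other-name";
#   pass "" to produce a certificate with no SAN extension at all.
make_cert() {
    name=$1; san=$2
    set -- req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" \
        -subj "/CN=$HOST/OU=unit/O=org/L=city/ST=area/C=xx"
    [ -n "$san" ] && set -- "$@" -addext "subjectAltName=$san"
    openssl "$@" >/dev/null 2>&1
}

# check_host NAME
#   Verify NAME's cert for $HOST, trusting the cert itself as the anchor
#   (it is self-signed, exactly as in the test setup from the question).
#   Prints "ok" or "mismatch" and returns 0 or 1 accordingly.
check_host() {
    if openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$HOST" \
            "$WORK/$1.pem" >/dev/null 2>&1; then
        echo ok; return 0
    else
        echo mismatch; return 1
    fi
}

# list_san NAME : print the SAN extension, or a note when there is none.
list_san() {
    openssl x509 -in "$WORK/$1.pem" -noout -ext subjectAltName 2>/dev/null \
        || echo "(no SAN extension)"
}

# Constructed certificates: same CN in all three, different SAN contents.
make_cert san_other_only "DNS:other-name"        # SAN present, host missing
make_cert san_with_host "DNS:other-name,DNS:$HOST"   # SAN lists the host
make_cert no_san ""                              # no SAN: CN is consulted

echo "== CN=$HOST, SAN without the host (the question's situation)"
list_san san_other_only
check_host san_other_only || true   # mismatch: CN is ignored because a SAN exists

echo "== CN=$HOST, SAN includes the host"
list_san san_with_host
check_host san_with_host            # ok

echo "== CN=$HOST, no SAN extension"
list_san no_san
check_host no_san                   # ok: verifier falls back to the CN
```

The first certificate is the case from the question: the CN is right, but because a SAN extension exists, only its entries count, so verification reports a host name mismatch. The certificate whose SAN lists the host verifies, and so does the one with no SAN at all, where the verifier falls back to the CN. For the JVM side this means the self-signed certificate placed in the server keystore and the client's cacerts must carry the server's host name in its SAN (or carry no SAN), rather than relying on the CN.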
