证书中的主机名与通配符证书不匹配
[英]Hostname in certificate didn't match on wildcard cert
问题描述
This may be an apache/server configuration, or it might require a Java solution. 
这可能是apache /服务器配置,或者可能需要Java解决方案。 On my server I have a few subdomains. 在我的服务器上,我有几个子域。 I force https on all subdomains and I have a wildcard ssl certificate that is used for all subdomains. 我在所有子域上强制使用https,并且我拥有用于所有子域的通配符ssl证书。
When I go to https://myapp1.myvendor.com and view the certificate in the browser I see the following common name: 当我转到https://myapp1.myvendor.com并在浏览器中查看证书时,我看到以下通用名称:
CN = *.myvendor.com CN = * .myvendor.com
I also have a Java program that posts to https://myapp1.myvendor.com/post.php however when I post from Java using: 我也有一个Java程序发布到https://myapp1.myvendor.com/post.php,但是当我使用以下方法从Java发布时:
org.apache.http.client.methods.HttpPost httpPost = new HttpPost("https://myapp1.myvendor.com/post.php");
HttpResponse response = httpClient.execute(httpPost);
I get the following error: 我收到以下错误:
javax.net.ssl.SSLException: hostname in certificate didn't match:
<myapp1.myvendor.com> != <myvendor.com> OR <myvendor.com> OR <www.myvendor.com>
What strikes me as odd is that it is trying to match myvendor.com or www.myvendor.com not *.myvendor.com. 让我感到奇怪的是,它试图匹配myvendor.com或www.myvendor.com而不是* .myvendor.com。 I do have a certificate installed for myvendor.com, but I stopped using it in favor of the wildcard cert. 我确实为myvendor.com安装了证书,但为了通配符证书而停止使用它。
Any suggestions? 有什么建议么? Do you need more information? 你需要更多的信息?
Apache Config: Apache Config:
<VirtualHost *:443>
SSLEngine On
SSLCertificateFile /etc/pki/tls/certs/27c7d7842bf94d.crt
SSLCertificateKeyFile /etc/pki/tls/private/mydomain.key
SSLCACertificateFile /etc/pki/tls/certs/my_cert.crt
ServerName myapp1.myvendor.com
DocumentRoot /var/www/myvendor/myapp1/src/
ErrorLog /var/www/logs/myapp1/error.log
CustomLog /var/www/logs/myapp1/access.log combined
<Directory /var/www/myvendor/myapp1/src/>
AllowOverride All
</Directory>
</VirtualHost>
I also found this in a different config file that IS loaded: 我也在加载的另一个配置文件中找到了这个:
<VirtualHost _default_:443>
SSLCertificateFile /etc/pki/tls/certs/local.crt
SSLCertificateKeyFile /etc/pki/tls/private/local.key
SSLCACertificateFile /etc/pki/tls/certs/my_local_cert.crt
</VirtualHost>
I think it is getting this cert because this cert has: 我认为它正在获得此证书,因为该证书具有:
subject Alternative name:
DNS Name=myvendor.com
DNS Name=www.myvendor.com
which matches the error from Java. 匹配来自Java的错误。 If this is the case my question is why is Java getting this cert as opposed to the one that the browser gets? 如果是这种情况,我的问题是,为什么Java获得此证书而不是浏览器获得的证书?
1 个解决方案
解决方案1
0 2014-03-29 06:01:53
It looks like you are using SNI, eg multiple https servers on the same IP with different certificates. 看起来您正在使用SNI,例如,同一IP上具有不同证书的多个https服务器。 In this case have a look at Server Name Indication (SNI) on Java how to use SNI in Java. 在这种情况下,请查看Java上的服务器名称指示(SNI),以及如何在Java中使用SNI。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.