
Certificate for <x.x.x.x> doesn't match any of the subject alternative names

I am using WSO2 Identity Server as an internal key manager of WSO2 API Manager, and I use Shared_db and start two servers based on the documentation here. I got this error in API Manager:

 ERROR {org.wso2.carbon.apimgt.rest.api.util.exception.GlobalThrowableMapper} - An unknown exception has been captured by the global exception mapper. feign.RetryableException: Certificate for <x.x.x.x> doesn't match any of the subject alternative names: [localhost] executing GET https://x.x.x.x:9443/oauth2/token/.well-known/openid-configuration.

xxxx is the Identity Server IP.

The error simply indicates that the certificate you have for IS has the CN localhost and you are trying to access it with a different host (in this case, an IP), which causes the hostname verification to fail.

The correct solution to resolve this issue is to create proper certificates with correct CN/SAN names and use one of them to access Identity Server.

As a workaround, although it's not recommended, you can try disabling hostname verification by adding the following properties to the server startup script. (Not sure what's the exact parameter that will do the trick, but try the following.)

-Dorg.opensaml.httpclient.https.disableHostnameVerification=true \
-Dhttpclient.hostnameVerifier=AllowAll \
-Dfeign.httpclient.disableSslValidation=true \

We had the same issue when upgrading from IS 5.11.0 to 6.0.0.

The SSL certificates generated with Let's Encrypt didn't have localhost as a Security Alternative Name (SAN). The workaround with self-signed certificates that include localhost as SAN is OK, but not what we needed.

We have bypassed it by adding the internal_hostname parameter under the [server] block inside the <IS_HOME>/repository/conf/deployment.toml config file:

[server]
hostname = "is.wso2.com"
internal_hostname = "is.wso2.com"

Make sure you replace is.wso2.com with your DNS. More details can be found here: https://is.docs.wso2.com/en/latest/deploy/change-the-hostname/
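
The hostname check that both answers describe, as an added example (not code from the original posts or from WSO2): it compares the name used in the URL with a certificate's subject alternative names, following the usual HTTPS rule that an IP literal is matched only against IP-type entries. It assumes certificates in the dict layout of Python's ssl.SSLSocket.getpeercert(); the sample certificates and the address 192.0.2.10 (standing in for x.x.x.x) are constructed.

```python
import ipaddress

def _as_ip(text):
    """Return an ip_address object, or None when text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Case-insensitive label match; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # refuse '*.com'-style patterns
    return p == h

def san_matches(cert, host):
    """cert uses the dict layout returned by ssl.SSLSocket.getpeercert()."""
    sans = cert.get("subjectAltName", ())
    ip = _as_ip(host)
    if ip is not None:
        # An IP literal is compared only with iPAddress entries, never DNS ones.
        return any(k == "IP Address" and _as_ip(v) == ip for k, v in sans)
    return any(k == "DNS" and _dns_match(v, host) for k, v in sans)

# Constructed sample certificates (not taken from a real server).
# 192.0.2.10 is a documentation address standing in for the page's x.x.x.x.
DEFAULT_CERT = {"subjectAltName": (("DNS", "localhost"),)}
PUBLIC_CERT = {"subjectAltName": (("DNS", "is.wso2.com"),)}
FIXED_CERT = {"subjectAltName": (("DNS", "is.wso2.com"), ("DNS", "localhost"),
                                 ("IP Address", "192.0.2.10"))}

def check(cert, hosts=("192.0.2.10", "localhost", "is.wso2.com")):
    """Map each name a client might put in the URL to pass/fail."""
    return {h: san_matches(cert, h) for h in hosts}

if __name__ == "__main__":
    for name, cert in (("default", DEFAULT_CERT), ("public", PUBLIC_CERT),
                       ("fixed", FIXED_CERT)):
        print(name, check(cert))
```

DEFAULT_CERT reproduces the first answer's case (SAN [localhost], URL uses the IP) and PUBLIC_CERT the second (public DNS name only, internal calls go to localhost); FIXED_CERT lists every name clients actually use, so verification can stay enabled.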
