Certificate for <x.x.x.x> doesn't match any of the subject alternative names
I am using WSO2 Identity Server as an internal key manager of WSO2 API Manager, use Shared_db, and started the two servers based on the documentation here. I got this error in API Manager:
ERROR {org.wso2.carbon.apimgt.rest.api.util.exception.GlobalThrowableMapper} - An unknown exception has been captured by the global exception mapper. feign.RetryableException: Certificate for <x.x.x.x> doesn't match any of the subject alternative names: [localhost] executing GET https://x.x.x.x:9443/oauth2/token/.well-known/openid-configuration.
xxxx is the Identity Server IP.
The error simply indicated that the certificate you have for IS has the CN localhost and you are trying to access it with a different host (in this case IP), which causes the hostname verification to fail.
The correct solution to resolve this issue is to create proper certificates with correct CN/SAN names and use one of them to access Identity Server.
As a workaround, although it's not recommended, you can try disabling hostname verification by adding the following properties to the server startup script. (Not sure what the exact parameter is that will do the trick, but try the following.)
-Dorg.opensaml.httpclient.https.disableHostnameVerification=true \
-Dhttpclient.hostnameVerifier=AllowAll \
-Dfeign.httpclient.disableSslValidation=true \
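Why the default certificate fails for the IP address, as an added example that is not part of the original answers: a Python version of the SAN matching rules a TLS client applies, run over certificates in the dict layout of `ssl.SSLSocket.getpeercert()`. The three sample certificates and the address 192.0.2.10 (standing in for x.x.x.x) are constructed for illustration.

```python
import ipaddress

# Constructed sample certificates in the dict layout of ssl.SSLSocket.getpeercert().
# 192.0.2.10 is a documentation address standing in for the page's x.x.x.x.
DEFAULT_CERT = {"subjectAltName": (("DNS", "localhost"),)}
IP_AS_DNS_CERT = {"subjectAltName": (("DNS", "192.0.2.10"),)}
FIXED_CERT = {"subjectAltName": (("DNS", "is.wso2.com"), ("IP Address", "192.0.2.10"))}


def dns_match(pattern, host):
    """Case-insensitive label match; '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and needs two fixed labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def check_host(cert, target):
    """Return (ok, reason) for a client connecting to `target` and receiving `cert`."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target is compared only with iPAddress entries, never with dNSName.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "matched iPAddress SAN " + value
        return False, "no iPAddress SAN equals " + target
    for kind, value in sans:
        if kind == "DNS" and dns_match(value, target):
            return True, "matched dNSName SAN " + value
    return False, "no dNSName SAN matches " + target


if __name__ == "__main__":
    for name, cert in (("default", DEFAULT_CERT), ("ip-as-dns", IP_AS_DNS_CERT), ("fixed", FIXED_CERT)):
        for target in ("localhost", "192.0.2.10", "is.wso2.com"):
            print(name, target, check_host(cert, target))
```

The `ip-as-dns` case shows that putting the address into a DNS-type SAN does not satisfy a client that connects by IP; the certificate needs an IP-type SAN entry, or the client must connect by a hostname the certificate lists.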
We had the same issue when upgrading from IS 5.11.0 to 6.0.0.
The SSL certificates generated with Let's Encrypt didn't have localhost as a Security Alternative Name (SAN). The workaround with self-signed certificates that include localhost as SAN is ok, but not what we needed.
We have bypassed it by adding the internal_hostname parameter under the [server] block inside the <IS_HOME>/repository/conf/deployment.toml config file:
[server]
hostname = "is.wso2.com"
internal_hostname = "is.wso2.com"
Make sure you replace is.wso2.com with your DNS. More details can be found here: https://is.docs.wso2.com/en/latest/deploy/change-the-hostname/