2016-09-16 78 views
2

我有兩臺服務器需要使用HTTPS相互通話。主機名稱與對等方提供的證書主題不匹配,但它完美匹配

在這種情況下,我們稱之爲'服務器'和'客戶端',其中'客戶端正在對'服務器'進行https呼叫。

在生產中,服務器將擁有有效的CA證書,但在測試時我們將使用自簽名證書。

據我所知,這是我們必須做的:

  1. 創建證書
  2. 將其添加到密鑰存儲在服務器上
  3. 將其添加到可信任的cacerts密鑰存儲在客戶端(使

    :當試圖進行HTTPS調用)

這是所有做,但在致電時我得到這個錯誤,它會接受這種自簽名的證書

Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'docker-abc-123' does not match the certificate subject provided by the peer (CN=docker-abc-123, OU=unit, O=org, L=city, ST=area, C=xx) 
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465) [httpclient-4.5.jar:4.5] 
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395) [httpclient-4.5.jar:4.5] 
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353) [httpclient-4.5.jar:4.5] 
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134) [httpclient-4.5.jar:4.5] 
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353) [httpclient-4.5.jar:4.5] 
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380) [httpclient-4.5.jar:4.5] 
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) [httpclient-4.5.jar:4.5] 
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184) [httpclient-4.5.jar:4.5] 
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88) [httpclient-4.5.jar:4.5] 
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) [httpclient-4.5.jar:4.5] 
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) [httpclient-4.5.jar:4.5] 
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) [httpclient-4.5.jar:4.5] 
at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:91) [spring-web-4.1.4.RELEASE.jar:4.1.4.RELEASE] 
at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48) [spring-web-4.1.4.RELEASE.jar:4.1.4.RELEASE] 
at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53) [spring-web-4.1.4.RELEASE.jar:4.1.4.RELEASE] 
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:568) [spring-web-4.1.4.RELEASE.jar:4.1.4.RELEASE] 
... 10 more 

即使主機名與證書中的「公用名」完全匹配。什麼可能導致這種情況?任何想法都歡迎!

回答

5

如果證書中存在主題備用名稱擴展名,則忽略通用名稱,並且SAN必須包含主機的匹配標識符。

+0

我剛剛找到相同的東西,回來寫它,只是爲了找到你的答案,嘿嘿。我們在那裏只有其他名稱,但不是那裏的實際CN。當我確認它解決了問題時,我會嘗試並標記爲正確。 (更多信息在這裏:http://wiki.cacert.org/FAQ/subjectAltName) – JavaDevSweden

相關問題