Error when using custom truststore in java


I am trying to test using a private certificate on a network load balancer issued through AWS Private CA.

It is a cross-account setup. The app is calling a VPC endpoint (same account as the app) which is linked to an endpoint service (different account). The endpoint service is behind a network load balancer. I have installed the private certificate on the NLB. The certificate has 2 domains listed, which are used as private DNS names for the endpoint and endpoint service.

I have created a custom JKS truststore which holds the root certificate and created a custom web client to use HTTPS.

When the application calls the private DNS URL, I see this error in the logs:

"stack_trace": "j.n.s.SSLPeerUnverifiedException: Certificate for <private dns name> doesn't match any of the subject alternative names [sqs.ap-southeast-2.amazonaws.com, ap-southeast-2.queue.amazonaws.com,*.sqs.ap-southeast-2.vpce.amazonaws.com]\
\tat o.a.h.c.h.s.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:165)\
\tat o.a.h.c.h.s.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:120)\
\tat o.a.h.c.h.s.TlsSessionValidator.verifySession(TlsSessionValidator.java:113)\
\tat o.a.h.c.h.s.SSLConnectionSocketFactory.verifySession(SSLConnectionSocketFactory.java:340)\
\tat o.a.h.c.h.s.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:329)\
\tat o.a.h.c.h.s.SSLConnectionSocketFactory.executeHandshake(SSLConnectionSocketFactory.java:304)\
\tat o.a.h.c.h.s.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:275)\
\tat o.a.h.c.h.s.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:251)\
\tat o.a.h.c.h.i.i.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:181)\
\tat o.a.h.c.h.i.i.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:447)\
\tat o.a.h.c.h.i.c.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:162)\
\tat o.a.h.c.h.i.c.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:172)\
\tat o.a.h.c.h.i.c.ConnectExec.execute(ConnectExec.java:142)\
\tat o.a.h.c.h.i.c.ExecChainElement.execute(ExecChainElement.java:51)\
\tat o.a.h.c.h.i.c.ProtocolExec.execute(ProtocolExec.java:192)\
\tat o.a.h.c.h.i.c.ExecChainElement.execute(ExecChainElement.java:51)\
\tat o.a.h.c.h.i.c.HttpRequestRetryExec.execute(HttpRequestRetryExec.java:96)\
\tat o.a.h.c.h.i.c.ExecChainElement.execute(ExecChainElement.java:51)\
\tat o.a.h.c.h.i.c.ContentCompressionExec.execute(ContentCompressionExec.java:152)\
\tat o.a.h.c.h.i.c.ExecChainElement.execute(ExecChainElement.java:51)\
\tat o.a.h.c.h.i.c.RedirectExec.execute(RedirectExec.java:115)\
\tat o.a.h.c.h.i.c.ExecChainElement.execute(ExecChainElement....\"
}

I am confused as to why it is giving me an error for [sqs.ap-southeast-2.amazonaws.com, ap-southeast-2.queue.amazonaws.com, *.sqs.ap-southeast-2.vpce.amazonaws.com]

Anyone know what this error means and how to resolve this?

Thanks
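As an added diagnostic example (not code from the post above): a small Java probe that loads a custom JKS truststore, completes a TLS handshake to the private DNS name with SNI set, and prints the dNSName SAN entries of the leaf certificate the server actually presents, so the name in the SSLPeerUnverifiedException can be compared with the certificate the NLB is serving. The class name SanProbe, the argument order and the wildcard matcher are assumptions; if the presented chain does not validate against the truststore, the handshake throws a trust error instead, which separates an untrusted-chain problem from a hostname-mismatch problem.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.*;

public class SanProbe {
    // usage: java SanProbe <private-dns-name> <truststore.jks> <truststore-password>
    public static void main(String[] args) throws Exception {
        String host = args[0];
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[1])) {
            ts.load(in, args[2].toCharArray());          // only the private root CA is trusted
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            SSLParameters p = sock.getSSLParameters();
            p.setServerNames(List.of(new SNIHostName(host))); // SNI selects the cert on a multi-cert listener
            // A raw SSLSocket does no hostname check unless setEndpointIdentificationAlgorithm("HTTPS")
            // is set, so the handshake succeeds here and the presented certificate can be inspected.
            sock.setSSLParameters(p);
            sock.startHandshake();
            X509Certificate leaf = (X509Certificate) sock.getSession().getPeerCertificates()[0];
            System.out.println("Subject: " + leaf.getSubjectX500Principal());
            System.out.println("Issuer:  " + leaf.getIssuerX500Principal());
            boolean match = false;
            Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
            if (sans != null) for (List<?> san : sans) {
                if ((Integer) san.get(0) == 2) {           // GeneralName type 2 = dNSName
                    String dns = (String) san.get(1);
                    System.out.println("SAN dNSName: " + dns);
                    if (matches(dns, host)) match = true;
                }
            }
            System.out.println(match ? "hostname matches a SAN"
                    : "no SAN matches " + host + ": an HTTPS client's hostname verifier will reject this cert");
        }
    }

    /** RFC 6125-style comparison: exact match, or a wildcard covering exactly one leftmost label. */
    static boolean matches(String san, String host) {
        san = san.toLowerCase(); host = host.toLowerCase();
        if (!san.startsWith("*.")) return san.equals(host);
        String suffix = san.substring(1);                   // ".sqs.<region>.vpce.amazonaws.com"
        return host.endsWith(suffix) && host.indexOf('.') == host.length() - suffix.length();
    }
}
```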


There are 0 answers