How can I resolve the error "certificate subject name does not match target host name"?

Question

How can I resolve the error "certificate subject name does not match target host name"?

92.6k views Asked by Mike At 29 December 2016 at 09:45

  curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer 90d2c018-73d1-324b-b121-a162cf870ac0' 'https://172.17.0.1:8243/V1.0.2/stock/getNA?name=te'

The terminal prompted

"curl: (51) SSL: certificate subject name (localhost) does not match target host name '172.17.0.1' "

However, after I changed the "172.17.0.1" to "localhost", it worked and I got the result.

Why? Is there a wrong configuration somewhere? Meanwhile, there isn't any log information in file http_access.log.

Original Q&A

There are 5 answers

**Jenananthan** · Answer 1 · 2016-12-29 10:09:09

When SSL handshake happens client will verify the server certificate. In the verification process client will try to match the Common Name (CN) of certificate with the domain name in the URL. if both are different host name verification will fail. In your case certificate has CN as local host and when you try to invoke using IP address, it fails. When you create the cert you can have single host name / multiple host name / wild card host name as CN value

For more details, see:

**Bee** · Answer 2 · 2016-12-29 13:07:52

CN of the default WSO2 certificate is localhost. Therefore you have to use localhost as the hostname when you send requests. Otherwise, the hostname verification fails.

If you want to use any other hostname, you should generate a certificate with that hostname, as Jena has mentioned.

**Shia Masaki** · Answer 3 · 2017-09-14 14:50:11

Shia Masaki On 14 September 2017 at 14:50

I actually had this problem and found a fix:

I was requesting a URI like 'http://some.example', but the variable for HTTPS was set to '1'

**mikeLundquist** · Answer 4 · 2018-01-16 17:06:40

I had this problem when trying to pull from a Git directory after I'd added a new SSH key and my Git repository moved.

In the fray, Git's CN got confused. The solution for me was to delete the git directory and re-clone it via SSH. As the other users hinted at, you can't change the CN of a website's certificate, so you'll have to change the setting on your computer that has the wrong CN, or avoid using HTTPS (and use SSH like I did).

**ostergaard** · Answer 5 · 2022-02-26 06:54:52

As others have hinted, this is failing because the TLS negotiation checks that the cert matches the hostname in the URL.

What's new is that curl now supports this scenario via a connect-to option. So, if your curl is sufficiently new (v7.18.1) this should work:

curl -X GET 'https://localhost/V1.0.2/stock/getNA?name=te' \
    --header 'Authorization: Bearer 90d2c018-73d1-324b-b121-a162cf870ac0' \
    --header 'Accept: application/json'  \
    --connect-to localhost:443:172.17.0.1:8243

Credit: https://stackoverflow.com/a/50279590/1662031

Similarly you may be able to leverage curls resolve option:

curl -X GET 'https://localhost:8243/V1.0.2/stock/getNA?name=te' \
    --header 'Authorization: Bearer 90d2c018-73d1-324b-b121-a162cf870ac0' \
    --header 'Accept: application/json'  \
    --resolve localhost:443:172.17.0.1

TechQA.

How can I resolve the error "certificate subject name does not match target host name"?

There are 5 answers

Related Questions in WSO2-API-MANAGER

Related Questions in WSO2

Related Questions in API-MANAGER

Related Questions in WSO2-ESB

Popular Questions

Popular Tags

Trending Questions