How can I resolve the error "certificate subject name does not match target host name"?

92.6k views Asked by At
  curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer 90d2c018-73d1-324b-b121-a162cf870ac0' 'https://172.17.0.1:8243/V1.0.2/stock/getNA?name=te'

The terminal prompted

"curl: (51) SSL: certificate subject name (localhost) does not match target host name '172.17.0.1' "

However, after I changed the "172.17.0.1" to "localhost", it worked and I got the result.

Why? Is there a wrong configuration somewhere? Meanwhile, there isn't any log information in file http_access.log.

5

There are 5 answers

2
Jenananthan On

When SSL handshake happens client will verify the server certificate. In the verification process client will try to match the Common Name (CN) of certificate with the domain name in the URL. if both are different host name verification will fail. In your case certificate has CN as local host and when you try to invoke using IP address, it fails. When you create the cert you can have single host name / multiple host name / wild card host name as CN value

For more details, see:

4
Bee On

CN of the default WSO2 certificate is localhost. Therefore you have to use localhost as the hostname when you send requests. Otherwise, the hostname verification fails.

If you want to use any other hostname, you should generate a certificate with that hostname, as Jena has mentioned.

1
Shia Masaki On

I actually had this problem and found a fix:

I was requesting a URI like 'http://some.example', but the variable for HTTPS was set to '1'

0
mikeLundquist On

I had this problem when trying to pull from a Git directory after I'd added a new SSH key and my Git repository moved.

In the fray, Git's CN got confused. The solution for me was to delete the git directory and re-clone it via SSH. As the other users hinted at, you can't change the CN of a website's certificate, so you'll have to change the setting on your computer that has the wrong CN, or avoid using HTTPS (and use SSH like I did).

0
ostergaard On

As others have hinted, this is failing because the TLS negotiation checks that the cert matches the hostname in the URL.

What's new is that curl now supports this scenario via a connect-to option. So, if your curl is sufficiently new (v7.18.1) this should work:

curl -X GET 'https://localhost/V1.0.2/stock/getNA?name=te' \
    --header 'Authorization: Bearer 90d2c018-73d1-324b-b121-a162cf870ac0' \
    --header 'Accept: application/json'  \
    --connect-to localhost:443:172.17.0.1:8243 

Credit: https://stackoverflow.com/a/50279590/1662031

Similarly you may be able to leverage curls resolve option:

curl -X GET 'https://localhost:8243/V1.0.2/stock/getNA?name=te' \
    --header 'Authorization: Bearer 90d2c018-73d1-324b-b121-a162cf870ac0' \
    --header 'Accept: application/json'  \
    --resolve localhost:443:172.17.0.1