12
  curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer 90d2c018-73d1-324b-b121-a162cf870ac0' 'https://172.17.0.1:8243/V1.0.2/stock/getNA?name=te'

The terminal prompted

"curl: (51) SSL: certificate subject name (localhost) does not match target host name '172.17.0.1' "

However, after I changed the "172.17.0.1" to "localhost", it worked and I got the result.

Why? Is there a wrong configuration somewhere? Meanwhile, there isn't any log information in file http_access.log.

Mike

4 Answers

10

When the SSL handshake happens, the client will verify the server certificate. In the verification process, the client will try to match the Common Name (CN) of the certificate with the domain name in the URL. If both are different, host name verification will fail. In your case the certificate has CN as localhost, and when you try to invoke using the IP address, it fails. When you create the cert you can have a single host name / multiple host names / a wildcard host name as the CN value.

For more details, see:

Jenananthan
  • Then, The official's API Console can do the curl command successfully. I just do it as the official step and change wso2carbon.jks to .pem file and copy the content of .pem file to /etc/ssl/certs/ca-certificates.crt. Then what happened is the above. I wonder why it did not work even though they are both the same. – Mike Dec 29 '16 at 13:58
  • If I generate the cert which there is a new hostname, how can I use it? Is not like this: I put the cert in ca-certification.crt and change the .pem cert to jks and append the content of .jks file to API MANAGER's wso2carbon.jks? – Mike Dec 29 '16 at 14:26
3

CN of the default WSO2 certificate is localhost. Therefore you have to use localhost as the hostname when you send requests. Otherwise, the hostname verification fails.

If you want to use any other hostname, you should generate a certificate with that hostname, as Jena has mentioned.

Bee
  • Then, The official's API Console can do the curl command successfully. I just do it as the official step and change wso2carbon.jks to .pem file and copy the content of .pem file to /etc/ssl/certs/ca-certificates.crt. Then what happened is the above. I wonder why it did not work even though they are both the same – Mike Dec 29 '16 at 14:14
  • If I generate the cert which there is a new hostname, how can I use it? Is not like this: I put the cert in ca-certification.crt and change the .pem cert to jks and append the content of .jks file to API MANAGER's wso2carbon.jks? – Mike Dec 29 '16 at 14:26
  • Is there any way which I invoke with IP address? @Bhathiya – Mike Dec 30 '16 at 02:48
  • No, if you need to use something other than localhost, you have to generate a new cert. Read https://docs.wso2.com/display/ADMIN44x/Creating+New+Keystores#CreatingNewKeystores-Creatingakeystoreusinganewcertificate – Bee Dec 30 '16 at 05:10
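An added example, not part of any post above and not WSO2's own procedure: it builds two throwaway self-signed certificates with OpenSSL and checks each against the host name and the IP address from the question. It goes one step beyond the answers by putting the IP address in a subjectAltName entry, which is the certificate field that can carry an IP address. The names `default`, `fixed`, `make_cert` and `matches` are made up for the demonstration, and OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/bin/sh
# Added example: throwaway self-signed certs built in a temp dir (constructed data).
# Requires OpenSSL 1.1.1+ for "req -addext".
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME SUBJECT [SAN]: write $WORK/NAME.pem, optionally with a
# subjectAltName extension (the field that can carry IP addresses).
make_cert() {
  if [ -n "${3:-}" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
      -addext "subjectAltName=$3" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# matches NAME KIND VALUE: KIND is "host" or "ip"; succeeds only when
# openssl reports that VALUE matches the certificate.
matches() {
  openssl x509 -in "$WORK/$1.pem" -noout "-check$2" "$3" | grep -q 'does match'
}

# "default" mimics the certificate in the question: CN=localhost, no SAN.
make_cert default "/CN=localhost"
# "fixed" also lists the IP address the client actually connects to.
make_cert fixed "/CN=localhost" "DNS:localhost,IP:172.17.0.1"

# Print one verdict per certificate/target pair.
for cert in default fixed; do
  for target in host:localhost ip:172.17.0.1; do
    if matches "$cert" "${target%%:*}" "${target#*:}"; then
      verdict="match"
    else
      verdict="MISMATCH"
    fi
    printf '%-8s %-18s %s\n' "$cert" "$target" "$verdict"
  done
done
```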
1

I actually had this problem and found a fix:

I was requesting a URI like 'http://some.example', but the variable for HTTPS was set to '1'

Shia Masaki
  • Helped because I changed my password in my organisation and for some reason this approach let to insert a new password in terminal which then brought success. I used "https" and changed to "http". – Matthis Kohli Jun 06 '18 at 15:02
0

I had this problem when trying to pull from a Git directory after I'd added a new SSH key and my Git repository moved.

In the fray, Git's CN got confused. The solution for me was to delete the git directory and re-clone it via SSH. As the other users hinted at, you can't change the CN of a website's certificate, so you'll have to change the setting on your computer that has the wrong CN, or avoid using HTTPS (and use SSH like I did).

mikeLundquist