问题：

SSLPeerUnverifiedException-用于的证书与证书主题的通用名称不匹配

胥玮

2023-03-14

当我们试图从zuul访问安全的https REST点时，我们得到了以下异常。

2017-10-27 08:26:08.499 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.c.ssl.SSLConnectionSocketFactory   : Secure session established
2017-10-27 08:26:08.500 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.c.ssl.SSLConnectionSocketFactory   :  negotiated protocol: TLSv1.2
2017-10-27 08:26:08.500 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.c.ssl.SSLConnectionSocketFactory   :  negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
2017-10-27 08:26:08.501 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.c.ssl.SSLConnectionSocketFactory   :  peer principal: CN=10.xxx.xx.xx, OU=xxx, O=xxx, L=xxx, ST=xx, C=xx
2017-10-27 08:26:08.502 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.c.ssl.SSLConnectionSocketFactory   :  issuer principal: CN=10.xxx.xx.xx, OU=xxx, O=xxx, L=xxx, ST=xx, C=xx
2017-10-27 08:26:08.516 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.conn.ssl.DefaultHostnameVerifier   : Certificate for  doesn't match common name of the certificate subject: 10.xxx.xx.xx
javax.net.ssl.SSLPeerUnverifiedException: Certificate for  doesn't match common name of the certificate subject
    at org.apache.http.conn.ssl.DefaultHostnameVerifier.matchCN(DefaultHostnameVerifier.java:186)
    at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:133)
    at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:99)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:463)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
    at org.springframework.cloud.netflix.ribbon.apache.RibbonLoadBalancingHttpClient.execute(RibbonLoadBalancingHttpClient.java:94)
    at org.springframework.cloud.netflix.ribbon.apache.RibbonLoadBalancingHttpClient.execute(RibbonLoadBalancingHttpClient.java:43)
    at com.netflix.client.AbstractLoadBalancerAwareClient$1.call(AbstractLoadBalancerAwareClient.java:109)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$3$1.call(LoadBalancerCommand.java:303)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$3$1.call(LoadBalancerCommand.java:287)
    at rx.internal.util.ScalarSynchronousObservable$3.call(ScalarSynchronousObservable.java:231)
    at rx.internal.util.ScalarSynchronousObservable$3.call(ScalarSynchronousObservable.java:228)
    at rx.Observable.unsafeSubscribe(Observable.java:10211)
    at rx.internal.operators.OnSubscribeConcatMap$ConcatMapSubscriber.drain(OnSubscribeConcatMap.java:286)
    at rx.internal.operators.OnSubscribeConcatMap$ConcatMapSubscriber.onNext(OnSubscribeConcatMap.java:144)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$1.call(LoadBalancerCommand.java:185)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$1.call(LoadBalancerCommand.java:180)
...

服务通过POST请求在eureka注册。请找到下面的示例POST请求。


    spring:
      application:
        name: gateway 
    server:
      port: 9092
      ssl:    
        enabled: true
        clientAuth: want
        key-store: classpath:keystore.jks
        key-store-password: password
        key-password: password   
        key-alias: xxxx
    eureka:
      instance:
        nonSecurePortEnabled: false
        securePortEnabled: true
      client:
        serviceUrl:
          defaultZone: ${EUREKA_URI:http://localhost:8761/eureka}
        registry-fetch-interval-seconds: 15
        register-with-eureka: true
        fetch-registry: true
        heartbeat-executor-thread-pool-size: 5
        eureka-service-url-poll-interval-seconds: 10
    zuul:
      prefix: /tree
      routes:
        serv:
          path: /cxf/**
          strip-prefix: false
          serviceId: serv
    ribbon:
      IsSecure: true
      IsHostnameValidationRequired: false

该服务通过POST请求向eureka注册。请查看下面的发帖请求示例。


    {
    "instance": {
        "hostName": "xxx",
        "app": "appname",
        "vipAddress": "appname",
        "secureVipAddress": "appname",
        "ipAddr": "10.xxx.xx.xxx",
        "status": "UP",
        "port": {"$": "8181", "@enabled": "true"},
        "securePort": {"$": "8443", "@enabled": "true"},
        "healthCheckUrl": "http://localhost:8000/cat",
        "statusPageUrl": "http://localhost:8000/cat",
        "homePageUrl": "http://localhost:8000/cat",
        "dataCenterInfo": {
            "@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo", 
            "name": "MyOwn"
        }
    }

如果我在上面的zuul配置中用相应的url替换serviceId，它可以正常工作。

密钥库。jks一直处于src/main/resources之下。此外，还将密钥存储条目导入$JDK_HOME/jre/lib/security/cacerts下的证书。我们是否缺少其他配置？

注意：RESTendpoint是一个OSGI服务。Spring开机版本：v1。5.7.我们使用嵌入式tomcat。

共有1个答案

姜羽

2023-03-14

出现上述问题的原因是证书不包含“SubjectAlternativeName”字段。在创建了带有字段“SubjectAlternativeName”的证书后，问题得到了解决。字段“SubjectAlternativeName”又包括CN（通用名）和IP详细信息。我们还需要建立信任库。

对于正在寻找html" target="_blank">解决方案的人来说，希望以下步骤能有所帮助。

1.生成服务器密钥和自签名服务器证书keytool-genkey-alias serverkey-keyalg RSA-storetype PKCS12-keystore serverkeystore。p12-ext SAN=dns:abc。com，dns:localhost，ip:127.0.0.1

2.生成客户端密钥和自签名客户端证书keytool-genkey-alias clientkey-keyalg RSA-storetype PKCS12-keystore clientkeystore。p12-ext SAN=dns:def。com，dns:localhost，ip:127.0.0.1

3.导出服务器证书keytool-Export-alias serverkey-file servercert。cer-密钥库服务器密钥库。p12

4、导出客户端证书keyool-export-alias clientkey-fileclientcert.cer-keystore clientkeystore. p12

5.将证书导入$JAVA_HOME/jre/lib/security sudo keytool-Import-trustcacerts-alias localhost-file localhost。crt-keystore$JAVA_HOME/jre/lib/security/cacerts

应用网关的yml：

spring:
  application:
    name: gateway
server:
  port: 8443
  ssl:
    enabled: true
    key-store: classpath:serverkeystore.p12
    key-store-password: server
    key-alias: serverkey
eureka:
  instance:
    securePort: ${server.port}
    nonSecurePortEnabled: false
    securePortEnabled: true
    leaseRenewalIntervalInSeconds: 7
    leaseExpirationDurationInSeconds: 9
  client:
    serviceUrl:
      defaultZone: ${EUREKA_URI:http://localhost.com:8761/eureka/}
    registry-fetch-interval-seconds: 5
    register-with-eureka: true
    fetch-registry: true
    heartbeat-executor-thread-pool-size: 5
    eureka-service-url-poll-interval-seconds: 10
zuul:
  prefix: /service
  routes:
    producer:
      path: /employee/**
      strip-prefix: false
      serviceId: producer
ribbon:
  IsSecure: true
logging:
 file: logs/gateway.log
 level.root: INFO
 level.com.fujitsu.fnc.sdnfw.msvc: DEBUG

类似资料：

主机名/ IP与证书的altname不匹配

问题内容：我正在尝试使用带有自签名证书的Node.js 0.8.8创建TLS服务器/客户端设置。基本的服务器代码如下所示现在，当我尝试连接到该服务器时，我使用以下代码：如果我删除线从客户端代码，Node.js抛出一个错误告诉我。据我了解，这是由于它是一个自签名证书，并且没有其他方信任此证书。如果我删除同样，错误也消失了-但等于错误，实际上意味着我的连接未加密。无论如何，使用我可以访问
的证书主题不包含通用名称，也不具有替代名称

我已经通过终端在远程ubuntu机器中逐一使用以下命令生成了一个SSL自签名证书： T我已经将添加到本地计算机的cacerts中，使用命令提示符中的keytool作为admin。还将添加到“受信任的根证书颁发机构”中。他发出对Postman上的远程ubuntu机器服务器的HTTPS请求可以正常工作，但在IntelliJ上就不行了，我可以放心地得到：
证书中的主机名不匹配？

问题内容：我尝试使用自签名证书连接到服务器。我使用此代码接受所有证书。但是尽管如此，我收到以下错误：我确定我的证书代码已执行，那么可能是什么问题？问题答案：您可以使用
Node.js主机名/ IP与证书的altname不匹配

问题内容：我有代码：当我在带有Node 0.9.4的桌面上运行它时，我在控制台中得到了这个：当我在带有节点0.6.12的Netbook上运行它时，它们都可以正常运行而没有错误（302响应-我认为是正确的）。有问题的Node.js主机名/ IP与证书的altnames不匹配，Rojuinex写道：“是的，浏览器问题…对不起”。“浏览器问题”是什么意思？ UPD。在节点v0.8上回滚后，此问
尽管两个名称都有证书，但certbot中的SSL证书主机名不匹配

我被困在如何修复这个SSL错误上—— 我的SSL证书在Chrome上运行良好，但在Safari和Firefox上，如果我去www.domain.com而不是domain.com，就会出现主机名不匹配的错误我已经使用Certbot为我的domain.com和www.domain.com域设置了SSL证书当我在nginx上检查以确保证书存在时，我运行< code>sudo certbot - ng
SSLException：证书中的主机名不匹配:！=

我试图从java调用Heroku的开发人员api，但是我得到了以下异常：我的代码如下所示： https://stackoverflow.com/a/7266768 https://stackoverflow.com/a/3904473 https://stackoverflow.com/a/25356821 建议我应该重写证书主机名检查，这肯定违背了这一点（当然生产还没有准备好）？

SSLPeerUnverifiedException-用于的证书与证书主题的通用名称不匹配

共有1个答案

相关问答

相关文章

相关阅读

相关工具

相关文档