I am using WSO2 Identity Server as an internal key manager of WSO2 API Manager with Shared_db, and started the two servers based on the documentation here. I got this error in API Manager:
ERROR {org.wso2.carbon.apimgt.rest.api.util.exception.GlobalThrowableMapper} - An unknown exception has been captured by the global exception mapper. feign.RetryableException: Certificate for <x.x.x.x> doesn't match any of the subject alternative names: [localhost] executing GET https://x.x.x.x:9443/oauth2/token/.well-known/openid-configuration.
x.x.x.x is the Identity Server IP.
We had the same issue when upgrading from IS 5.11.0 to 6.0.0.
The SSL certificates generated with Let's Encrypt didn't have localhost as a Security Alternative Name (SAN). The workaround with self-signed certificates that include localhost as SAN is OK, but not what we needed.
We have bypassed it by adding the internal_hostname parameter under the [server] block inside the <IS_HOME>/repository/conf/deployment.toml config file:
[server]
hostname = "is.wso2.com"
internal_hostname = "is.wso2.com"
Make sure you replace is.wso2.com with your DNS.
More details can be found here.
https://is.docs.wso2.com/en/latest/deploy/change-the-hostname/
The error simply indicates that the certificate you have for IS has the CN localhost and you are trying to access it with a different host (in this case, the IP), which causes the hostname verification to fail.
The correct solution to resolve this issue is to create proper certificates with correct CN/SAN names and use one of them to access Identity Server.
As a workaround, although it's not recommended, you can try disabling hostname verification by adding the following properties to the server startup script. (Not sure what the exact parameter is that will do the trick, but try the following.)
-Dorg.opensaml.httpclient.https.disableHostnameVerification=true \
-Dhttpclient.hostnameVerifier=AllowAll \
-Dfeign.httpclient.disableSslValidation=true \
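Added example, not part of the original question or answers: a small Python check that applies RFC 6125-style matching to show which endpoint names a given SAN list will accept, covering the IP-versus-localhost failure in the question and the localhost-versus-public-certificate case from the first answer. The address 192.0.2.10 and the SAN lists are constructed samples, and the assumption that internal calls target localhost is inferred from the first answer.

```python
import ipaddress

# SAN lists use the (type, value) shape of Python's ssl getpeercert()["subjectAltName"].
DEFAULT_SANS = (("DNS", "localhost"),)    # as reported in the error message
PUBLIC_SANS = (("DNS", "is.wso2.com"),)   # constructed: cert issued for the public name only
IS_IP = "192.0.2.10"                      # constructed stand-in for x.x.x.x


def _as_ip(value):
    """Return an ip_address object, or None when value is a DNS name."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Case-insensitive match; '*.' covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return pattern == host


def check_endpoint(host, sans):
    """Return (ok, reason) for connecting to `host` with a cert carrying `sans`."""
    ip = _as_ip(host)
    if ip is not None:
        # An IP literal is compared only with iPAddress entries, never dNSName.
        ok = any(_as_ip(v) == ip for t, v in sans if t == "IP Address")
    else:
        ok = any(_dns_match(v, host) for t, v in sans if t == "DNS")
    listed = ", ".join(f"{t}:{v}" for t, v in sans)
    verdict = "matches" if ok else "does not match"
    return ok, f"{host} {verdict} [{listed}]"


if __name__ == "__main__":
    for host, sans in [
        (IS_IP, DEFAULT_SANS),          # the question: IP vs default cert
        ("localhost", PUBLIC_SANS),     # first answer: internal call vs public cert
        ("is.wso2.com", PUBLIC_SANS),   # after pointing internal calls at the DNS name
        (IS_IP, PUBLIC_SANS + (("IP Address", IS_IP),)),  # cert reissued with an IP SAN
    ]:
        print(check_endpoint(host, sans)[1])
```

Running the same check against the SAN list of the certificate actually deployed shows whether a hostname change or a reissued certificate is enough, without turning verification off.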