I am getting the certificate exception below. How do I check the CN of the self-signed certificate after I've created it? I am pretty sure that I used the IP address of the development server and I don't understand what could be wrong.

Exception in thread "main" javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://xx.x.x.xxx:yyyy/myappname/myservleturl?wsdl. It failed with: 
java.security.cert.CertificateException: No subject alternative names present.
at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.tryWithMex(RuntimeWSDLParser.java:151)
at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:133)
at com.sun.xml.internal.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:234)
at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:197)
at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:145)
at com.sun.xml.internal.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:93)
at javax.xml.ws.Service.<init>(Service.java:56)
at javax.xml.ws.Service.create(Service.java:680)
at com.mycompanyname.st.client.Client.main(Client.java:32)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1747)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1209)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:135)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:943)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1215)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1199)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1195)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at java.net.URL.openStream(URL.java:1010)
at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:793)
at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.resolveWSDL(RuntimeWSDLParser.java:251)
at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:118)
... 7 more
Caused by: java.security.cert.CertificateException: No subject alternative names present
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:142)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:75)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:264)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:250)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1188)
... 22 more

Edited part starts here:

Thank you to @My-Name-Is, I did the following:

keytool -printcert -v -file serverdev.cer

And got this result:

Owner: CN=xx.x.x.xxx, OU=it, O=companyname, L=cityname, ST=provincename, C=ca
Issuer: CN=xx.x.x.xxx, OU=it, O=companyname, L=cityname, ST=provincename, C=ca
Serial number: somestringhere
Valid from: Fri Feb 28 16:11:14 EST 2014 until: Thu May 29 17:11:14 EDT 2014
Certificate fingerprints:
     MD5:  someotherstringhere
     SHA1: andyetanotherstringhere

Please note that I verified that the CN xx.x.x.xxx matches the IP address of the development server. So, what could be wrong exactly?

javagirl
  • Take a look at: http://shib.kuleuven.be/docs/ssl_commands.shtml – My-Name-Is Feb 28 '14 at 22:43
  • @My-Name-Is, please see my edited post above. – javagirl Mar 03 '14 at 15:32
  • How do you access the server? Via ip or host name? – My-Name-Is Mar 03 '14 at 16:23
  • @My-Name-Is, via ip but I figured out the problem. I found the solution here: http://stackoverflow.com/questions/8443081/how-are-ssl-certificate-server-names-resolved-can-i-add-alternative-names-using/8444863#8444863 – javagirl Mar 03 '14 at 16:49
  • @javagirl Yes, the issue `No subject alternative names present` is resolved by adding a SAN DNS or IP entry. In your case you would add `subjectAltName=IP:xx.x.x.xxx`. Please create an answer with the solution you found and accept it. – simlev Aug 27 '18 at 12:41

1 Answer

You can resolve it using a simple solution in your operating system by mapping the DNS found on the certificate to the IP address you actually access. For example, if the certificate was issued for DNS mydomain.com and you are accessing the IP address 10.10.10.0, then add the following record to the hosts file found here (if you are using Windows):

C:\WINDOWS\system32\drivers\etc

Add this line:

10.10.10.0 mydomain.com

Then change the URL you are accessing to use the domain mydomain.com instead of the IP address. Windows will now replace mydomain.com with your IP address 10.10.10.0 for all requests.

A. Shaheen
  • Alternatives include creating an A record on own DNS server or in a controlled zone. OP would still need to add a SAN to the certificate. – simlev Aug 27 '18 at 12:51
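
The stack trace in the question ends in `HostnameChecker.matchIP`: when the URL uses an IP address, Java looks for an IP entry in the certificate's subject alternative names and does not fall back to the CN. The script below is an added example, not part of the original thread, that regenerates the self-signed certificate with the SAN mentioned in the comments and checks the result. It assumes `keytool` from Java 7 or later (for `-ext`); the alias, keystore name and password are placeholders.

```sh
#!/bin/sh
# Added example. Placeholders (not from the thread): alias "serverdev",
# keystore "serverdev.jks", password "changeit".

# Build the keytool -ext value: IPv4 literal -> IP SAN, anything else -> DNS SAN.
san_ext() {
  case "$1" in
    ""|*:*)    return 1 ;;                      # empty or IPv6: not handled here
    *[!0-9.]*) printf 'san=dns:%s\n' "$1" ;;    # has a non-digit, non-dot character
    *.*.*.*)   printf 'san=ip:%s\n' "$1" ;;     # dotted quad
    *)         printf 'san=dns:%s\n' "$1" ;;
  esac
}

# Generate a self-signed key pair whose certificate carries the SAN,
# then export the certificate in PEM form as serverdev.cer.
make_cert() {
  ext=$(san_ext "$1") || { echo "unsupported host: $1" >&2; return 1; }
  keytool -genkeypair -alias serverdev -keyalg RSA -keysize 2048 -validity 90 \
    -dname "CN=$1, OU=it, O=companyname, L=cityname, ST=provincename, C=ca" \
    -ext "$ext" -keystore serverdev.jks -storepass changeit -keypass changeit &&
  keytool -exportcert -alias serverdev -keystore serverdev.jks \
    -storepass changeit -rfc -file serverdev.cer
}

# Succeed only if the certificate file lists exactly this IP in its SAN extension.
# keytool -printcert -v prints SAN entries as indented "IPAddress: a.b.c.d" lines.
has_ip_san() {
  keytool -printcert -v -file "$1" \
    | sed 's/^[[:space:]]*//' \
    | grep -Fxq "IPAddress: $2"
}

# Run as: ./make-san-cert.sh 10.10.10.0
if [ "$#" -gt 0 ]; then
  make_cert "$1" || exit 1
  if has_ip_san serverdev.cer "$1"; then
    echo "IP SAN present for $1"
  else
    echo "no IP SAN for $1 (expected when a DNS name was given)"
  fi
fi
```

The regenerated certificate has a new key pair, so any client truststore that imported the old `serverdev.cer` needs the new one imported in its place.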