
This may be an apache/server configuration, or it might require a Java solution. On my server I have a few subdomains. I force https on all subdomains and I have a wildcard ssl certificate that is used for all subdomains.

When I go to https://myapp1.myvendor.com and view the certificate in the browser I see the following common name:

CN = *.myvendor.com

I also have a Java program that posts to https://myapp1.myvendor.com/post.php however when I post from Java using:

// Assumed setup (the question does not show how httpClient is built): an Apache HttpComponents client
org.apache.http.client.HttpClient httpClient = new org.apache.http.impl.client.DefaultHttpClient();
org.apache.http.client.methods.HttpPost httpPost = new org.apache.http.client.methods.HttpPost("https://myapp1.myvendor.com/post.php");
org.apache.http.HttpResponse response = httpClient.execute(httpPost);

I get the following error:

javax.net.ssl.SSLException: hostname in certificate didn't match: 
<myapp1.myvendor.com> != <myvendor.com> OR <myvendor.com> OR <www.myvendor.com>

What strikes me as odd is that it is trying to match myvendor.com or www.myvendor.com not *.myvendor.com. I do have a certificate installed for myvendor.com, but I stopped using it in favor of the wildcard cert.

Any suggestions? Do you need more information?

Apache Config:

<VirtualHost *:443>
 SSLEngine On
 SSLCertificateFile /etc/pki/tls/certs/27c7d7842bf94d.crt
 SSLCertificateKeyFile /etc/pki/tls/private/mydomain.key
 SSLCACertificateFile /etc/pki/tls/certs/my_cert.crt

 ServerName myapp1.myvendor.com
 DocumentRoot /var/www/myvendor/myapp1/src/
 ErrorLog /var/www/logs/myapp1/error.log
 CustomLog /var/www/logs/myapp1/access.log combined
 <Directory /var/www/myvendor/myapp1/src/>
         AllowOverride All
 </Directory>
</VirtualHost>

I also found this in a different config file that IS loaded:

<VirtualHost _default_:443>
 SSLCertificateFile /etc/pki/tls/certs/local.crt
 SSLCertificateKeyFile /etc/pki/tls/private/local.key
 SSLCACertificateFile /etc/pki/tls/certs/my_local_cert.crt
</VirtualHost>

I think it is getting this cert because this cert has:

subject Alternative name:
 DNS Name=myvendor.com
 DNS Name=www.myvendor.com

which matches the error from Java. If this is the case my question is why is Java getting this cert as opposed to the one that the browser gets?

ajon
  • 95% your myapp1.myvendor.com points to a server you don't expect, i.e. your proxy settings/hosts file make the domain point somewhere else... Or myapp1.myvendor.com is configured to use a different cert than you expect. – Alexei Levenkov Mar 28 '14 at 20:15
  • Or your server does SNI and Java isn't giving it the info it needs to choose the right cert. – Ian Roberts Mar 28 '14 at 20:22
  • @AlexeiLevenkov See my edit. Does my edit make sense? – ajon Mar 28 '14 at 22:55

1 Answer


It looks like you are using SNI, e.g. multiple https servers on the same IP with different certificates. In this case have a look at Server Name Indication (SNI) on Java for how to use SNI in Java.

Steffen Ullrich
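A small diagnostic, added here as an example and not part of the question or the answer, that reproduces the two situations the comments describe: it handshakes with the server once without the SNI extension and once with it, and prints the subject and SAN list of the certificate Apache actually served each time, so the `_default_` cert case from the question can be told apart from the wildcard one. It assumes Java 8 or later (javax.net.ssl.SNIHostName) and that the served chain is trusted by the JVM's default truststore; the class name SniCheck is made up.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class SniCheck {

    /** Handshake with the server, with or without an SNI extension, and return the leaf cert it served. */
    public static X509Certificate serverCert(String host, int port, boolean sendSni) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            List<SNIServerName> names = sendSni
                    ? Collections.<SNIServerName>singletonList(new SNIHostName(host))
                    : Collections.<SNIServerName>emptyList();   // empty list = no server_name extension at all
            params.setServerNames(names);
            socket.setSSLParameters(params);
            // Chain validation against the default truststore still runs here; only the hostname
            // check is left out so we can see which certificate the server picked.
            socket.startHandshake();
            return (X509Certificate) socket.getSession().getPeerCertificates()[0];
        }
    }

    /** DNS names from the certificate's subjectAltName extension (entry type 2 = dNSName). */
    public static List<String> dnsNames(X509Certificate cert) throws Exception {
        List<String> out = new ArrayList<>();
        if (cert.getSubjectAlternativeNames() != null) {
            for (List<?> san : cert.getSubjectAlternativeNames()) {
                if (Integer.valueOf(2).equals(san.get(0))) {
                    out.add(String.valueOf(san.get(1)));
                }
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "myapp1.myvendor.com";   // hostname from the question
        for (boolean sni : new boolean[] {false, true}) {
            X509Certificate cert = serverCert(host, 443, sni);
            System.out.println((sni ? "with SNI:    " : "without SNI: ")
                    + cert.getSubjectX500Principal() + "  SAN=" + dnsNames(cert));
        }
    }
}
```

If the "without SNI" run prints the myvendor.com/www.myvendor.com SAN list and the "with SNI" run prints the *.myvendor.com certificate, the server is selecting by SNI and the Java client is simply not sending it. A failure during startHandshake rather than a name mismatch means the served chain is not trusted by the JVM, which is a separate problem from the one in the question.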