-1

I'm connecting to a host using an IP address (ex. 123.123.123.123) rather than a hostname and I get this exception:

javax.net.ssl.SSLException: Certificate for <123.123.123.123> doesn't match common name of the certificate subject: abcdef.test.group

I can see the actual hostname of 123.123.123.123 in the debug output under 'peer alternative names' so I am guessing that the problem is because I am using the IP address and it's unable to resolve this to a hostname and so match against the peer host list.

I'm using the IP address because the local DNS has not been setup, and before I ask admins to update the /etc/hosts file to map that IP to a host I want to check that the problem is indeed that I am using an IP address.

As I've typed this in I've convinced myself that it is - but it would be good if someone else agreed.

Dave Richardson
  • 4,880
  • 7
  • 32
  • 47
  • 1
    Certificates are always for names and never for IP addresses. That's just the way it is. If you want the certificate to work, you need to use an URL that uses the name of the host. – Joachim Sauer Nov 27 '19 at 10:57
  • @JoachimSauer, no, IP can be used, but its rare situation: https://stackoverflow.com/questions/2043617/is-it-possible-to-have-ssl-certificate-for-ip-address-not-domain-name – Romeo Ninov Nov 27 '19 at 12:02
  • Does this answer your question? [Is it possible to have SSL certificate for IP address, not domain name?](https://stackoverflow.com/questions/2043617/is-it-possible-to-have-ssl-certificate-for-ip-address-not-domain-name) – Romeo Ninov Nov 27 '19 at 12:02

1 Answers1

0

After update of /etc/hosts file with the IP/hostname mapping all is well.

Dave Richardson
  • 4,880
  • 7
  • 32
  • 47