All geek questions in one place

No alternate DNS names were found for ex.ample.com

For my application running on ex.ample.com, I have the following certificate from StartSSL / StartCom:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 163069 (0x27cfd)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
        Validity
            Not Before: Nov 27 21:26:01 2010 GMT
            Not After : Nov 29 15:32:05 2011 GMT
        Subject: description=303703-Sv1xMdnmzg6garMt, C=NL, O=Persona Not Validated, OU=StartCom Free Certificate Member, CN=ex.ample.com/emailAddress=postmaster@ex.ample.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    ....
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Key Identifier: 
                31:68:B2:7B:A2:7C:79:54:B7:3E:66:FD:12:04:18:FC:FB:9B:34:64
            X509v3 Authority Key Identifier: 
                keyid:EB:42:34:D0:98:B0:AB:9F:F4:1B:6B:08:F7:CC:64:2E:EF:0E:2C:45

            X509v3 Subject Alternative Name: 
                DNS:ex.ample.com, DNS:ample.com
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.23223.1.2.2
                  CPS: http://www.startssl.com/policy.pdf
                  CPS: http://www.startssl.com/intermediate.pdf
                  User Notice:
                    Organization: StartCom Ltd.
                    Number: 1
                    Explicit Text: Limited Liability, see section *Legal Limitations* of the StartCom Certification Authority Policy available at http://www.startssl.com/policy.pdf

            X509v3 CRL Distribution Points: 
                URI:http://www.startssl.com/crt1-crl.crl
                URI:http://crl.startssl.com/crt1-crl.crl

            Authority Information Access: 
                OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
                CA Issuers - URI:http://www.startssl.com/certs/sub.class1.server.ca.crt

            X509v3 Issuer Alternative Name: 
                URI:http://www.startssl.com/
    Signature Algorithm: sha1WithRSAEncryption
        .....

I have this certificate installed correctly. It works when I open the application using Firefox. When I use Java HttpURLConnectionto retrieve a page from it, I get the following error:

Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching ex.ample.com found.
    at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:208)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:285)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:271)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1012)
    ... 14 more

I do not understand why this is happening. ex.ample.comis the common name (CN) in the certificate and is also indicated on the SAN. I have imported StarSLL certificates into my trusted network, so no problem here.

+4
source share
1 answer

, . !

, DNS /, . -. , DNS .

0

Source: https://habr.com/ru/post/1777306/

More articles:


All Articles