the

the

关注
发信
LINQ查询列表包含列表
新的Andr​​oid SDK的Eclipse项目属性窗口中缺少" Java编译器>注释处理"标签
MongoDB:匹配数组中的非空文档
Firestore按日期范围查询
ORA-14551:无法在查询中执行DML操作
自动域名注册
使用Massagebox进入asp.net
的ConnectionString获取一个Excel文件的问题
无法在网格更新中绑定组合框字段的ID
如何将C#Rijndael加密转换为PHP?
使用FileUpload1.SaveAs后保留会话值
获取每个组的前/后n条记录
强制将记录字段视为字符数据
用于成组执行TESTNG测试的Gradle命令语法
修复mysql查询以返回子组内的随机行

<localhost> 的证书不匹配任何主题替代名称

扫码查看
本文介绍了<localhost> 的证书不匹配任何主题替代名称的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

错误:

javax.net.ssl.SSLException:  的证书不匹配任何主题替代名称:[xxxxxxx.xxx.xxxxxx.xxx]

我在我的 localhost 中运行了一个 Spring Boot 应用程序.我还有一个通过 putty 到服务器的隧道 ssh.

我做过的事情:

  • 我手动创建/导入了所有方式的密钥/证书.
  • 我使用 keytool 中的 -ext 将 dns 地址和本地主机添加到 SAN.
  • 我还使用了

    如您所见,它还包含其他 dns 值.通过这种方式,网站所有者可以为多个网站/子域等使用相同的证书.

    The Error:

    javax.net.ssl.SSLException: Certificate for <localhost> doesn't match any of the subject alternative names: [xxxxxxx.xxx.xxxxxx.xxx]

    I have a Spring Boot App running in my localhost. I also have a tunnel ssh via putty to a server.

    Things I have done:

    • I manually created/imported keys/certificates of all ways.
    • I used -ext from keytool to add the dns addr and the localhost to SAN.
    • I also used a openSource java file to install the cert.
    • I changed the hosts files to: 127.0.0.1 xxx.xxx.xxxxxxx.xxx (if I ping the dns name it responds to the localhost address)
    • I used the VM Arguments -Djavax.net.debug=ssl to check if the certs are loading properly.

    What am I missing? BTW, I'm also using a VPN.

    解决方案

    You need to provide localhost as a subject alternative name when creating your certificate. You can do that by provide the following additional parameter: -ext "SAN:c=DNS:localhost,IP:127.0.0.1"

    So something like this: 

    keytool -genkeypair -keyalg RSA -keysize 2048 -alias stackoverflow -dname "CN=stackoverflow,OU=Hakan,O=Hakan,C=NL" -ext "SAN:c=DNS:localhost,IP:127.0.0.1" -validity 3650 -keystore identity.jks -storepass secret -keypass secret -deststoretype pkcs12

    Some explanation:

    The SAN field will be used to match the hostname which will be provided in the request. So when you are running your application on localhost, lets say https://localhost:443 and you also want to make a request to that specific host than that hostname should also be available within the SAN field or else it will fail during the handshake process.

    Let's grab Stackoverflow as an example. To be able to reach stackoverflow over https we would expect that the certificate should contain at least an entry of stackoverflow.com

    Below is the certificate SAN value of stackoverflow with the specific DNS highlighted for this example:

    As you can see already it contains also other dns values. In this way websites owners can use the same certificate for multiple websites/subdomains etc.

    这篇关于&lt;localhost&gt; 的证书不匹配任何主题替代名称的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

09-13 10:58
查看更多
Powered by LMLPHP ©2025 the 0.025359