Hi Aparna,

This can happen when the client does not send the SNI [1][2] to the server side to select the proper HTTPS virtual host. In this case NGINX reverse proxy created in the vhost. Most of the modern browsers send SNI to the server, therefore you will not observe this when you make the request via a modern browser.

Most of the new Java HTTP client libraries also support SNI. As an example, the Apache httpclient library supports SNI from version 4.3.2 [3]. If you use a library which does not support SNI, you will get this error for HTTPS calls going towards services hosted in virtual host environments.

[1] https://en.wikipedia.org/wiki/Server_Name_Indication
[2] https://www.ietf.org/rfc/rfc3546.txt
[3] https://hc.apache.org/news.html

On Fri, Oct 23, 2015 at 11:07 AM, Aparna Karunarathna <[email protected]> wrote:

> Hi all,
>
> I have encountered a weird "hostname in certificate didn't match:" issue
> when accessing IS dashboard. My setup details are as follows.
>
> *Setup Details*
> *IS cluster*
> - 3 nodes cluster
> - Hostname - mgt.is.wso2.com
> - Certificate CN - mgt.is.wso2.com
>
> *BPS cluster*
> - 2 nodes cluster (manager/worker)
> - Hostnames - Manager - mgt.bps.wso2.com / Worker - wrk.bps.wso2.com
> - Certificate CN - *.bps.wso2.com
>
> * Both nodes are fronted by same Nginx plus load balancer.
>
> [1]
> javax.net.ssl.SSLException: hostname in certificate didn't match: <mgt.is.wso2.com> != <*.bps.wso2.com>
>     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238)
>     at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
>     ....
>     ....
>
> When we check the browser cookie, it gave correct certificate
> (mgt.is.wso2.com), but when we check it from java client[2] it gives the
> bps certificate (*.bps.wso2.com) instead of IS.
>
> [2]
> https://darray.wordpress.com/2015/07/12/freak-vulnerability-and-disabling-weak-export-cipher-suites-in-wso2-carbon-4-2-0-based-products/
>
> What is the reason for this? Is it my config issue or Nginx issue or our
> product issue?
>
> --
> *Regards,*
>
> *Aparna Karunarathna.*
>
> *Associate Technical Lead - QA*
> *WSO2 Inc.*
> *Mobile: 0714002533*

--
Deependra Ariyadewa
WSO2, Inc.
http://wso2.com/ http://wso2.org

email [email protected]; cell +94 71 403 5996 ;
Blog http://risenfall.wordpress.com/
PGP info: KeyID: 'DC627E6F'

*WSO2 - Lean . Enterprise . Middleware*
