The first bit is slightly more nuanced, meaning there is another
possibility (which is what actually occurred in ARTEMIS-3421), so I
would state it a little differently:

Change the hostname value that is being connected to in the broker
config, so it can match against the existing certificate offered, or
change the certificate (e.g. adding appropriate subject alternative
names) so that it can match whatever hostname value is being connected
to. If not those then you would need to consider verifyHost=false
(<obligatory warning here>) to permit the mismatch.

On Mon, 23 Aug 2021 at 02:51, Justin Bertram <jbert...@apache.org> wrote:
>
> The change in question is from ARTEMIS-3367 [1]. Since the hostname defined
> in the SSL cert on your broker can't be verified then you should either get
> a new cert for your broker for which the hostname *can* be verified or set
> verifyHost=false on the connector for the cluster-connection.
>
> I'll make this more clear in the relevant documentation [1].
>
>
> Justin
>
> [1] https://issues.apache.org/jira/browse/ARTEMIS-3367
> [2]
> https://activemq.apache.org/components/artemis/documentation/latest/versions.html
>
> On Sun, Aug 22, 2021 at 8:09 PM Dondorp, Erwin <erwin.dond...@cgi.com>
> wrote:
>
> > Hello!
> >
> > Since Artemis 2.18.0, the broker-broker connections (for clustering)
> > refuse to connect due to "Caused by:
> > java.security.cert.CertificateException: No name matching [hostname]
> > found". I did not try any client connections yet, so these might just have
> > the same problem.
> > My setup is the simplest possible SSL with self-signed certificates since
> > it is a development system.
> > While looking through the release notes (and zooming in on some of the
> > Jira issues), I did not quickly spot a change that would cause this.
> > I did not have this problem when using the snapshot versions of 2.18.0,
> > but the last version I actually checked was
> > apache-artemis-2.18.0-20210730.150450-205-bin.tar.gz.
> > So the question is: what was actually changed? (or is broken? can't
> > believe that).
> >
> > thx,
> > Erwin
> >
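
Added example, not part of the original thread or of the Artemis project: a shell sketch of the certificate-side fix described at the top of this message, building a throwaway self-signed certificate with and without subject alternative names and checking each against the host name being connected to. It assumes the openssl CLI (1.1.1 or newer); the host name broker1.example.test and the file names are constructed.

```shell
#!/bin/sh
# Added example; host names and file names are constructed.
# Assumes the openssl CLI, 1.1.1 or newer (needed for -addext).

# make_cert PREFIX CN [SAN_LIST]: write PREFIX.key and PREFIX.crt (self-signed).
# SAN_LIST uses openssl syntax, e.g. "DNS:a.example.test,DNS:localhost".
make_cert() {
    prefix=$1; cn=$2; san=${3:-}
    if [ -n "$san" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -keyout "$prefix.key" -out "$prefix.crt" \
            -subj "/CN=$cn" -addext "subjectAltName=$san" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -keyout "$prefix.key" -out "$prefix.crt" \
            -subj "/CN=$cn" 2>/dev/null
    fi
}

# cert_names CERT: print the subject and any subject alternative names offered.
cert_names() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' || true
}

# cert_matches_host CERT HOST: succeed only if HOST verifies against CERT.
# -checkhost reports its verdict as text, so the message is tested.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

work=$(mktemp -d)
host=broker1.example.test    # constructed: the host the connector connects to

make_cert "$work/old" localhost                             # CN only
make_cert "$work/new" localhost "DNS:$host,DNS:localhost"   # SANs added

for c in old new; do
    cert_names "$work/$c.crt"
    if cert_matches_host "$work/$c.crt" "$host"; then
        echo "$c.crt: $host verifies"
    else
        echo "$c.crt: $host does not verify"
    fi
done
rm -rf "$work"
```

A certificate regenerated this way still has to replace the old one in the broker's keystore and in the truststore of every peer that trusts the self-signed certificate.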
