
Below is an exception that gets thrown by Java when checking the hostname for a certificate stored in a keystore. I believe it's checking a JKS formatted keystore. I'd like to write a very simple Java program to get the hostname as Java gets the hostname in this exception.

What line of code would get the hostname in Java so it's equivalent to this exception?

http://java.globinch.com/enterprise-java/security/fix-java-security-certificate-exception-no-matching-localhost-found/

Specific exception:

com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching shr-test.hosp.org found : com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching shr-test.hosp.org found at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:155) at com.sun.jersey.api.client.Client.handle(Client.java:652) at com.sun.jersey.api.client.WebResource.handle(WebResource.java:682) at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74) at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:560) at net.shrine.client.JerseyHttpClient.post(JerseyHttpClient.scala:63) at net.shrine.client.Poster.post(Poster.scala:10) at net.shrine.adapter.client.RemoteAdapterClient$$anonfun$query$2$$anonfun$apply$1.apply(RemoteAdapterClient.scala:56) at net.shrine.adapter.client.RemoteAdapterClient$$anonfun$query$2$$anonfun$apply$1.apply(RemoteAdapterClient.scala:54) at scala.concurrent.impl.ExecutionContextImpl$DefaultThreadFactory$$anon$2$$anon$4.block(ExecutionContextImpl.scala:48) at scala.concurrent.forkjoin.ForkJoinPool.managedBlock(ForkJoinPool.java:3640) at scala.concurrent.impl.ExecutionContextImpl$DefaultThreadFactory$$anon$2.blockOn(ExecutionContextImpl.scala:45) at scala.concurrent.package$.blocking(package.scala:54) at net.shrine.adapter.client.RemoteAdapterClient$$anonfun$query$2.apply(RemoteAdapterClient.scala:54) at net.shrine.adapter.client.RemoteAdapterClient$$anonfun$query$2.apply(RemoteAdapterClient.scala:54) at scala.concurrent.impl.Future$PromiseCompletingRunnable.liftedTree1$1(Future.scala:24) at scala.concurrent.impl.Future$PromiseCompletingRunnable.run(Future.scala:24) at scala.concurrent.impl.ExecutionContextImpl$AdaptedForkJoinTask.exec(ExecutionContextImpl.scala:121) at 
scala.concurrent.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260) at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339) at scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979) at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107) Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching shr-test.hosp.org found at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868) at sun.security.ssl.Handshaker.process_record(Handshaker.java:804) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1091) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250) at com.sun.jersey.client.urlconnection.URLConnectionClientHandler$1$1.getOutputStream(URLConnectionClientHandler.java:238) at com.sun.jersey.api.client.CommittingOutputStream.commitStream(CommittingOutputStream.java:117) at com.sun.jersey.api.client.CommittingOutputStream.write(CommittingOutputStream.java:89) at 
sun.nio.cs.StreamEncoder.writeBytes(StreamEncoder.java:221) at sun.nio.cs.StreamEncoder.implFlushBuffer(StreamEncoder.java:291) at sun.nio.cs.StreamEncoder.implFlush(StreamEncoder.java:295) at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:141) at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:229) at java.io.BufferedWriter.flush(BufferedWriter.java:254) at com.sun.jersey.core.util.ReaderWriter.writeToAsString(ReaderWriter.java:191) at com.sun.jersey.core.provider.AbstractMessageReaderWriterProvider.writeToAsString(AbstractMessageReaderWriterProvider.java:128) at com.sun.jersey.core.impl.provider.entity.StringProvider.writeTo(StringProvider.java:88) at com.sun.jersey.core.impl.provider.entity.StringProvider.writeTo(StringProvider.java:58) at com.sun.jersey.api.client.RequestWriter.writeRequestEntity(RequestWriter.java:300) at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:217) at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:153) ... 21 more Caused by: java.security.cert.CertificateException: No name matching shr-test.hosp.org found at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:208) at sun.security.util.HostnameChecker.match(HostnameChecker.java:93) at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:347) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:203) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323) ... 48 more

The reason I ask is because my operating system has two different hostname values. A system hostname and a VServer hostname. I'm able to control the system hostname with a hierarchy of configuration. And they are in fact different. And in order for the certificate to match what Java is seeing, I need to avoid this exception and have them match.

See this question for reference:

https://serverfault.com/questions/793689/getting-hostname-on-centos-6-6-from-command-line


JustBeingHelpful
  • Are you sure it has anything to do with your host name? In a cursory look, it seems you are trying to connect to a service using hostname A, and getting a certificate which is for hostname B. So you should instead connect to hostname B, if it resolves to the same address. – RealSkeptic Aug 17 '16 at 14:16
  • What I'm ultimately after is how this Java class gets the two hostname values. I imagine it gets the certificate hostname from the JKS using some JKS function. But how does it get the other hostname value in the value comparison in this class? ... java.security.cert.CertificateException: – JustBeingHelpful Aug 17 '16 at 14:21
  • It gets the certificate directly from the SSL server when it makes the connection. That's part of SSL (or rather TLS, I suppose) negotiation. And I think it compares that to the hostname that you passed in the URL. – RealSkeptic Aug 17 '16 at 14:39
  • Might be more than two, maybe? 1.) hostname in the URL being called from the client 2.) hostname in the JKS keystore on server, 3.) hostname on the server itself. I wonder which of the values is the value coming after the phrase "No name matching"? – JustBeingHelpful Aug 17 '16 at 14:45
  • This looks promising... http://www.jroller.com/hasant/entry/no_subject_alternative_names_matching – JustBeingHelpful Aug 17 '16 at 14:50

1 Answer


I had typed my name in the CN (Common Name) field. So when it did the JKS keystore lookup, it found "MacGyver" and not the CNAME.

The root cause is a software bug when creating a non-third party (aka self-signed SSL certificate using a custom CA) keystore. One of the prompts asks "What is your first and last name?", when it should be asking "What is the Common Name of the certificate?" When finished, and you run the keytool -list command on the keystore, this value gets put into the "CN" field. See below for the incorrect value entered, and notice the "CN" value when finished. Just be careful with this.

keytool -genkey -keyalg RSA -alias shrine-snow -keystore shrine.keystore -storepass XXXXX! -validity 360 -keysize 2048

What is your first and last name?
  [Unknown]:  Angus MacGyver
What is the name of your organizational unit?
  [Unknown]:  Criminal Investigation
What is the name of your organization?
  [Unknown]:  Phoenix Foundation
What is the name of your City or Locality?
  [Unknown]:  Madison
What is the name of your State or Province?
  [Unknown]:  Wisconsin
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Angus MacGyver, OU=Criminal Investigation, O=Phoenix Foundation, L=Madison, ST=Wisconsin, C=US correct?
  [no]:  yes

Enter key password for <selfsigned>
        (RETURN if same as keystore password):XXXXX!
Re-enter new password:XXXXX!

You can check the contents of the store using this:

keytool -v -list -keystore shrine.keystore
JustBeingHelpful
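To see which certificate names Java compares the URL hostname against, here is an added example (not code from the question, the answer or the SHRINE project) that loads the certificate from a JKS alias and applies the RFC 2818 rule the JDK's hostname checker follows: dNSName entries of the SubjectAlternativeName extension are compared first, and the subject CN is consulted only when the certificate has none. The keystore path, store password, alias and hostname are command-line arguments; the file and alias names in the usage comment are the ones from the answer.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Re-implements the RFC 2818 name rule: dNSName SANs first, subject CN only if there are none. */
public class CertNameCheck {
    /** Names the certificate claims: dNSName SANs (GeneralName type 2) if present, else the CN. */
    static List<String> claimedNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        if (cert.getSubjectAlternativeNames() != null) {
            for (List<?> entry : cert.getSubjectAlternativeNames()) {
                if (((Integer) entry.get(0)) == 2) names.add((String) entry.get(1));
            }
        }
        if (names.isEmpty()) {   // no dNSName SAN: fall back to the CN of the subject DN
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if (rdn.getType().equalsIgnoreCase("CN")) names.add(rdn.getValue().toString());
            }
        }
        return names;
    }

    /** Case-insensitive comparison; a leading "*." matches exactly one leftmost label. */
    static boolean matches(String claimed, String host) {
        claimed = claimed.toLowerCase(); host = host.toLowerCase();
        if (!claimed.startsWith("*.")) return claimed.equals(host);
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot + 1).equals(claimed.substring(2));
    }

    public static void main(String[] args) throws Exception {
        // usage: java CertNameCheck shrine.keystore <storepass> shrine-snow shr-test.hosp.org
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[2]);
        List<String> names = claimedNames(cert);
        System.out.println("Subject DN: " + cert.getSubjectX500Principal() + " / names checked: " + names);
        for (String n : names) {
            if (matches(n, args[3])) { System.out.println("OK: " + n + " matches " + args[3]); return; }
        }
        // This is the CN-fallback failure the question's stack trace reports.
        System.out.println("No name matching " + args[3] + " found");
    }
}
```

Run against the keystore from the answer and the program prints the CN "Angus MacGyver" as the only name checked, which is why the handshake fails; regenerate the entry with the server's DNS name as the CN (or better, as a dNSName SAN) and the same run reports a match.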