I am using balance-transfer sample to spin up a fabric network. The sample has generated crypto-material. I am using the same references of artifact folder and network-config.yaml in my Fabric-SDK-JAVA integration.

I am able to enroll/register users, query chaincode and even all the transactions are getting endorsed successfully by all the peers of the channel.

But, transaction submit to orderer for commit fails with an error:

Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching localhost found.
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:214) ~[na:1.8.0_181]
at sun.security.util.HostnameChecker.match(HostnameChecker.java:96) ~[na:1.8.0_181]
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455) ~[na:1.8.0_181]
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436) ~[na:1.8.0_181]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252) ~[na:1.8.0_181]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[na:1.8.0_181]
at io.netty.handler.ssl.OpenSslTlsv13X509ExtendedTrustManager.checkServerTrusted(OpenSslTlsv13X509ExtendedTrustManager.java:239) ~[netty-handler-4.1.36.Final.jar:4.1.36.Final]
at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:247) ~[netty-handler-4.1.36.Final.jar:4.1.36.Final]
at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:697) ~[netty-handler-4.1.36.Final.jar:4.1.36.Final]
at io.netty.internal.tcnative.SSL.readFromSSL(Native Method) ~[netty-tcnative-boringssl-static-2.0.25.Final.jar:2.0.25.Final]
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:570) ~[netty-handler-4.1.36.Final.jar:4.1.36.Final]
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1146) ~[netty-handler-4.1.36.Final.jar:4.1.36.Final]
... 25 common frames omitted

The strange thing is that the same network works perfectly with the Node SDK. I am not sure if I am missing some required configuration to work with SSL (as it's enabled by default in the balance-transfer sample network).

I have added host entries in my host file.

Nitish Bhardwaj

1 Answer

Even if it is the local host, you have to use a hostname that is covered by the certificate (i.e. it is one of the Subject Alternative Names). (In more complicated cases you can use your own javax.net.ssl.HostnameVerifier, but that is not needed here.)

Lorinczy Zsigmond
  • Agreed. Thanks for the input. I didn't know that localhost wasn't being used to generate the certificate along with the hostName. – Nitish Bhardwaj Jun 04 '19 at 04:18
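
Added example, not part of the original question or answer: a small Java check that lists the dNSName Subject Alternative Names of a TLS certificate and tests whether the hostname the client connects to is covered by one of them. The class name `SanCheck`, the sample SAN list used when no arguments are given, and the simplified wildcard rule (whole left-most label only) are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

public class SanCheck {
    private static final int DNS_NAME = 2; // GeneralName tag for dNSName (RFC 5280)

    // Collect the dNSName SAN entries from a PEM or DER certificate file.
    static List<String> dnsNames(String certPath) throws Exception {
        try (InputStream in = new FileInputStream(certPath)) {
            X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            List<String> names = new ArrayList<>();
            Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null if no SAN extension
            if (sans != null) {
                for (List<?> san : sans) {
                    if (((Integer) san.get(0)) == DNS_NAME) {
                        names.add((String) san.get(1));
                    }
                }
            }
            return names;
        }
    }

    // Case-insensitive match; "*" may replace the whole left-most label only (simplified rule).
    static boolean matches(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return h.equals(p);
        int dot = h.indexOf('.');
        return dot > 0 && h.substring(dot).equals(p.substring(1));
    }

    public static void main(String[] args) throws Exception {
        // Usage: java SanCheck <cert-file> <host>. Without arguments, constructed sample values are used.
        List<String> names = args.length == 2 ? dnsNames(args[0])
                : Arrays.asList("orderer.example.com", "orderer"); // constructed sample SAN list
        String host = args.length == 2 ? args[1] : "localhost";
        boolean ok = names.stream().anyMatch(n -> matches(host, n));
        System.out.println("DNS SANs: " + names);
        System.out.println(host + (ok ? " is covered" : " is NOT covered; connect using one of the names above"));
    }
}
```

Run it against the orderer's TLS server certificate and the hostname from the client configuration; a "NOT covered" result corresponds to the `No subject alternative DNS name matching localhost found` error in the stack trace.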