
I am using WSO2 Identity Server as an internal key manager for WSO2 API Manager with a shared_db, and I started the two servers based on the documentation here. I got this error in API Manager:

ERROR {org.wso2.carbon.apimgt.rest.api.util.exception.GlobalThrowableMapper} - An unknown exception has been captured by the global exception mapper. feign.RetryableException: Certificate for <x.x.x.x> doesn't match any of the subject alternative names: [localhost] executing GET https://x.x.x.x:9443/oauth2/token/.well-known/openid-configuration.

x.x.x.x is the Identity Server IP.

ycr
behzad

2 Answers

The error simply indicates that the certificate you have for IS has the CN localhost and you are trying to access it with a different host (in this case the IP), which causes hostname verification to fail.

The correct solution to resolve this issue is to create proper certificates with the correct CN/SAN names and use one of them to access the Identity Server.

As a workaround, although it's not recommended, you can try disabling hostname verification by adding the following properties to the server startup script. (Not sure what the exact parameter is that will do the trick, but try the following.)

-Dorg.opensaml.httpclient.https.disableHostnameVerification=true \
-Dhttpclient.hostnameVerifier=AllowAll \
-Dfeign.httpclient.disableSslValidation=true \
ycr
  • Thanks @ycr, it didn't work in the latest version of API Manager and Identity Server; I think I should create a custom CA. – behzad Sep 12 '22 at 04:12

We had the same issue when upgrading from IS 5.11.0 to 6.0.0.

The SSL certificates generated with Let's Encrypt didn't have localhost as a Security Alternative Name (SAN). The workaround with self-signed certificates that include localhost as a SAN is OK, but not what we needed.

We have bypassed it by adding the internal_hostname parameter under the [server] block inside the <IS_HOME>/repository/conf/deployment.toml config file:

[server]
hostname = "is.wso2.com"
internal_hostname = "is.wso2.com"

Make sure you replace is.wso2.com with your DNS name. More details can be found here: https://is.docs.wso2.com/en/latest/deploy/change-the-hostname/

Bobi Lungu
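The following is an added example, not code from the question, from either answer or from WSO2. It reproduces the hostname-verification rule behind the error in the question (an IP literal in the URL is only ever matched against iPAddress SAN entries, so a certificate whose only SAN is DNS:localhost can never satisfy https://x.x.x.x:9443/...) and shows why the first answer's "proper CN/SAN" fix and the second answer's internal_hostname change both work: the host name API Manager dials must appear in the certificate's SANs. The certificate dicts are constructed samples in the layout ssl.SSLSocket.getpeercert() returns; 192.0.2.10 is an assumed placeholder IP, is.wso2.com is taken from the second answer, and fetch_peer_cert is a hypothetical helper that needs network access and the IS certificate exported from client-truststore.jks.

```python
"""Check whether the certificate a WSO2 server presents covers the host name
(or IP literal) a client such as API Manager will use to reach it.

The matching rule is the standard one applied by Java HTTPS clients such as
Apache HttpClient (whose DefaultHostnameVerifier produces the wording in the
question's error), reproduced here so the mismatch can be tested offline.
"""
import ipaddress
import socket
import ssl
from typing import List, Optional, Tuple


def san_entries(cert: dict) -> List[Tuple[str, str]]:
    """(type, value) pairs from subjectAltName in getpeercert() layout,
    e.g. ('DNS', 'localhost') or ('IP Address', '192.0.2.10')."""
    return list(cert.get("subjectAltName", ()))


def common_name(cert: dict) -> Optional[str]:
    """Subject CN, or None if the certificate has no CN."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName comparison; a leading '*.' covers exactly
    one label and never the bare parent domain."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # e.g. ".wso2.com"
        prefix = host[: -len(suffix)]
        return host.endswith(suffix) and prefix != "" and "." not in prefix
    return pattern == host


def cert_matches_host(cert: dict, host: str) -> Tuple[bool, str]:
    """Return (ok, reason). An IP literal is matched only against iPAddress
    SAN entries, so a certificate whose only SAN is DNS:localhost fails for
    https://x.x.x.x:9443/... exactly as the error in the question shows."""
    sans = san_entries(cert)
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(host)
    except ValueError:
        wanted_ip = None                          # host is a DNS name

    if wanted_ip is not None:
        for value in ip_names:
            try:
                if ipaddress.ip_address(value) == wanted_ip:
                    return True, f"matched iPAddress SAN {value}"
            except ValueError:
                continue
        return False, (f"Certificate for <{host}> doesn't match any of the "
                       f"subject alternative names: {dns_names + ip_names}")

    for name in dns_names:
        if dns_name_matches(name, host):
            return True, f"matched dNSName SAN {name}"
    if sans:
        return False, (f"Certificate for <{host}> doesn't match any of the "
                       f"subject alternative names: {dns_names + ip_names}")

    # No SAN extension at all: verifiers fall back to the subject CN.
    cn = common_name(cert)
    if cn and dns_name_matches(cn, host):
        return True, f"matched CN {cn} (no SAN present, legacy fallback)"
    return False, f"Certificate for <{host}> matches neither a SAN nor CN {cn!r}"


def fetch_peer_cert(host: str, port: int = 9443,
                    cafile: Optional[str] = None) -> dict:
    """Hypothetical helper (needs network access): return a live server's
    certificate as a dict. The chain is verified against `cafile` (e.g. the IS
    certificate exported from client-truststore.jks with
    `keytool -exportcert -rfc -alias wso2carbon`), but hostname checking is
    turned off so the SANs can be inspected with cert_matches_host() instead
    of the handshake failing early. getpeercert() returns {} if the chain
    is not validated, which is why CERT_NONE is not used here."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False                    # we check the hostname ourselves
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() layout. DEFAULT_IS_CERT models the stock
# certificate (CN=localhost, SAN DNS:localhost) named in the question's error;
# FIXED_IS_CERT models one issued for the DNS name used in the second answer
# plus an assumed iPAddress SAN of 192.0.2.10 (placeholder, not from the page).
DEFAULT_IS_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"),),
}
FIXED_IS_CERT = {
    "subject": ((("commonName", "is.wso2.com"),),),
    "subjectAltName": (("DNS", "is.wso2.com"), ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    for cert, host in [(DEFAULT_IS_CERT, "192.0.2.10"),   # the reported failure
                       (DEFAULT_IS_CERT, "localhost"),
                       (FIXED_IS_CERT, "192.0.2.10"),
                       (FIXED_IS_CERT, "is.wso2.com")]:   # after the hostname fix
        ok, why = cert_matches_host(cert, host)
        print("OK  " if ok else "FAIL", host, "->", why)
```

Run it against a live node with `cert_matches_host(fetch_peer_cert("x.x.x.x", 9443, cafile="wso2carbon.pem"), "x.x.x.x")` before changing deployment.toml: the reason string tells you which SAN the certificate would need, and the same call with the DNS name from `internal_hostname` confirms the configuration fix will pass verification without disabling it.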