Troubleshooting Guide
How can I fix the javax.net.ssl.SSLException: hostname in certificate didn't match: <ip address> != <localhost> exception?
Reason for occurrence
The javax.net.ssl.SSLException: hostname in certificate didn't match: <ip address> != <localhost> exception is very common. It occurs whenever the WSO2 product server is accessed using an IP address or hostname other than localhost (e.g., https://10.100.0.77:9443/portal instead of https://localhost:9443/portal).
The exception occurs because the self-signed certificate shipped with WSO2 products is issued for the hostname localhost. As a result, Apache Shindig rejects HTTPS requests that reach the server under any other hostname or IP address.
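The following Python models the hostname check behind this exception. It is an added illustration, not code from this page, WSO2 or the JDK: certificate identities are represented as ("dns", name) tuples taken from the CN or SubjectAltName and ("ip", address) tuples from an iPAddress SAN, and the function, tuple and message names are my own.

```python
"""Model of the hostname check behind the page's SSLException (added example, not
WSO2 or JDK code). Certificate identities are ("dns", name-or-wildcard) from the CN
or SubjectAltName, or ("ip", address) from an iPAddress SAN."""
import ipaddress

def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; a wildcard may only be the
    whole leftmost label, never spans a dot, and needs at least two more labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in "".join(p_labels[1:]) or len(p_labels) < 3:
        return False                      # rejects *.com and foo.*.com patterns
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]

def cert_matches_host(identities, host: str) -> bool:
    """True if the requested host matches one certificate identity. An IP literal
    (e.g. 10.100.0.77) is compared only against iPAddress entries: neither a CN
    nor a wildcard such as *.foo.com ever covers an IP address."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in identities:
        if ip is not None:
            if kind == "ip" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "dns" and dns_name_matches(value, host):
            return True
    return False

def verify(identities, host: str) -> str:
    """Mimic the exception text from the page for a failed match."""
    names = ", ".join(value for _, value in identities)
    if cert_matches_host(identities, host):
        return f"OK: {host} matches <{names}>"
    return f"hostname in certificate didn't match: <{host}> != <{names}>"
```

It shows why the shipped localhost certificate fails for https://10.100.0.77:9443 and why a *.foo.com certificate covers test.foo.com but not an access by IP address; if the server must be reached by IP, the certificate needs an iPAddress SAN (keytool's -ext SAN=ip:... option), which a CN alone cannot provide.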
Overcoming the issue
To overcome this issue, you have to create and add a certificate for the IP address or domain name used to access the server.
Follow the instructions below. They assume that you are adding a self-signed certificate for the domain foo.com.
Step 1 - Create a self-signed Java KeyStore file and include your domain as the Common Name (CN)
Open a terminal and run the following command to generate a KeyStore:
    keytool -genkey -alias test.foo.com -keyalg RSA -keystore foo.jks -keysize 2048
Specify a preferred KeyStore password when prompted:
    Enter keystore password: <keystore_password>
    Re-enter new password: <keystore_password>
Enter *.foo.com as the first and last name, and fill out the other information accordingly when prompted. Example:
    What is your first and last name?
      [Unknown]:  *.foo.com
    What is the name of your organizational unit?
      [Unknown]:
    What is the name of your organization?
      [Unknown]:  WSO2
    What is the name of your City or Locality?
      [Unknown]:  Mountain View
    What is the name of your State or Province?
      [Unknown]:  CA
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=*.foo.com, OU=Unknown, O=WSO2, L=Mountain View, ST=CA, C=US correct?
      [no]:  yes
Specify a preferred private key password when prompted:
    Enter key password for <test.foo.com>
        (RETURN if same as keystore password): <key_password>
    Re-enter new password: <key_password>
Here <key_password> is the private key password you chose; you will need it again in Step 4 as the <KeyPassword> value in carbon.xml.
This generates a KeyStore containing a private key and a public certificate whose CN is *.foo.com.
Step 2 - Configure the SSL KeyStore
Follow these instructions to configure the WSO2 product with the generated KeyStore:
- Copy the generated self-signed keystore, foo.jks, which was created in Step 1, into the <PRODUCT_HOME>/repository/resources/security directory.
- Export the public certificate from the keystore and import it into the client-truststore.jks file:
  - Navigate to the <PRODUCT_HOME>/repository/resources/security directory.
  - Export the public certificate from the primary KeyStore:
        keytool -export -alias test.foo.com -file test.foo.com -keystore foo.jks -storepass <KEYSTORE_PASSWORD_GIVEN_ABOVE>
  - Import the certificate into the client-truststore.jks file (wso2carbon is the default truststore password):
        keytool -import -alias test.foo.com -file test.foo.com -keystore client-truststore.jks -storepass wso2carbon
Step 3 - Update the KeyStoreFile and KeyStorePass parameters of the Tomcat HTTPS connector
Change the keystoreFile and keystorePass parameters of the Server.Service.Connector configuration for port 9443 in the <PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml file as follows, so that it points to the new SSL KeyStore:
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="9443"
               bindOnInit="false"
               sslProtocol="TLS"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               maxHttpHeaderSize="8192"
               acceptorThreadCount="2"
               maxThreads="250"
               minSpareThreads="50"
               disableUploadTimeout="false"
               enableLookups="false"
               connectionUploadTimeout="120000"
               maxKeepAliveRequests="200"
               acceptCount="200"
               server="WSO2 Carbon Server"
               clientAuth="false"
               compression="on"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               compressionMinSize="2048"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/javascript,application/x-javascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image/jpeg"
               keystoreFile="${carbon.home}/repository/resources/security/foo.jks"
               keystorePass="<KEYSTORE_PASSWORD_GIVEN_ABOVE>"
               URIEncoding="UTF-8"/>
- Restart the server for the changes to take effect.
Step 4 - Configure the dashboard
Update the <Password>, <KeyAlias> and <KeyPassword> values (and the <Location>, as shown) under the <KeyStore> element in the <PRODUCT_HOME>/repository/conf/carbon.xml file to match your new keystore configuration:
    <KeyStore>
        <!-- Keystore file location -->
        <Location>${carbon.home}/repository/resources/security/foo.jks</Location>
        <!-- Keystore type (JKS/PKCS12 etc.) -->
        <Type>JKS</Type>
        <!-- Keystore password -->
        <Password><KEYSTORE_PASSWORD></Password>
        <!-- Private Key alias -->
        <KeyAlias><NAME_OF_THE_ALIAS></KeyAlias>
        <!-- Private Key password -->
        <KeyPassword><KEY_PASSWORD></KeyPassword>
    </KeyStore>
Update the portal.json file. Navigate to the <PRODUCT_HOME>/repository/deployment/server/jaggeryapps/portal.json file and change the value of the identityAlias property under the sso object to the new alias name (test.foo.com in this example) as follows:
    "sso": {
        "attributes": {
            "issuer": "portal",
            "identityProviderURL": "https://localhost:9443/samlsso",
            "responseSigningEnabled": false,
            "acs": "https://localhost:9444/portal/acs",
            "identityAlias": "test.foo.com",
            "defaultNameIDPolicy": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
            "useTenantKey": false,
            "isPassive": false
        }
    },
    "basic": {
        "attributes": {}
    }
Change the hostname value under the host object to the new hostname (or IP address) as follows:
    "host": {
        "hostname": "<new_host_name>",
        "port": "",
        "protocol": ""
    }