Issue
I am executing this curl command and it works well.
curl --tlsv1.2 -k -iv -X POST -H "Content-Type:text/xml" --key node-key.key --cert node.crt --data-raw 'PAYLOAD' https://IP_ADDRESS:PORT/uri -u "test:test"
I made a p12 file from the key and cert:
openssl pkcs12 -export -in node.crt -inkey node-key.key -out node-store.p12
and fetched the self-signed cert from the server with this command (then saved the output in node-self-sign.pem):
openssl s_client -connect IP_ADDRESS:PORT 2>/dev/null </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
and generated a JKS for node-self-sign.pem using this command:
keytool -keystore node-KeyStore.jks -alias selfsigncert -import -file node-self-sign.pem
and used the JKS file and the p12 file in the following Spring Boot code:
@PostConstruct
public void initEcwConnection() {
    try {
        // jks (trust store), p12 (client key store) and pass are fields set elsewhere;
        // cert is not used further in this snippet.
        File cert = new File(ecwCertPath);
        SSLContext sslContext = SSLContextBuilder.create()
                // trust the server's self-signed cert imported into the JKS
                .loadTrustMaterial(jks, pass.toCharArray())
                // present the client cert/key from the p12 (store password, key password)
                .loadKeyMaterial(p12, pass.toCharArray(), pass.toCharArray())
                .build();
        // no custom hostname verifier is set, so HttpClient's default one applies
        CloseableHttpClient client = HttpClients.custom().setSSLContext(sslContext).build();
        requestFactory = new HttpComponentsClientHttpRequestFactory();
        requestFactory.setHttpClient(client);
    } catch (Exception exp) {
        LOGGER.error(exp.getMessage(), exp);
    }
}
and used the RestTemplate as follows:
HttpHeaders headers = new HttpHeaders();
File file = new File("paybundle.xml");
String payload;
// read the XML payload; try-with-resources closes the stream
try (FileInputStream fis = new FileInputStream(file)) {
    payload = new String(fis.readAllBytes());
}
HttpEntity<String> entity = new HttpEntity<String>(payload, headers);
// ecwTemplate is a RestTemplate built on the requestFactory above
ResponseEntity<String> response = ecwTemplate.exchange("https://IP_ADDRESS:8010/vsl/preapproval", HttpMethod.POST, entity, String.class);
System.out.println(response.getBody());
OUTPUT:
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <IP_ADDRESS> doesn't match any of the subject alternative names: []
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) ~[httpclient-4.5.13.jar:4.5.13]
at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:87) ~[spring-web-5.3.19.jar:5.3.19]
at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48) ~[spring-web-5.3.19.jar:5.3.19]
at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:66) ~[spring-web-5.3.19.jar:5.3.19]
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:776) ~[spring-web-5.3.19.jar:5.3.19]
Solution
You're almost done. Just check the CN in your certificate file using
openssl x509 -noout -subject -in node-self-sign.pem
and use the CN to connect to the server.
Answered By - nawar alnaami
Answer Checked By - Katrina (JavaFixing Volunteer)
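Added example, not code from the question or the answer: a small standalone Java class (the HostnameCheck name and its argument handling are mine) that loads node-self-sign.pem and runs the same DefaultHostnameVerifier that HttpClient 4.5 applies, so you can see which host names the server certificate will pass before wiring up the RestTemplate. It assumes httpclient 4.5.x on the classpath.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLException;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;

// Hypothetical helper class (not from the question): dry-run HttpClient 4.5's
// hostname verification against a PEM certificate before using it in the app.
public class HostnameCheck {

    // Parse the PEM saved from `openssl s_client` into an X509Certificate.
    static X509Certificate loadPem(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Usage: java HostnameCheck node-self-sign.pem IP_ADDRESS some.host.name ...
    public static void main(String[] args) throws Exception {
        X509Certificate cert = loadPem(args[0]);
        System.out.println("Subject: " + cert.getSubjectX500Principal().getName());

        // Each SAN entry is [type, value]; type 2 = DNS name, type 7 = IP address.
        // null means the certificate carries no SAN extension at all.
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            System.out.println("SANs: none (extension absent)");
        } else {
            for (List<?> san : sans) {
                System.out.println("SAN type " + san.get(0) + ": " + san.get(1));
            }
        }

        // The verifier HttpClient applies when no custom one is configured.
        DefaultHostnameVerifier verifier = new DefaultHostnameVerifier();
        for (int i = 1; i < args.length; i++) {
            try {
                verifier.verify(args[i], cert);
                System.out.println(args[i] + ": accepted");
            } catch (SSLException e) {
                System.out.println(args[i] + ": rejected - " + e.getMessage());
            }
        }
    }
}
```

Note that the curl command in the question passes -k, which skips certificate verification entirely, so it never exercises this check; the HttpClient path does.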