I am using the Apache CXF plugin (I have tried both 1.5.6 and 1.6.1) with Grails (2.2.3) to call a web service over SSL.
I am sometimes getting the error "The https URL hostname does not match the Common Name (CN) on the server certificate in the client's truststore. Make sure server certificate is correct, or to disable this check (NOT recommended for production) set the CXF client TLS configuration property "disableCNCheck" to true."
However, it doesn't always occur. Usually it will work a few times, and then I will start getting the error. I am starting to suspect that the error message does not reflect the actual problem. I have set disableCNCheck to true in Config.groovy, but I still see the same behavior:
    cxf {
        client {
            requestClient {
                clientInterface = gov.agency.RequestPortType
                serviceEndpointAddress = "https://agency.gov/service"
                secureSocketProtocol = CxfClientConstants.SSL_PROTOCOL_TLSV1
                tlsClientParameters = [disableCNCheck: true]
            }
        }
    }
Any thoughts?
Here is a snippet of the debug output from the plugin:
2014-05-06 09:32:36,507 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain - Invoking handleMessage on interceptor org.apache.cxf.interceptor.BareOutInterceptor@464ea113
2014-05-06 09:32:36,507 [http-bio-8080-exec-9] DEBUG http.Headers - Accept: */*
2014-05-06 09:32:36,507 [http-bio-8080-exec-9] DEBUG http.Headers - SOAPAction: "tns:ProvideAndRegisterDocumentSet-bRequest"
2014-05-06 09:32:36,507 [http-bio-8080-exec-9] DEBUG http.TrustDecisionUtil - No Trust Decider for Conduit '{urn:ihe:iti:xdr:async:request:2007}XDRRequest_PortTypePort.http-conduit'. An afirmative Trust Decision is assumed.
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.interceptor.BareOutInterceptor@464ea113
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor@5fa570da
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.interceptor.StaxOutInterceptor@111ad6e7
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.interceptor.AttachmentOutInterceptor@1de6a407
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.interceptor.LoggingOutInterceptor@15024134
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.interceptor.MessageSenderInterceptor@4706c7b2
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.SoapPreProtocolOutInterceptor@54310a74
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.binding.soap.interceptor.SoapHeaderOutFilterInterceptor@7912e076
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.jaxws.interceptors.WrapperClassOutInterceptor@7ec40b92
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.jaxws.interceptors.SwAOutInterceptor@e209b8c
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.jaxws.interceptors.HolderOutInterceptor@78d3df42
2014-05-06 09:32:36,621 [http-bio-8080-exec-9] DEBUG phase.PhaseInterceptorChain - Invoking handleFault on interceptor org.apache.cxf.ws.policy.PolicyOutInterceptor@295cf1bb
2014-05-06 09:32:36,626 [http-bio-8080-exec-9] WARN phase.PhaseInterceptorChain - Interceptor for {urn:ihe:iti:xdr:async:request:2007}XDRRequestPortTypeService#{urn:ihe:iti:xdr:async:request:2007}ProvideAndRegisterDocumentSet-bRequest has thrown exception, unwinding now
Message: The https URL hostname does not match the Common Name (CN) on the server certificate in the client's truststore. Make sure server certificate is correct, or to disable this check (NOT recommended for production) set the CXF client TLS configuration property "disableCNCheck" to true.
Line | Method
->> 101 | writeParts in org.apache.cxf.interceptor.AbstractOutDatabindingInterceptor
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| 68 | handleMessage in org.apache.cxf.interceptor.BareOutInterceptor
| 262 | doIntercept . . . in org.apache.cxf.phase.PhaseInterceptorChain
| 531 | doInvoke in org.apache.cxf.endpoint.ClientImpl
| 464 | invoke . . . . . in ''
| 367 | invoke in ''
| 320 | invoke . . . . . in ''
| 89 | invokeSync in org.apache.cxf.frontend.ClientProxy
| 134 | invoke . . . . . in org.apache.cxf.jaxws.JaxWsClientProxy
| 424 | invoke in com.grails.cxf.client.WebServiceClientFactoryImpl$WSClientInvocationHandler
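
One way to test whether an intermittent CN mismatch like this comes from different backends behind the same hostname presenting different certificates, which is an assumption and not something the post establishes. This is an added example in Python, not code from the post or from the CXF plugin; the backend IPs and certificate data are constructed, and the function names are illustrative.

```python
import socket
import ssl

def cert_names(cert):
    """DNS names a client may match: SAN dNSName entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def host_ok(cert, host):
    return any(name_matches(n, host) for n in cert_names(cert))

def fetch_cert(ip, host, port=443, timeout=5):
    """Handshake with one backend IP, sending `host` as SNI. The chain is still
    validated against the default trust store; only the hostname check is off,
    so the presented names can be inspected even when they do not match."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def survey(host, certs_by_backend):
    """Map backend -> (names presented, whether they cover `host`)."""
    return {b: (cert_names(c), host_ok(c, host)) for b, c in certs_by_backend.items()}

# Constructed sample data in ssl.getpeercert() format (not taken from the post).
SAMPLE = {
    "192.0.2.10": {"subject": ((("commonName", "agency.gov"),),),
                   "subjectAltName": (("DNS", "agency.gov"), ("DNS", "www.agency.gov"))},
    "192.0.2.11": {"subject": ((("commonName", "node2.internal.example"),),)},
}

if __name__ == "__main__":
    for backend, (names, ok) in survey("agency.gov", SAMPLE).items():
        print(backend, names, "OK" if ok else "MISMATCH")
```

To run it against a live service, build the dictionary with `fetch_cert(ip, host)` for each address returned by `socket.getaddrinfo(host, 443)`, repeating the handshake a few times per address.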