HTTPWebRequest Remote Certificate Name Mismatch
19-08-2019
Question
I'm trying to make an SSL call using HTTPWebRequest and it's continually failing, saying it can't establish trust. I've added a callback to ServicePointManager.ServerCertificateValidationCallback, and returning true always works. However, I'd like things to be a little more secure than that. Looking at the SslPolicyErrors in the validation method, it appears that I'm getting a RemoteCertificateNameMismatch error. What isn't matching up correctly to cause this kind of error?
(edit: see comments in the answer) The site I'm accessing uses HTTPBasic over SSL and an URL something like v1.api.serviceprovider.com, with a certificate issued to *.serviceprovider.com.
Solution
General certificate issues:
- certificate not issued by a trusted certificate provider (must be in your trust chain)
- certificate expired
This specific error usually means that the certificate isn't issued for the site you are hitting. Examples:
- difference between "www.yoursite.com" and "yoursite.com" (they are different; some big names get this wrong, which really annoys me...)
- accessing as an IP address instead of the name on the cert, or vice versa
- a load balancer redirecting you to "server1.yoursite.com" but giving you the cert from "yoursite.com"
- a load balancer silently passing you to "server1", which is issuing certificates for "server1", not the site
- (edit see comments) a wildcard certificate issued for multiple levels - i.e. issued to *.somesite.org, when you are hitting foo.bar.somesite.org
Most of these are readily identifiable by navigating to the site and reading the warnings that your browser gives you, and inspecting the certificate that got issued.
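As an added example (not part of the original answer), the following C# shows a ServerCertificateValidationCallback that fails closed instead of returning true: it accepts only when .NET reports no policy errors, and otherwise logs which check failed together with the names the certificate actually carries (Subject and Subject Alternative Name), so the mismatch can be diagnosed and fixed on the DNS or server side. It also includes a small single-label wildcard matcher illustrating the last bullet above, using the hostnames from the question as sample input. Class and method names are this example's own, not a .NET API.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Example code (hypothetical class name): a strict, diagnostic validation callback.
static class StrictCertValidation
{
    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // The normal path: the platform validated chain, expiry and name.
        if (sslPolicyErrors == SslPolicyErrors.None)
            return true;

        var cert2 = new X509Certificate2(certificate);
        Console.Error.WriteLine($"TLS validation failed: {sslPolicyErrors}");
        Console.Error.WriteLine($"  Subject: {cert2.Subject}");
        Console.Error.WriteLine($"  Issuer : {cert2.Issuer}");
        Console.Error.WriteLine($"  Valid  : {cert2.NotBefore:u} .. {cert2.NotAfter:u}");

        // Subject Alternative Name (OID 2.5.29.17) lists the DNS names the cert covers;
        // for a name mismatch this is the list to compare against the requested host.
        foreach (X509Extension ext in cert2.Extensions)
        {
            if (ext.Oid != null && ext.Oid.Value == "2.5.29.17")
                Console.Error.WriteLine($"  SAN    : {ext.Format(false)}");
        }

        // Chain problems (untrusted issuer, expired, revoked) come with per-element status.
        if ((sslPolicyErrors & SslPolicyErrors.RemoteCertificateChainErrors) != 0 && chain != null)
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.Error.WriteLine($"  Chain  : {status.Status} - {status.StatusInformation}");
        }

        // The host the request was made to, for side-by-side comparison with the names above.
        if (sender is HttpWebRequest req)
            Console.Error.WriteLine($"  Requested host: {req.RequestUri.Host}");

        return false; // fail closed: never silence a mismatch on the client
    }

    // Single-label wildcard matching as browsers and .NET apply it:
    // the "*" stands for exactly one DNS label, so "*.example.com" matches
    // "api.example.com" but neither "v1.api.example.com" nor "example.com".
    public static bool WildcardMatches(string pattern, string host)
    {
        pattern = pattern.ToLowerInvariant();
        host = host.ToLowerInvariant();
        if (!pattern.StartsWith("*.")) return pattern == host;

        string suffix = pattern.Substring(1);            // ".example.com"
        if (!host.EndsWith(suffix)) return false;
        string leftmost = host.Substring(0, host.Length - suffix.Length);
        return leftmost.Length > 0 && leftmost.IndexOf('.') < 0;
    }

    static void Main()
    {
        // Install the strict callback process-wide for HttpWebRequest.
        ServicePointManager.ServerCertificateValidationCallback = Validate;

        // Sample names from the question (constructed input, no network access needed).
        string[] hosts = { "api.serviceprovider.com", "v1.api.serviceprovider.com", "serviceprovider.com" };
        foreach (string h in hosts)
            Console.WriteLine($"*.serviceprovider.com covers {h}: {WildcardMatches("*.serviceprovider.com", h)}");
    }
}
```

Running Main shows that a certificate issued to *.serviceprovider.com covers one label below the apex only, which is exactly why a request to v1.api.serviceprovider.com yields RemoteCertificateNameMismatch; the fix is a certificate that names the host (directly or via a SAN entry), not a callback that returns true.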