Question

I’m trying to consume a secured web service hosted on WSO2 AS, so I created a new certificate in the existing wso2carbon.jks file of the server and added it to the client JVM cacerts, but I’m getting this error:

java.security.cert.CertificateException: No subject alternative names present

Nevertheless, if I create a brand new wso2carbon.jks and overwrite the old one in the server after adding the new certificate to the client JVM cacerts, I can consume the secured service, but other things in AS stop working, like datasources. I tried adding the new certificate to the client-truststore.jks in the server, but datasources still don’t work. I’m working with AS 5.0.0. Thanks in advance.

Solution

When you add your own certificate, you need to modify the WSO2 configuration files to point to your certificate. Basically, you need to modify repository/conf/carbon.xml and repository/conf/tomcat/catalina-server.xml. In the case of ESB, you need to modify repository/conf/axis2/axis2.xml as well. The changes needed are described in this blog.

The error that you faced with data sources is because of the change of certificates. The reason is that WSO2 encrypts the datasource passwords using the current keystore certificate at the time of datasource creation. To fix the error, you will need to remove your datasources and re-add them. No need to re-create your data-services though.

Other tips

Have you changed the host name (in the carbon.xml) of the AS?

1st Case: The default wso2carbon.jks has its CN as localhost, so you need to change the keystore if you are working with a different host name, or else you need to invoke the hosted web service using localhost.

2nd Case: If you changed (created and replaced) the wso2carbon.jks of the AS with an appropriate CN, you need to extract its public certificate and import it into cacerts and client-truststore.jks of all other carbon servers which contact the AS.

HTH,

DarRay

Your client is trying to check the domain name or IP of the server against the domain name or IP in the certificate to ensure that it is reaching the right server. You need to create a new certificate to use that has a subject alternative name equal to the domain name or IP of the server, whichever the client is using to connect.
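
The steps the answers above describe (create a certificate whose subject alternative name matches what the client connects to, then import its public certificate into the client truststore), as an added keytool example that is not part of the original answers. The host name, alias, passwords and file names are constructed sample values.

```shell
#!/bin/sh
# Added example. HOST, ALIAS, PASS and file names are constructed sample values.

# Build the keytool -ext argument: IPv4 literals need an ip: entry,
# anything else a dns: entry. The value must be what the client connects to.
san_ext() {
  case "$1" in
    *[!0-9.]*) printf 'SAN=dns:%s' "$1" ;;
    *)         printf 'SAN=ip:%s' "$1" ;;
  esac
}

# Create a key pair whose self-signed certificate carries the SAN.
# Args: host keystore alias password
make_keystore() {
  keytool -genkeypair -alias "$3" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$1" -ext "$(san_ext "$1")" \
    -keystore "$2" -storetype JKS -storepass "$4" -keypass "$4"
}

# Succeeds only if the certificate stored under the alias has a SAN extension.
# Args: keystore alias password
has_san() {
  keytool -list -v -keystore "$1" -alias "$2" -storepass "$3" |
    grep -q 'SubjectAlternativeName'
}

# Export the public certificate and import it into a client truststore.
# Args: keystore alias password truststore truststore_password
trust_cert() {
  keytool -exportcert -rfc -keystore "$1" -alias "$2" -storepass "$3" \
    -file "$2.pem" &&
  keytool -importcert -noprompt -alias "$2" -file "$2.pem" \
    -keystore "$4" -storepass "$5"
}

# Demo in a scratch directory: sh san-cert.sh run
if [ "${1:-}" = "run" ]; then
  HOST=as.example.com ALIAS=as-san PASS=changeit-sample
  cd "$(mktemp -d)" || exit 1
  make_keystore "$HOST" server.jks "$ALIAS" "$PASS" || exit 1
  has_san server.jks "$ALIAS" "$PASS" || { echo "no SAN in certificate" >&2; exit 1; }
  trust_cert server.jks "$ALIAS" "$PASS" client-truststore.jks "$PASS" || exit 1
  echo "certificate for $HOST created and trusted in $(pwd)"
fi
```

On a real server the keystore, alias and password used here have to match what carbon.xml and catalina-server.xml point to, and the truststore is the client JVM's cacerts.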

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow