

To solve it on my client node.js app I needed to put a subjectAltName on my server_extension with the following value:

And then I use -extension when I create and sign the certificate.

I had the same issue about my server certificate on my client request. But even if we change localhost for 127.0.0.1 or any other IP we'll get error Hostname/IP doesn't match certificate's altnames on node.js or SSL handshake failed on QT. We don't have this problem if we are testing our client request with localhost destination address (host or hostname on node.js) and our server common name is CN = localhost in the server cert.

R('', opts, function (error, response, body) = response

If you have the CA cert that is used to generate the certificate you're using (usually the case when using self-signed certificates), this can be provided with

var r = require('request')

Hostname/IP doesn't match certificate's altnames

If the certificate has Subject Alternative Names and the hostname is not listed, you'll see the error message described:

This is in the checkServerIdentity function. If you are using node >= 0.11.x, you can also specify a checkServerIdentity: function(host, cert) function to the tls module, which should return undefined if you want to allow the connection and throw an exception otherwise (although I don't know if request will proxy this flag through to tls for you.) It can be handy to declare such a function and console.log(host, cert) to figure out what the heck is going on.

After verifying that the certificate is issued by a known Certificate Authority (CA), the Subject Alternative Names will be checked, or the Common Name will be checked, to verify that the hostname matches.
Setting the rejectUnauthorized flag to false will get around this check, but first of all if the server is giving you different credentials than you are expecting, something fishy is going on, and second this will also bypass other checks - it's not a good idea if you're connecting over the Internet.

Note that, in node 0.10.x, if you connect using an IP, the IP address has to be in the altnames - node.js will not try to verify the IP against the CN.

When node.js connects to a server, node.js fetches this certificate, and then verifies that the domain name it thinks it's connecting to () matches either the subject's CN or one of the altnames.

When you connect to a server using SSL, the first thing the server does is present a certificate which says "I am ." The certificate has a "subject" and the subject has a "CN" (short for "common name".) The certificate may also have one or more "subjectAltNames".

A slightly updated answer (since I ran into this problem in different circumstances.)
