我使用Java消費某網站一個Restful API時,遇到這個錯誤:
21:31:16.383 [main] DEBUG org.springframework.web.client.RestTemplate - Created GET request for “https://127.0.0.1:5031/commerce/product” 21:31:16.388 [main] DEBUG org.springframework.web.client.RestTemplate - Setting request Accept header to [text/plain, application/json, application/*+json, /] Exception in thread “main” org.springframework.web.client.ResourceAccessException: I/O error on GET request for “https://127.0.0.1:5031/commerce/product”: java.security.cert.CertificateException: No subject alternative names present; nested exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:673) at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:620) at org.springframework.web.client.RestTemplate.getForEntity(RestTemplate.java:319) at com.sap.prolikeService.service.impl.CommerceProductService.getProductDetailByID(CommerceProductService.java:23) at com.sap.prolikeService.sandbox.SandboxTest.getProductDetailTest(SandboxTest.java:45) at com.sap.prolikeService.sandbox.SandboxTest.main(SandboxTest.java:49) Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1506) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) at org.springframework.http.client.SimpleBufferingClientHttpRequest.executeInternal(SimpleBufferingClientHttpRequest.java:78) at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48) at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53) at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:659) … 5 more Caused by: java.security.cert.CertificateException: No subject alternative names present at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:144) at sun.security.util.HostnameChecker.match(HostnameChecker.java:93) at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455) at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1488) … 19 more
錯誤的核心就一句:No subject alternative names present
解決方案:重新生成證書,将缺失的IP位址包含在證書的extension部分即可。指令行如下:
keytool -genkey -alias tomcat2 -keyalg RSA -keystore ./jerry2.keystore -ext SAN=dns:test.abc.com,ip:127.0.0.1
證書生成後,在Subject Alternative names區域能看到IP位址:
之後原始的錯誤就消失了:
