Django raising error - hostname doesnot match.

[Rahul Paul]

Hi, 

I am using requests package to send a post request to an API within my application.

I am using the request as : 

requests.post("https://xx.xxx.xxx.xxx/my-admin/api/api2", data=data)

where "xx.xxx.xxx.xxx" is the IP of my server on which this API is hosted.

When I am trying to call this API from my application, django is raising an  exception as follows:

SSLError: hostname 'xx.xxx.xxx.xxx' doesn't match 'xxx.com'

But when I put the domain name in the request i.e. "xxx.com", it gives me proper result. Also when I put verify=False along with the request, my application gives me proper result even with IP addess in the request. However the very same API is returning proper result with both --- IP address and domain name.

My server has a CA signed certificate but the DNS have forward entry but doesnot have a PTR entry. I have also verified with digicert.com and found that when I am entering the domain name, it is giving proper IP address but when I am giving IP address, it is not able to resolve the domain name. 

This API was functioning working correctly with IP address when we had self signed certificate.

Also I am using nginx-gunicorn to run my application.

Please help me with understanding why this is happening and what are the best possible solutions for this problem.

Thanks in advance.

[Rahul Paul]

In some place I wrote that "However the very same API is returning proper result with both --- IP address and domain name". I would like to correct hat this scenario is working when I am hitting the API from POSTMAN.

[James Schneider]

On Nov 10, 2017 3:45 AM, "Rahul Paul" <rahulp...@gmail.com> wrote:

Hi, 

I am using requests package to send a post request to an API within my application.

I am using the request as : 

requests.post("https://xx.xxx.xxx.xxx/my-admin/api/api2", data=data)

where "xx.xxx.xxx.xxx" is the IP of my server on which this API is hosted.

When I am trying to call this API from my application, django is raising an  exception as follows:

SSLError: hostname 'xx.xxx.xxx.xxx' doesn't match 'xxx.com'

But when I put the domain name in the request i.e. "xxx.com", it gives me proper result. Also when I put verify=False along with the request, my application gives me proper result even with IP addess in the request. However the very same API is returning proper result with both --- IP address and domain name.

This is how SSL/TLS works. The certificate is based on the domain name in the CN or SAN fields. It will never work with just an IP address and a valid publicity signed certificate. If your CA is signing certificates with IP's instead of or in addition to names, I would start a campaign to have them shut down.

My server has a CA signed certificate but the DNS have forward entry but doesnot have a PTR entry. I have also verified with digicert.com and found that when I am entering the domain name, it is giving proper IP address but when I am giving IP address, it is not able to resolve the domain name. 

This API was functioning working correctly with IP address when we had self signed certificate.

No, it didn't. That would indicate that you imported the self-signed CA certificate into your trusted CA store. It would also mean that the certificate was generated using the IP as the value of the CN or SAN. No SSL library does that without a lot of coaxing, if it's even possible anymore. 

Also I am using nginx-gunicorn to run my application.

Please help me with understanding why this is happening and what are the best possible solutions for this problem.

There is no problem to solve, you are just experiencing the joys of SSL, and there are many. ;-)

Just make it a point to use the name.

-James

[Rahul Paul]

Thanks James for your suggestion. So according to you, I must use the domain name and not the IP address anymore in my request. Thanks again.