Could not extract DNS names from the first key's certificate


Rupesh Kumar

Feb 3, 2016, 2:12:20 PM
to membrane-monitor
Hello,

I am trying to create a serviceProxy which terminates SSL requests and redirects to a local service.

However, I am getting the following error on starting Membrane:

Could not extract DNS names from the first key's certificate in keystore.jks

Here is an extract from my proxies.xml:

<serviceProxy port="443">
    <ssl>
        <keystore location="keystore.jks" password="changeit" />
        <truststore location="keystore.jks" password="changeit" />
    </ssl>
    <wsdlRewriter protocol="https" />
    <target host="localhost" port="8095" />
</serviceProxy>

I see that the certificate is being recognised with debug on:

Subject: CN=ddddd, OU=Domain Control Validated
  Issuer:  CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
  Algorithm: RSA; Serial number: dddd
  Valid from ...

Any pointers?

Best,
Rupesh

Rupesh Kumar

Feb 4, 2016, 1:51:15 PM
to membrane-monitor
When I extracted the code for getDNSNames from SSLContext and ran it as a standalone program, the program was able to read the dnsName from the original certificate.

So something is not right with my setup? Any pointers would be appreciated.

Best,
Rupesh

Tobias Polley

Feb 5, 2016, 11:05:24 AM
to membrane-monitor
Hi Rupesh,

your issue could have several causes. The first that come to mind are:
  • Does your keystore contain more than one key? This is not supported. You can check this by running "keytool.exe -list -keystore keystore.jks" and counting the "PrivateKeyEntry"s in the output.
  • The certificate you are using does not have a SubjectAlternativeName set. You can check this by running "keytool.exe -list -keystore keystore.jks -v", which may or may not include a section "#8: ObjectId: 2.5.29.17 Criticality=false SubjectAlternativeName" listing your domain names. If it does not, please give us feedback: this is a case currently not implemented in the Membrane Service Proxy source code.
  • Your keystore contains your key with a self-signed certificate attached (which is autogenerated when you generate the key using keytool) and also contains a second entry with your official certificate. The problem here is that they are not the same keystore entry. You basically have to get rid of the self-signed cert. My advice would be to use a keystore which contains only one (!) entry at all. This entry should be a PrivateKeyEntry containing your key and official certificate. (If you have problems creating such a keystore, I would suggest trying this with a GUI for editing keystores, but I forgot its name.)
  • Somehow you are using the wrong keystore.jks. What the snippet from proxies.xml you pasted is supposed to do is to read "keystore.jks" from the same directory "proxies.xml" is located in.
Best, Tobias
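
The checks Tobias lists above, as an added example that is not part of this thread and not Membrane's own code: a POSIX shell script that parses the output of "keytool -list -v" for the number of aliases, the number of PrivateKeyEntry entries and the presence of the SubjectAlternativeName extension on the private key's certificate, followed by a command-line alternative to the Keystore Explorer GUI for building a keystore that holds exactly one PrivateKeyEntry (key plus CA-issued chain). The three listings embedded in the script are constructed, not captured from a real keystore; the PEM file names, the alias "membrane" and the password "changeit" are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Membrane): apply the keystore checks
# from the post above to `keytool -list -v` output. All listings below are
# constructed samples, not output from a real keystore.

# Classify a keystore listing passed as $1. Result on stdout:
#   empty             no entries at all
#   multiple-entries  more than one alias (e.g. self-signed key + separate CA cert)
#   no-private-key    one alias, but it is not a PrivateKeyEntry
#   no-san            one PrivateKeyEntry, but no SubjectAlternativeName in its chain
#   ok                one PrivateKeyEntry whose chain carries a SubjectAlternativeName
# The SAN test is a heuristic: it accepts the extension anywhere in the
# PrivateKeyEntry's certificate chain, not only in the leaf certificate.
keystore_check() {
  printf '%s\n' "$1" | awk '
    /^Alias name:/           { entries++; type = "" }
    /^Entry type:/           { type = $3; if (type == "PrivateKeyEntry") pk++ }
    /SubjectAlternativeName/ { if (type == "PrivateKeyEntry") san = 1 }
    END {
      if (entries == 0)      print "empty"
      else if (entries > 1)  print "multiple-entries"
      else if (pk != 1)      print "no-private-key"
      else if (!san)         print "no-san"
      else                   print "ok"
    }'
}

# Constructed listing for the third point above: the key still carries the
# self-signed certificate keytool generated, and the CA-issued certificate
# sits in a second, separate entry.
SAMPLE_SPLIT=$(cat <<'EOF'
Keystore type: JKS
Your keystore contains 2 entries

Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=ddddd, OU=Domain Control Validated
Issuer: CN=ddddd, OU=Domain Control Validated

Alias name: godaddy
Entry type: trustedCertEntry
Owner: CN=ddddd, OU=Domain Control Validated
Issuer: CN=Go Daddy Secure Certificate Authority - G2, O="GoDaddy.com, Inc."
Extensions:
#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: ddddd
]
EOF
)

# Constructed listing for the second point: one PrivateKeyEntry, no SAN.
SAMPLE_NO_SAN=$(cat <<'EOF'
Alias name: membrane
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=ddddd, OU=Domain Control Validated
EOF
)

# Constructed listing of the layout Membrane expects: exactly one
# PrivateKeyEntry, CA-issued chain, SAN present.
SAMPLE_OK=$(cat <<'EOF'
Alias name: membrane
Entry type: PrivateKeyEntry
Certificate chain length: 2
Owner: CN=ddddd, OU=Domain Control Validated
Issuer: CN=Go Daddy Secure Certificate Authority - G2, O="GoDaddy.com, Inc."
#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: ddddd
]
EOF
)

# Build a keystore with a single PrivateKeyEntry (key + CA-issued chain) from
# PEM files. This is a command-line alternative to the Keystore Explorer GUI
# used later in the thread; file names, the alias "membrane" and the password
# are assumptions. Not called by the demo below because it needs real files.
build_single_entry_keystore() {
  key=$1 cert=$2 chain=$3 out=$4 pass=$5
  openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
      -name membrane -out "${out%.jks}.p12" -passout "pass:$pass" &&
  keytool -importkeystore -srckeystore "${out%.jks}.p12" -srcstoretype PKCS12 \
      -srcstorepass "$pass" -destkeystore "$out" -deststoretype JKS \
      -deststorepass "$pass" -destkeypass "$pass"
}

printf 'split:  %s\n' "$(keystore_check "$SAMPLE_SPLIT")"
printf 'no-san: %s\n' "$(keystore_check "$SAMPLE_NO_SAN")"
printf 'ok:     %s\n' "$(keystore_check "$SAMPLE_OK")"
# Against a real keystore:
#   keystore_check "$(keytool -list -v -keystore keystore.jks -storepass changeit)"
```

Run the script as-is to see the three verdicts; for a real keystore, feed the output of "keytool -list -v -keystore keystore.jks" to keystore_check. If the verdict is multiple-entries, build_single_entry_keystore shows the usual repair: export key and CA-issued chain into one PKCS12 entry with openssl, then import that single entry into a fresh JKS with keytool -importkeystore, so the self-signed certificate never enters the new keystore.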

Rupesh Kumar

Feb 5, 2016, 2:07:53 PM
to membrane-monitor
Thanks Tobias. The issue was indeed related to point 3 mentioned by you. I was able to use the Keystore Explorer GUI to create a compatible keystore.

Best,
Rupesh