I/O Exception: Name in certificate does not match host name


hofar...@houseoffusion.com

Apr 8, 2015, 5:23:29 AM
to ColdFusion Technical Talk

Hi Guys,

Some time ago I posted a question about an error we were getting with MX7.1

http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:353955

I have a similar problem, but I believe the client is using a wildcard certificate, so I get the error:

I/O Exception: Name in certificate `*.domain.net' does not match host name `prerelease-api.anotherdomain.com'

The difference this time is the '*.domain.net'; previously it was for a determined subdomain, so an addition to the host file resolved it.

I've tried a number of things with the host file, but as it's a wildcard I don't see what I would add to the hosts, as any number of subdomains on domain.net could resolve to a number of IPs.

Any ideas?

Regards,

Ian.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360425

hofar...@houseoffusion.com

Apr 8, 2015, 8:55:58 AM
to ColdFusion Technical Talk

I think you'll need to update the hosts file so that:

prerelease-api.anotherdomain.com

...points to the right IP and then refer to:

prerelease-api.anotherdomain.com

...in your code. That should make everything "line up."

On Wed, Apr 8, 2015 at 5:23 AM, Ian Chapman <ian.c...@melodimedia.co.uk>
wrote:
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360426

hofar...@houseoffusion.com

Apr 8, 2015, 9:04:47 AM
to ColdFusion Technical Talk

Think what you might need is to add the SSL certificate to the java cacerts
file as a trusted certificate. Then any sub-name for the domain will work.

https://helpx.adobe.com/coldfusion/kb/import-certificates-certificate-stores-coldfusion.html

This is a nice plugin for the CF Administrator to manage the cacerts, as
opposed to messing with the command line.

http://certman.riaforge.org/

~Byron



On Wed, Apr 8, 2015 at 5:23 AM, Ian Chapman <ian.c...@melodimedia.co.uk>
wrote:

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360427

hofar...@houseoffusion.com

Apr 8, 2015, 10:02:35 AM
to ColdFusion Technical Talk

> I think you'll need to update the hosts file so that:
>
> prerelease-api.anotherdomain.com
>
> ...points to the right IP and then refer to:
>
> prerelease-api.anotherdomain.com
>
> ...in your code. That should make everything "line up."

I think this is nearly right, except that you'll need to find the IP
address for prerelease-api.anotherdomain.com and create a hosts entry
for prerelease-api.domain.com that points to this IP address.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Service-Disabled Veteran-Owned Small Business
(SDVOSB) on GSA Schedule, and provides the highest caliber vendor-
authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360428

hofar...@houseoffusion.com

Apr 8, 2015, 10:53:24 AM
to ColdFusion Technical Talk

hofar...@houseoffusion.com

Apr 8, 2015, 2:12:48 PM
to ColdFusion Technical Talk

I've tried it that way but no dice, let me show you what I have tried:

1) Exported the cert and imported into the Truststore (this should not have
been needed as it is a Thawte issued certificate which is already in the
truststore and lack of record in the truststore causes a different IO
error). This caused no change.


2) The live API is api.domain2.com; initially this gave the error:

(note: real domain names replaced with "domain1" and "domain2")

I/O Exception: Name in certificate `api.domain1.net' does not match host
name `api.domain2.com'

So I added to the hosts:

xx.xxx.xxx.xxx api.domain1.net

where xx.xxx.xxx.xxx is the resolving IP address of api.domain2.com

restarted CF and called api.domain1.net in my CFHTTP request and this works
and I can connect to the live API when the time comes.


3) The dev API is (real domain names replaced with "domain1" and "domain2")
prerelease-api.domain2.com; initially this gave the error:

I/O Exception: Name in certificate `*.domain1.net' does not match host name
`prelease-api.domain2.com'

I tried adding to the hosts:

xx.xxx.xxx.xxx prelease-api.domain1.net

where xx.xxx.xxx.xxx is the resolving IP address of prelease-api.domain2.com

restarted CF and called prelease-api.domain1.net in my CFHTTP request and I
get a 404 error, so I no longer get the IO error but I'm not hitting the
correct server/application
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360430

hofar...@houseoffusion.com

Apr 8, 2015, 5:47:00 PM
to ColdFusion Technical Talk

> 3) The dev API is (real domain names replaced with "domain1" and domain2)
> prerelease-api.domain2.com initially this gave the error:
>
> I/O Exception: Name in certificate `*.domain1.net' does not match host name
> `prelease-api.domain2.com'
>
> I tried adding to the hosts:
>
> xx.xxx.xxx.xxx prelease-api.domain1.net
>
> where xx.xxx.xxx.xxx is the resolving IP address of prelease-api.domain2.com
>
> restarted CF and called prelease-api.domain1.net in my CFHTTP request and I
> get a 404 error, so I no longer get the IO error but I'm not hitting the
> correct server/application

It's possible they're looking for host headers to figure out how to
resolve requests. You might be able to specify the host header
separately within your CFHTTP request, but I've never tried it to be
honest.

Dave Watts, CTO, Fig Leaf Software
1-202-527-9569
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Service-Disabled Veteran-Owned Small Business
(SDVOSB) on GSA Schedule, and provides the highest caliber vendor-
authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360431

hofar...@houseoffusion.com

Apr 9, 2015, 3:53:53 AM
to ColdFusion Technical Talk

Ok thanks Dave I'll look into that idea.
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360438

hofar...@houseoffusion.com

Apr 10, 2015, 9:39:37 AM
to ColdFusion Technical Talk

Ok we've worked out the issue to this. It is caused by SNI certificates
which the current JVM does not support. Even the latest default install of Railo
on Tomcat does not support this.

It seems we need to be running a JVM 1.7 or higher to support SNI which
MX7.1 will never support.

Anybody using an IIS7 + Tomcat + Railo stack running 1.7 or above?

Any advice on that setup and any issues would be appreciated.


-----Original Message-----
From: Dave Watts [mailto:dwa...@figleaf.com]
Sent: 08 April 2015 22:47
To: cf-talk
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:360440
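
The three outcomes reported in this thread (name mismatch, a 404 after the hosts-file alias, and success once the client sends SNI) can be reproduced with a small offline model. This is an added example, not code from any poster; the server layout (a default `*.domain1.net` certificate plus an SNI-selected certificate and a single virtual host for `prerelease-api.domain2.com`) is an assumption built from the placeholder names used above.

```python
# Added example: offline model of SNI-based certificate selection.
# All hostnames and the server layout below are constructed for illustration.

def name_matches(pattern, host):
    """RFC 6125-style check: '*' may stand for the whole left-most label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

class SharedHost:
    """One IP address serving several TLS sites (assumed layout)."""
    default_cert = ["*.domain1.net"]              # sent when no SNI arrives
    sni_certs = {"prerelease-api.domain2.com": ["prerelease-api.domain2.com"]}
    vhosts = {"prerelease-api.domain2.com": 200}  # Host header -> HTTP status

    def handshake(self, sni):
        # Unknown or absent SNI falls back to the default certificate.
        return self.sni_certs.get(sni, self.default_cert)

    def respond(self, host_header):
        return self.vhosts.get(host_header, 404)

def request(server, url_host, client_sends_sni):
    """Return what the client observes: an HTTP status or the I/O error text."""
    cert_names = server.handshake(url_host if client_sends_sni else None)
    if not any(name_matches(n, url_host) for n in cert_names):
        return "Name in certificate `%s' does not match host name `%s'" % (
            cert_names[0], url_host)
    return server.respond(url_host)   # Host header follows the URL host

if __name__ == "__main__":
    s = SharedHost()
    # Client without SNI, real name: default wildcard cert comes back, mismatch.
    print(request(s, "prerelease-api.domain2.com", client_sends_sni=False))
    # Hosts-file alias: the name check passes, but the vhost lookup misses.
    print(request(s, "prerelease-api.domain1.net", client_sends_sni=False))
    # SNI-capable client, real name: correct certificate and application.
    print(request(s, "prerelease-api.domain2.com", client_sends_sni=True))
```

The hosts-file alias only changes which name the client verifies against the default certificate; it does not change which certificate or application the server selects.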

hofar...@houseoffusion.com

Apr 10, 2015, 9:40:26 AM
to ColdFusion Technical Talk