Getting the Error: Hostname/IP doesn't match certificate's altnames from NodeJS

When making a call to the backend server from the NodeJS code, we get a 500 Internal Server Error. When we checked the NodeJS logs, we saw the following error:

stdout	svr.760	error = 500
stdout  svr.760	error = Error: Hostname/IP doesn't match certificate's altnames

Can you please help to resolve this issue?

ACCEPTED SOLUTION

The "Error: Hostname/IP doesn't match certificate's altnames" error could be caused by multiple reasons. In this specific case, I found the cause to be an SNI-enabled backend, as follows:

1. When I ran the direct call to the specific backend server from the Message Processor, I got a 200 successful response.

2. I ran the openssl command against the backend server with and without the servername options as follows:

openssl s_client -connect <backendserver>:443
openssl s_client -connect <backendserver>:443 -servername <backendserver>

3. Without the servername, openssl failed with a handshake failure. With the servername, I was able to get the server certificate information.

4. This showed that the backend server was SNI enabled.

5. By default, on the MPs, the SNI property is disabled. So, we were seeing this issue.

6. Set the SNI property jsse.enableSNIExtension to true on the MP:

jsse.enableSNIExtension=true

With this, we were able to get the API calls working through NodeJS code.


Could you explain how to enable SNI on MP step-by-step?

I cannot figure out where to set it up.

@Sergei Smolnikov

Here are the steps to enable SNI on Message Processor(s):

  1. Create the /opt/apigee/customer/application/message-processor.properties file (if it does not exist already).
  2. Add the following line into this file:
    conf_system_jsse.enableSNIExtension=true
  3. Change the owner of this file to apigee:apigee.
    chown apigee:apigee /opt/apigee/customer/application/message-processor.properties
  4. Restart the Message Processor.
    /opt/apigee/apigee-service/bin/apigee-service message-processor restart
  5. If you have more than one Message Processor, repeat steps #1 through #4 on all the Message Processors.

Oh, I see, this is for the private cloud version, right?

I'm using the SaaS version of Apigee, and MP settings should be updated by Apigee support, right?

@Sergei Smolnikov,

Yes, if you are using the SaaS version, then contact Apigee Support.