When making a call to the backend server from the NodeJS code, we get a 500 Internal Server Error. When we checked the NodeJS logs, we saw the following error:
stdout svr.760 error = 500
stdout svr.760 error = Error: Hostname/IP doesn't match certificate's altnames
Can you please help to resolve this issue?
The "Error:Hostname/IP doesn't match certificate's altnames" could be caused by multiple reasons. In this specific case, I found the cause to be an SNI-enabled backend as follows:
1. When I ran the direct call to the specific backend server from the Message Processor, I got 200 successful response.
2. I ran the openssl command against the backend server with and without the servername options as follows:
openssl s_client -connect <backendserver>:443
openssl s_client -connect <backendserver>:443 -servername <backendserver>
3. Without the servername, the openssl failed with handshake failure. With the servername, I was able to get the server certificate information.
4. This showed that the backend server was SNI enabled.
5. By default, on the MPs, SNI property is disabled. So, we were seeing this issue.
6. Enabled the SNI property jsse.enableSNIExtension to true on the MP
jsse.enableSNIExtension=true
With this, we were able to get the API calls working through NodeJS code.
Could you explain how to enable SNI on MP step-by-step?
I cannot figure out where to set it up.
Here are the steps to enable SNI on Message Processor(s):
/opt/apigee/customer/application/message-processor.properties file (if it does not exist already).
conf_system_jsse.enableSNIExtension=true
chown apigee:apigee /opt/apigee/customer/application/message-processor.properties
/opt/apigee/apigee-service/bin/apigee-service message-processor restart
Oh, I see, this is for the private cloud version, right?
I'm using the SaaS version of Apigee and MP settings should be updated by Apigee support, right?
Yes, if you are using the SaaS version, then contact Apigee Support.