Spring Boot App, Spring Cloud Services for VMware Tanzu Instance, or Spring Cloud Data Flow for VMware Tanzu throws error 'Certificate for <internal-domain> doesn't match any of the subject alternative names'
Article ID: 297210
Updated On:
Products
Support Only for Spring
Issue/Introduction
This issue can affect the following products when used with an internal or private domain which does not have a valid publix suffix, such as
Although the error refers to a certificate issue, it is caused by the internal domain suffix as mentioned above. This can be confirmed by comparing the address in the error to the valid domains also listed in the error message - there should be a match, indicating the error is misleading.
This certificate error affects these products in the following way:
Spring Boot Apps
my-company.intra or my-company.local:- Spring Boot apps
- Spring Cloud Services (SCS) for VMware Tanzu service instances
- Spring Cloud Data Flow (SCDF) for VMware Tanzu shell
Apache HttpClient (made in v4.5.9). This change causes HTTPS requests made to non-valid public-suffix domains to fail with the following error:
Certificate for <xyz.my-company.local> doesn't match any of the subject alternative names: [list-of-valid-domains-for-cert]
Although the error refers to a certificate issue, it is caused by the internal domain suffix as mentioned above. This can be confirmed by comparing the address in the error to the valid domains also listed in the error message - there should be a match, indicating the error is misleading.
This certificate error affects these products in the following way:
Spring Boot Apps
- Requests made via a
RestTemplatefor example to a https:// internal address will fail. The error will be thrown in the application log.
- When clicking the '
Manage' button for a service instance in Apps Manager, the error will be thrown in the SI backing application and on the browser page.
- When issuing commands from the dataflow shell, such as '
stream list', the error will be thrown in the shell.
Environment
Product Version: Other
Resolution
A change was made to the next Apache HttpClient version (v4.5.10), which better handles non-valid public suffixes.
This dependency version was included in the following product versions:
Apache HttpClient:
This dependency version was included in the following product versions:
- Spring Boot 2.1.9+
- SCS Tile 3.1.3+
- Spring Cloud Data Flow for VMware Tanzu Tile 1.6.3+ (OSS v2.2.2)
Additional Info
Apache HttpClient:- Jira issue: https://issues.apache.org/jira/browse/HTTPCLIENT-1997
- Release notes: https://www.apache.org/dist/httpcomponents/httpclient/RELEASE_NOTES-4.5.x.txt
Feedback
Yes
No
Powered by
