We ran into a problem on my most recent project with a weird error popping up when installing a wildcard SSL cert into an Apache webserver. We had previously been using a self-signed cert and the Java clients attempting to connect to this site had the old self-signed cert installed into their keystores. Once the new cert was installed, however, we started seeing an issue for all the Java clients attempting to connect to the site:

javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name

Crucially, no other clients were having trouble connecting to this site, including web browsers, curl, chef, etc. This, and a bit of googling, quickly sent us down the wrong path: we believed the issue was that Java wouldn't recognize the wildcard cert for whatever reason. So for a long while we just disabled SNI in our Java clients with the following JVM option and left it at that:

-Djsse.enableSNIExtension=false

The truth is, this is totally unnecessary. This problem arises from a really simple misconfiguration, and it's just as easily resolved. In our case, the Apache configuration had been updated to point at the new cert, but the ServerName attribute of the VirtualHost configuration hadn't changed: it still referred to the machine by its old hostname. Most clients don't care about this; as long as the site is reachable via the correct domain (e.g. https://sub.domain.com), they will validate the certificate. Java, however, is stricter and requires that the ServerName reported by the webserver also match the certificate's valid domain. The name of the JVM option above gives away the mechanism: Java sends the hostname it is connecting to in the TLS Server Name Indication (SNI) extension, Apache answers with an unrecognized_name warning alert when that hostname matches none of its VirtualHosts' ServerName or ServerAlias entries, and Java treats that warning as fatal where other clients simply ignore it.

This problem is a bit tough to Google for, since if you search for wildcard certs and Java, you won’t find your way to this simple fix. You’ll be told to just turn off SSL validation, which effectively just ignores the problem. The real fix is even simpler and hopefully this post makes it easier to find for anyone else who runs into the same issue.

tl;dr: Check your Apache VirtualHost configuration: you likely have the ServerName misconfigured and only Java cares.
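To make the mismatch concrete, here is an added example (not code from the original post) that models the two checks a client effectively performs against such a server: whether the certificate covers the requested hostname, and whether any VirtualHost's ServerName or ServerAlias accepts that hostname as an SNI name. The two VirtualHost snippets and the certificate name list are constructed for the example; the "before" snippet reproduces the misconfiguration described above, the "after" snippet is the fix.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample configs: the misconfigured vhost from the post (certificate
# swapped, ServerName still the old hostname) and the corrected one.
VHOST_BEFORE = """
<VirtualHost *:443>
    ServerName old-box.internal.example
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/wildcard.domain.com.crt
</VirtualHost>
"""

VHOST_AFTER = """
<VirtualHost *:443>
    ServerName sub.domain.com
    ServerAlias *.domain.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/wildcard.domain.com.crt
</VirtualHost>
"""

# Names the wildcard certificate is valid for (assumed for the example; a real
# check would read them from the certificate's Subject Alternative Name extension).
CERT_NAMES = ["*.domain.com"]

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(config_text):
    """Return [(server_name, [aliases...]), ...] for each <VirtualHost> block."""
    vhosts = []
    for body in VHOST_RE.findall(config_text):
        name, aliases = None, []
        for line in body.splitlines():
            parts = line.strip().split()
            if not parts:
                continue
            key = parts[0].lower()
            if key == "servername" and len(parts) > 1:
                # Apache also accepts "ServerName https://host:443"; keep only the host.
                name = re.sub(r"^\w+://", "", parts[1]).split(":")[0].lower()
            elif key == "serveralias":
                aliases.extend(p.lower() for p in parts[1:])
        vhosts.append((name, aliases))
    return vhosts


def cert_name_matches(pattern, hostname):
    """RFC 6125 style: '*' only as the leftmost label, matching exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def vhost_accepts_sni(vhost, hostname):
    """Apache matches ServerName exactly; ServerAlias may use shell-style * and ?."""
    name, aliases = vhost
    hostname = hostname.lower()
    if name == hostname:
        return True
    return any(fnmatchcase(hostname, alias) for alias in aliases)


def diagnose(config_text, requested_host, cert_names):
    """Combine the certificate check with the SNI/VirtualHost check."""
    cert_ok = any(cert_name_matches(n, requested_host) for n in cert_names)
    sni_ok = any(vhost_accepts_sni(v, requested_host) for v in parse_vhosts(config_text))
    if cert_ok and not sni_ok:
        # The post's situation: browsers and curl are happy, Java fails the handshake.
        verdict = "unrecognized_name: cert valid, but no ServerName/ServerAlias matches the SNI host"
    elif not cert_ok:
        verdict = "certificate does not cover the requested host"
    else:
        verdict = "ok"
    return {"cert_ok": cert_ok, "sni_ok": sni_ok, "verdict": verdict}


if __name__ == "__main__":
    for label, cfg in (("before", VHOST_BEFORE), ("after", VHOST_AFTER)):
        print(label, diagnose(cfg, "sub.domain.com", CERT_NAMES))
```

Running it prints cert_ok True but sni_ok False for the "before" config and "ok" for the "after" config, which is exactly the split the post describes: the certificate itself was fine, only the VirtualHost name was wrong. Against a live server the same condition can be observed with `openssl s_client -connect host:443 -servername sub.domain.com`, which reports the unrecognized_name warning alert that Java turns into a fatal handshake error.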
