Closed BJimmyraja closed 1 month ago
As per our documentation [1], the 'DefaultAndLocalhost' hostname verification option allows the hostnames `localhost`, `localhost.localdomain`, `127.0.0.1`, and `::1` to be treated as valid along with the SAN values in the SSL certificate. Moreover, if the SAN contains wildcards (`*`), it will also treat all subdomain levels as valid (i.e., `*.foo.bar` accepts `a.foo.bar` and `a.b.foo.bar`) – in contrast with 'Strict', which will only consider a single subdomain level per wildcard (i.e., `*.foo.bar` accepts `a.foo.bar` but not `a.b.foo.bar`).
We've followed the steps below to update the hostname and certificates:

`deployment.toml` file:

```toml
[server]
hostname = "sub1.sub2.testdomain.com"

[keystore.tls]
file_name = "newkeystore.jks"
type = "JKS"
password = "mypassword"
alias = "newcert"
key_password = "mypassword"
```
3. Mapped `sub1.sub2.testdomain.com` to `127.0.0.1` in the `/etc/hosts` file.
4. In the `repository/resources/security` directory, ran the below:
```sh
keytool -genkeypair -alias newcert -keyalg RSA -keysize 2048 -keystore newkeystore.jks -dname "CN=*.testdomain.com, OU=Test,O=Test,L=D1,S=State,C=US" -ext 'san=dns:*.testdomain.com,dns:testdomain.com' -ext 'keyUsage=digitalSignature,dataEncipherment' -storepass mypassword -keypass mypassword
keytool -exportcert -alias newcert -keystore newkeystore.jks -file newcert.cer -storepass mypassword
keytool -importcert -alias newcert -file newcert.cer -keystore wso2carbon.jks -storepass wso2carbon -noprompt
keytool -export -alias newcert -keystore newkeystore.jks -file pkn.pem
keytool -import -alias newcert -file pkn.pem -keystore client-truststore.jks -storepass wso2carbon
Modified the `repository/deployment/server/webapps/authenticationendpoint/includes/branding-preferences.jsp` file (around L641) to allow the exception to be thrown and appear in the carbon logs:

```java
} catch (BrandingPreferenceRetrievalClientException e) {
    throw e;
    // Exception is ignored and the variable will use the fallbacks.
    // TODO: Move the duplicated logic to a common place.
} finally {
```
`wso2carbon.log` file:

```
Caused by: org.wso2.carbon.identity.mgt.endpoint.util.client.BrandingPreferenceRetrievalClientException: Error while getting branding preference for tenant : carbon.super
at org.wso2.carbon.identity.mgt.endpoint.util.client.BrandingPreferenceRetrievalClient.getPreference(BrandingPreferenceRetrievalClient.java:126)
at org.apache.jsp.generic_002dexception_002dresponse_jsp._jspService(generic_002dexception_002dresponse_jsp.java:1086)
... 42 more
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <localhost> doesn't match any of the subject alternative names: [*.testdomain.com, testdomain.com]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at org.wso2.carbon.identity.mgt.endpoint.util.client.BrandingPreferenceRetrievalClient.getPreference(BrandingPreferenceRetrievalClient.java:108)
... 43 more
```
If you set the value of `server.internal_hostname` to the same as `server.hostname` (e.g., `sub1.sub2.testdomain.com`), you'd instead get the below error:

```
Caused by: org.wso2.carbon.identity.mgt.endpoint.util.client.BrandingPreferenceRetrievalClientException: Error while getting branding preference for tenant : carbon.super
at org.wso2.carbon.identity.mgt.endpoint.util.client.BrandingPreferenceRetrievalClient.getPreference(BrandingPreferenceRetrievalClient.java:126)
at org.apache.jsp.generic_002dexception_002dresponse_jsp._jspService(generic_002dexception_002dresponse_jsp.java:1086)
... 42 more
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <sub1.sub2.testdomain.com> doesn't match any of the subject alternative names: [*.testdomain.com, testdomain.com]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at org.wso2.carbon.identity.mgt.endpoint.util.client.BrandingPreferenceRetrievalClient.getPreference(BrandingPreferenceRetrievalClient.java:108)
... 43 more
```
I think we might need to address this through an update similar to [2].
[1] https://is.docs.wso2.com/en/latest/deploy/enable-hostname-verification/#:~:text=hostname%20verification%20options.-,DefaultAndLocalhost,-%3A%20This%20is
[2] https://github.com/wso2/carbon-identity-framework/pull/4262
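The two verification modes the comment above describes, modelled as an added example (not WSO2's or Apache HttpClient's own verifier code): `verify_hostname` applies the documented 'Strict' and 'DefaultAndLocalhost' rules, and `parse_verification_error` reads the hostname and SAN list back out of the `SSLPeerUnverifiedException` lines quoted above, so each rejected case can be checked against each mode. Only a leading `*.` wildcard is modelled; the mode names, log lines and SAN values are taken from the comment, and the function names are assumptions of this example.

```python
import re
from typing import List, Optional, Tuple

# Names the documented 'DefaultAndLocalhost' mode accepts besides the SAN values.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "127.0.0.1", "::1"}
MODES = ("Strict", "DefaultAndLocalhost")

def _san_matches(pattern: str, host: str, multi_level: bool) -> bool:
    """Match one SAN entry against host; only a leading '*.' wildcard is modelled."""
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                 # '*.foo.bar' -> '.foo.bar'
    if not host.endswith(suffix):
        return False
    covered = host[: -len(suffix)]       # the labels the wildcard has to stand for
    if not covered:
        return False                     # '*.foo.bar' never matches bare 'foo.bar'
    return multi_level or "." not in covered   # Strict: exactly one label

def verify_hostname(host: str, sans: List[str], mode: str) -> bool:
    """True if `host` is acceptable for a certificate carrying `sans` under `mode`."""
    if mode not in MODES:
        raise ValueError(f"unknown hostname verification mode: {mode}")
    host = host.lower().rstrip(".")
    relaxed = mode == "DefaultAndLocalhost"   # multi-level wildcards + local names
    if relaxed and host in LOCAL_NAMES:
        return True
    return any(_san_matches(san.lower(), host, relaxed) for san in sans)

# Message shape of the SSLPeerUnverifiedException lines in the log excerpts above.
_ERR = re.compile(r"Certificate for <([^>]+)> doesn't match any of the subject "
                  r"alternative names: \[([^\]]*)\]")

def parse_verification_error(line: str) -> Optional[Tuple[str, List[str]]]:
    """Pull (hostname, SAN list) out of a logged hostname verification failure."""
    m = _ERR.search(line)
    if not m:
        return None
    return m.group(1), [s.strip() for s in m.group(2).split(",") if s.strip()]

# The two rejections copied from the wso2carbon.log excerpts in the comment above.
LOG_LINES = [
    "Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <localhost> doesn't match any of the subject alternative names: [*.testdomain.com, testdomain.com]",
    "Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <sub1.sub2.testdomain.com> doesn't match any of the subject alternative names: [*.testdomain.com, testdomain.com]",
]

if __name__ == "__main__":
    for line in LOG_LINES:
        host, sans = parse_verification_error(line)
        print(host, {m: verify_hostname(host, sans, m) for m in MODES})
```

Both logged rejections are consistent with single-level (Strict-style) matching: `sub1.sub2.testdomain.com` needs the wildcard to span two labels, and `localhost` is only accepted through the DefaultAndLocalhost allow-list.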
Describe the issue: I have created the new keystore and added my SSL certificate and changed the value for the primary and TLS keystore in the deployment file. After adding the key, the TLS and certificate are successfully reflecting, but changing the UI branding doesn't. If I revert the process and keep the default keystore parameter, it's getting all the UI branding changes. Even if I configure the nginx reverse proxy, it is routing the unsecured browser and the certificate doesn't reflect.
How to reproduce: I followed the keytool commands to create the new keystore and import the SSL certificate generated by a CA authority (ZeroSSL).
Expected behavior: Same, but in the myaccount application all the changes get effect except the /console page/portal of WSO2 IS.
Environment information: