Java CertificateException "No subject alternative names matching IP address ... found"

Your certificate should include that IP value as a subject alternative name value (of type IPAddress : key=7).

http://web.archive.org/web/20160201235032/http://www.jroller.com/hasant/entry/no_subject_alternative_names_matching


The reason this fails is that the hostname of the target endpoint and the certificate common name (CN in the certificate Subject) do not match.

For example, from a JVM, when trying to connect to an IP address (WW.XX.YY.ZZ) and not the DNS name (https://stackoverflow.com), the HTTPS connection will fail because the certificate stored in the Java truststore cacerts expects the common name to match the target address.

To mitigate this, the HostnameVerifier needs to verify the connection despite the mismatch: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#HostnameVerifier

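    // Requires java.net.URL and javax.net.ssl.{HttpsURLConnection, HostnameVerifier, SSLSession}
    HttpsURLConnection urlConnection = (HttpsURLConnection) new URL("https://test.test/api").openConnection();
    // buildSocketFactory() is the poster's own helper (not shown) that returns an SSLSocketFactory
    urlConnection.setSSLSocketFactory(buildSocketFactory());
    urlConnection.setDoOutput(true);
    // HTTP method names are case-sensitive: "get" throws ProtocolException
    urlConnection.setRequestMethod("GET");
    urlConnection.setHostnameVerifier(new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession sslSession) {
            // Returns true for every hostname, so the name check is skipped on this connection
            return true;
        }
    });
    urlConnection.getOutputStream();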
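
A narrower alternative to a verifier that returns true for every host, as an added example that is not part of the answer above: it accepts only one pinned IP address, and only when the server's leaf certificate carries that address as an iPAddress SAN (type 7) or the expected DNS name as a dNSName SAN (type 2). The class name `PinnedIpVerifier` and both constructor arguments are assumptions made for illustration.

```java
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;

// Hypothetical usage: urlConnection.setHostnameVerifier(new PinnedIpVerifier("WW.XX.YY.ZZ", "stackoverflow.com"));
public final class PinnedIpVerifier implements HostnameVerifier {
    private static final int SAN_DNS_NAME = 2;   // GeneralName type dNSName
    private static final int SAN_IP_ADDRESS = 7; // GeneralName type iPAddress

    private final String allowedIp;   // assumption: the literal address used in the URL
    private final String expectedDns; // assumption: the name the certificate was issued for

    public PinnedIpVerifier(String allowedIp, String expectedDns) {
        this.allowedIp = allowedIp;
        this.expectedDns = expectedDns;
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        if (!allowedIp.equals(hostname)) {
            return false; // any host other than the pinned address stays rejected
        }
        try {
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
            return hasSan(sans, SAN_IP_ADDRESS, allowedIp)
                || hasSan(sans, SAN_DNS_NAME, expectedDns);
        } catch (Exception e) {
            return false; // no peer certificate or unparsable SAN extension: fail closed
        }
    }

    // Each SAN entry is a List of [Integer type, value]. Exact string match only:
    // wildcard dNSName entries and alternate IPv6 spellings are not handled.
    static boolean hasSan(Collection<List<?>> sans, int type, String wanted) {
        if (sans == null) {
            return false; // certificate has no subjectAltName extension
        }
        for (List<?> entry : sans) {
            if (entry.size() >= 2 && Integer.valueOf(type).equals(entry.get(0))
                    && wanted.equalsIgnoreCase(String.valueOf(entry.get(1)))) {
                return true;
            }
        }
        return false;
    }
}
```

The trust manager configured on the socket factory still validates the certificate chain during the handshake; this class replaces only the name check that produced the exception.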