lightningj-org/lightningj

Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address x.x.x.x:10009 found

Closed this issue · 9 comments

Subject of the issue

Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 18.179.20.192 found

Your environment

  • 0.52-Beta
  • java version "1.8.0_171"
  • Mac OS

Steps to reproduce

SynchronousLndAPI api = new SynchronousLndAPI("ipaddress", 10009, new File("/Users/.../Desktop/lnd/tls.cert"), new File("/Users/.../Desktop/lnd/admin.macaroon"));
GetInfoResponse info = api.getInfo();

Actual behaviour

18:47:33.001 [grpc-default-worker-ELG-1-2] DEBUG io.netty.channel.AbstractChannelHandlerContext - An exception java.lang.NoSuchMethodError: io.grpc.netty.AbstractNettyHandler.onError(Lio/netty/channel/ChannelHandlerContext;Ljava/lang/Throwable;)V
	at io.grpc.netty.AbstractNettyHandler.exceptionCaught(AbstractNettyHandler.java:83)
	at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:285)
	at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:264)
	at io.netty.channel.AbstractChannelHandlerContext.fireExceptionCaught(AbstractChannelHandlerContext.java:256)
	at io.netty.handler.ssl.SslHandler.exceptionCaught(SslHandler.java:1070)
	at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:285)
	at io.netty.channel.AbstractChannelHandlerContext.notifyHandlerException(AbstractChannelHandlerContext.java:856)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:364)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:648)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:583)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:500)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:462)
	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:897)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.lang.Thread.run(Thread.java:748)
was thrown by a user handler's exceptionCaught() method while handling the following exception:
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:648)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:583)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:500)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:462)
	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:897)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
	at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:665)
	at io.netty.internal.tcnative.SSL.readFromSSL(Native Method)
	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:565)
	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1114)
	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1226)
	at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1269)
	at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:216)
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1297)
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1199)
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1243)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441)
	... 16 common frames omitted
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 18.179.20.192 found
	at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:168)
	at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
	at io.netty.handler.ssl.OpenSslTlsv13X509ExtendedTrustManager.checkServerTrusted(OpenSslTlsv13X509ExtendedTrustManager.java:239)
	at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:242)
	at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:661)
	... 27 common frames omitted

Hi

I think you have to regenerate your TLS certificate with an extra IP option. I think by default only localhost is added to the TLS certificate when starting up LND. To regenerate it, removing the existing certificate and restarting LND with the --externalip option is usually enough.

--externalip= Add an ip:port to the list of local addresses we claim to listen on to peers. If a port is not specified, the default (9735) will be used regardless of other parameters

It is possible to check the IP addresses added to the TLS certificate with the command:

openssl x509 -in tls.cert -noout -text

@herrvendil
Thank you for your answer.
I think the problem I encountered may not be very clear.

  1. I deployed the Lightning network on the server at 18.179.20.192.
  2. I wrote the test code on a different machine.
  3. This is my lnd.conf
# LND Mainnet: lnd configuration
# /root/.lnd/lnd.conf

[Application Options]
datadir=/disk2/lnd/datadir/data
logdir=/disk2/lnd/datadir/logs
adminmacaroonpath=/disk2/lnd/datadir/data/chain/bitcoin/mainnet/admin.macaroon

debuglevel=info
debughtlc=false
maxpendingchannels=20
alias=GAME
color=#68F442
rpclisten=0.0.0.0:10009
externalip=18.179.20.192

[Bitcoin]
bitcoin.active=1

# enable either testnet or mainnet
#bitcoin.testnet=1
bitcoin.mainnet=1
bitcoin.node=bitcoind

[autopilot]
#autopilot.active=0
#autopilot.maxchannels=5
#autopilot.allocation=0.1

I don't know where it is wrong.

Can you parse the LND tls certificate with openssl and paste the result here, just to check that the extra IP address has been added to the certificate correctly?

@herrvendil

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4d:a1:04:9d:e9:e8:f9:72:4f:6e:e4:9b:64:99:bc:fd
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: O = lnd autogenerated cert, CN = ip-172-31-20-14
        Validity
            Not Before: Feb 25 02:54:57 2019 GMT
            Not After : Apr 21 02:54:57 2020 GMT
        Subject: O = lnd autogenerated cert, CN = ip-172-31-20-14
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:1a:23:ac:c4:5c:cc:51:a4:04:5a:84:ff:b9:6e:
                    92:88:09:07:9f:c9:41:a4:3b:0a:da:0b:13:a5:07:
                    17:96:10:fc:95:d6:3f:98:23:14:94:64:e5:b8:79:
                    e7:4b:3c:01:25:e3:61:7a:0f:5b:d2:12:26:01:7e:
                    e4:87:21:16:97
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Alternative Name: 
                DNS:ip-172-31-20-14, DNS:localhost, DNS:unix, DNS:unixpacket, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:172.31.20.14, IP Address:FE80:0:0:0:4F5:B0FF:FE85:2D7A, IP Address:113.251.21.83
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:20:44:e6:d0:4b:09:cd:44:f4:bd:16:c8:b2:32:e0:
         bb:75:ef:c8:4e:72:38:0b:20:07:ae:cd:1a:9e:c5:f9:47:4e:
         02:21:00:d4:41:f3:b0:44:19:c1:fe:6f:4d:62:2b:ff:8e:45:
         d2:f2:d4:30:5e:4f:5b:8d:f7:93:5c:28:8c:72:fb:db:f5

113.251.21.83 is the machine IP address of my test.

I just deployed my test code on the node server. It works fine. So I can be sure that the problem is indeed on the tls.cert.

Good that you got it working!

@herrvendil

If you connect to the lnd server remotely, this problem still exists.

Have you regenerated the tls.cert, is 18.179.20.192 included in the list of X509v3 Subject Alternative Names, and do you still have this problem?

@herrvendil
This problem has been solved.

  1. Modified the lnd.conf file
    add: tlsextradomain=test.com
  2. Modify the test machine's /etc/hosts
    add: x.x.x.x test.com
    x.x.x.x is lnd server IP

Thank you for your answer.
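Added check script (my own code, not part of this thread, lightningj or lnd): it takes the SAN value from the openssl output quoted above and applies the same rule the JDK HostnameChecker in the stack trace uses, namely that an IP literal is compared only against "IP Address" SAN entries, never against DNS entries or the CN, while a hostname is compared only against DNS entries. That is why 18.179.20.192 was rejected and why the tlsextradomain plus /etc/hosts fix passes. Function names are my own; SAN_LINE is copied from the certificate dump in this thread.

```python
import ipaddress

# SAN value copied from the openssl output quoted earlier in this thread
SAN_LINE = ("DNS:ip-172-31-20-14, DNS:localhost, DNS:unix, DNS:unixpacket, "
            "IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, "
            "IP Address:172.31.20.14, IP Address:FE80:0:0:0:4F5:B0FF:FE85:2D7A, "
            "IP Address:113.251.21.83")

def extract_san_line(openssl_text):
    """Value line after 'X509v3 Subject Alternative Name' in
    `openssl x509 -in tls.cert -noout -text` output, or '' if absent."""
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if "X509v3 Subject Alternative Name" in line:
            return lines[i + 1].strip()
    return ""

def parse_san(san_line):
    """Split the SAN value into (dns_names, ip_addresses); IPs go through
    ipaddress so that 0:0:0:0:0:0:0:1 and ::1 compare equal."""
    dns, ips = [], []
    for entry in (e.strip() for e in san_line.split(",") if e.strip()):
        kind, _, value = entry.partition(":")
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips

def dns_matches(pattern, host):
    """RFC 6125 style: case-insensitive; '*' only as the whole leftmost
    label, matching exactly one label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".example.com"
    head = host[:-len(suffix)] if host.endswith(suffix) else ""
    return head != "" and "." not in head

def san_covers(san_line, target):
    """Same decision the JDK HostnameChecker made in the stack trace: an IP
    literal is checked only against IP SANs (never DNS SANs or the CN), a
    hostname only against DNS SANs."""
    dns, ips = parse_san(san_line)
    try:
        return ipaddress.ip_address(target) in ips
    except ValueError:                        # not an IP literal: hostname
        return any(dns_matches(p, target) for p in dns)
```

Feed it the output of `openssl x509 -in tls.cert -noout -text` via extract_san_line and the host or IP your client connects to; lnd also has a tlsextraip option for the case where you want to keep connecting by IP rather than by a name mapped in /etc/hosts.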