Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address x.x.x.x:10009 found
Closed this issue · 9 comments
Subject of the issue
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 18.179.20.192 found
Your environment
- 0.52-Beta
- java version "1.8.0_171"
- Mac OS
Steps to reproduce
SynchronousLndAPI api = new SynchronousLndAPI("ipaddress", 10009, new File("/Users/.../Desktop/lnd/tls.cert"), new File("/Users/.../Desktop/lnd/admin.macaroon"));
GetInfoResponse info = api.getInfo();
Actual behaviour
18:47:33.001 [grpc-default-worker-ELG-1-2] DEBUG io.netty.channel.AbstractChannelHandlerContext - An exception java.lang.NoSuchMethodError: io.grpc.netty.AbstractNettyHandler.onError(Lio/netty/channel/ChannelHandlerContext;Ljava/lang/Throwable;)V
at io.grpc.netty.AbstractNettyHandler.exceptionCaught(AbstractNettyHandler.java:83)
at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:285)
at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:264)
at io.netty.channel.AbstractChannelHandlerContext.fireExceptionCaught(AbstractChannelHandlerContext.java:256)
at io.netty.handler.ssl.SslHandler.exceptionCaught(SslHandler.java:1070)
at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:285)
at io.netty.channel.AbstractChannelHandlerContext.notifyHandlerException(AbstractChannelHandlerContext.java:856)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:364)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:648)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:583)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:500)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:462)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:897)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.lang.Thread.run(Thread.java:748)
was thrown by a user handler's exceptionCaught() method while handling the following exception:
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:648)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:583)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:500)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:462)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:897)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:665)
at io.netty.internal.tcnative.SSL.readFromSSL(Native Method)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:565)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1114)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1226)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1269)
at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:216)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1297)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1199)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1243)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441)
... 16 common frames omitted
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 18.179.20.192 found
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:168)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at io.netty.handler.ssl.OpenSslTlsv13X509ExtendedTrustManager.checkServerTrusted(OpenSslTlsv13X509ExtendedTrustManager.java:239)
at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:242)
at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:661)
... 27 common frames omitted
Hi
I think you have to regenerate your TLS certificate with an extra IP option. I think by default only localhost is added to the TLS certificate when starting up LND. To regenerate it, it is usually enough to remove the existing one and restart LND with the --externalip option.
--externalip= Add an ip:port to the list of local addresses we claim to listen on to peers. If a port is not specified, the default (9735) will be used regardless of other parameters
It is possible to check the IP addresses added to the TLS certificate with the command:
openssl x509 -in tls.cert -text -noout
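The openssl command above prints the whole certificate; the field that decides this issue is the X509v3 Subject Alternative Name list, because JSSE (sun.security.util.HostnameChecker in the stack trace) only accepts an IP literal if an IP-type SAN matches it, and never matches an IP against a DNS entry or the CN. The following Java program is an added example, not part of this thread or of the lnd or lnd-java client code: it loads tls.cert with the standard CertificateFactory, lists the SAN entries, and reports whether the host you are about to dial would pass that check. The class name SanCheck and the cert path are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.InetAddress;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/**
 * Pre-flight check for an lnd tls.cert: does it carry a Subject Alternative Name
 * that matches the host we are about to connect to? This mirrors the identity
 * check JSSE performs during the handshake, so a FAIL here predicts the
 * "No subject alternative names matching IP address ... found" exception.
 */
public class SanCheck {
    // GeneralName type tags as returned by X509Certificate.getSubjectAlternativeNames()
    private static final int SAN_DNS = 2;
    private static final int SAN_IP = 7;

    /** Returns the SAN entries as "DNS:name" / "IP:addr" strings (other types are skipped). */
    static List<String> subjectAltNames(X509Certificate cert) throws Exception {
        List<String> out = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return out;                  // certificate has no SAN extension at all
        for (List<?> entry : sans) {
            int type = (Integer) entry.get(0);
            String value = String.valueOf(entry.get(1));
            if (type == SAN_DNS) out.add("DNS:" + value);
            else if (type == SAN_IP) out.add("IP:" + value);
        }
        return out;
    }

    /**
     * True if the target would pass hostname verification against this cert.
     * An IP literal must match an IP SAN (DNS SANs and the CN never count for an IP,
     * which is exactly why the thread's connection fails); a host name must match a
     * DNS SAN case-insensitively. Wildcard DNS SANs are deliberately not handled here.
     */
    static boolean targetMatches(X509Certificate cert, String target) throws Exception {
        boolean targetIsIp = isIpLiteral(target);
        // getByName on a literal does not hit DNS; it just parses the address
        InetAddress targetAddr = targetIsIp ? InetAddress.getByName(target) : null;
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;
        for (List<?> entry : sans) {
            int type = (Integer) entry.get(0);
            String value = String.valueOf(entry.get(1));
            if (targetIsIp && type == SAN_IP) {
                // compare address bytes so "::1" and "0:0:0:0:0:0:0:1" are treated as equal
                if (InetAddress.getByName(value).equals(targetAddr)) return true;
            } else if (!targetIsIp && type == SAN_DNS) {
                if (value.equalsIgnoreCase(target)) return true;
            }
        }
        return false;
    }

    /** Crude literal detection: dotted-quad IPv4 or anything containing a colon (IPv6). */
    static boolean isIpLiteral(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.indexOf(':') >= 0;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java SanCheck <path/to/tls.cert> <host-or-ip>");
            System.exit(2);
        }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("SAN entries: " + subjectAltNames(cert));
        boolean ok = targetMatches(cert, args[1]);
        System.out.println(ok
                ? "OK: " + args[1] + " matches a SAN"
                : "FAIL: no SAN matches " + args[1] + "; regenerate tls.cert with that address");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it as `java SanCheck path/to/tls.cert 18.179.20.192` on the copy of tls.cert the client uses. The right remediation when it reports FAIL is the one discussed in this thread: put the address the client actually dials into the certificate (lnd regenerates tls.cert and tls.key when they are deleted and the daemon is restarted, and its `tlsextraip=` / `tlsextradomain=` options add extra SAN entries), not loosening or disabling hostname verification in the client, which would leave the gRPC channel open to interception.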
@herrvendil
Thank you for your answer.
I think the problem I encountered may not be very clear.
- I deployed the Lightning Network node on the server 18.179.20.192.
- I wrote the test code on a different machine.
- This is my lnd.conf
# LND Mainnet: lnd configuration
# /root/.lnd/lnd.conf
[Application Options]
datadir=/disk2/lnd/datadir/data
logdir=/disk2/lnd/datadir/logs
adminmacaroonpath=/disk2/lnd/datadir/data/chain/bitcoin/mainnet/admin.macaroon
debuglevel=info
debughtlc=false
maxpendingchannels=20
alias=GAME
color=#68F442
rpclisten=0.0.0.0:10009
externalip=18.179.20.192
[Bitcoin]
bitcoin.active=1
# enable either testnet or mainnet
#bitcoin.testnet=1
bitcoin.mainnet=1
bitcoin.node=bitcoind
[autopilot]
#autopilot.active=0
#autopilot.maxchannels=5
#autopilot.allocation=0.1
I don't know where it is wrong.
Can you parse the LND TLS certificate with openssl and paste the result here, just to check that the extra IP address has been added to the certificate correctly?
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4d:a1:04:9d:e9:e8:f9:72:4f:6e:e4:9b:64:99:bc:fd
Signature Algorithm: ecdsa-with-SHA256
Issuer: O = lnd autogenerated cert, CN = ip-172-31-20-14
Validity
Not Before: Feb 25 02:54:57 2019 GMT
Not After : Apr 21 02:54:57 2020 GMT
Subject: O = lnd autogenerated cert, CN = ip-172-31-20-14
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:1a:23:ac:c4:5c:cc:51:a4:04:5a:84:ff:b9:6e:
92:88:09:07:9f:c9:41:a4:3b:0a:da:0b:13:a5:07:
17:96:10:fc:95:d6:3f:98:23:14:94:64:e5:b8:79:
e7:4b:3c:01:25:e3:61:7a:0f:5b:d2:12:26:01:7e:
e4:87:21:16:97
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Alternative Name:
DNS:ip-172-31-20-14, DNS:localhost, DNS:unix, DNS:unixpacket, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:172.31.20.14, IP Address:FE80:0:0:0:4F5:B0FF:FE85:2D7A, IP Address:113.251.21.83
Signature Algorithm: ecdsa-with-SHA256
30:45:02:20:44:e6:d0:4b:09:cd:44:f4:bd:16:c8:b2:32:e0:
bb:75:ef:c8:4e:72:38:0b:20:07:ae:cd:1a:9e:c5:f9:47:4e:
02:21:00:d4:41:f3:b0:44:19:c1:fe:6f:4d:62:2b:ff:8e:45:
d2:f2:d4:30:5e:4f:5b:8d:f7:93:5c:28:8c:72:fb:db:f5
113.251.21.83 is the machine IP address of my test.
I just deployed my test code on the node server. It works fine. So I can be sure that the problem is indeed on the tls.cert.
Good that you got it working!
If you connect to the lnd server remotely, this problem still exists.
Have you regenerated the tls.cert and is 18.179.20.192 included in the list of X509v3 Subject Alternative Name, and you still have this problem?
@herrvendil
This problem has been solved.
- Modified the lnd.conf file, adding:
tlsextradomain=test.com
- Modified the test machine's /etc/hosts, adding:
x.x.x.x test.com
(x.x.x.x is the lnd server IP)
Thank you for your answer.