system.net.httpClient post return exception : No subject alternative names present

Hi @PGriffith,

Ignition 8.1.1
I am trying to connect over HTTPS to a REST web service on my LAN.

I have the following error:
Caused by: com.inductiveautomation.ignition.common.GenericTransferrableException: No subject alternative names present

I use bypass_cert_validation=True.

I tried adding
wrapper.java.additional.7=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
and restarted the gateway, but I still have the same exception.

Any ideas?

	client = system.net.httpClient(bypass_cert_validation=True,username="admin", password="admin")
	response = client.post(url="https://10.100.3.31:443/api/api-token-auth/",username="admin", password="admin")
	
	# Validate the response
	if response.good:
	    # Do something with the response
	    print response.json
13:35:28.866 [AWT-EventQueue-0] ERROR com.inductiveautomation.ignition.client.util.gui.ErrorUtil - Error running action 'component.onActionPerformed' on pages/HOME@D/root/Button_19: Traceback (most recent call last):
  File "<function:runAction>", line 3, in runAction
	at com.inductiveautomation.ignition.common.script.builtin.http.JythonHttpClient.send(JythonHttpClient.java:94)
	at com.inductiveautomation.ignition.common.script.builtin.http.JythonHttpClient.post(JythonHttpClient.java:308)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
java.io.IOException: java.io.IOException: Unable to POST https://10.100.3.31:443/api/api-token-auth/

com.inductiveautomation.ignition.common.GenericTransferrableException: Traceback (most recent call last):
  File "<function:runAction>", line 3, in runAction
	at com.inductiveautomation.ignition.common.script.builtin.http.JythonHttpClient.send(JythonHttpClient.java:94)
	at com.inductiveautomation.ignition.common.script.builtin.http.JythonHttpClient.post(JythonHttpClient.java:308)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
java.io.IOException: java.io.IOException: Unable to POST https://10.100.3.31:443/api/api-token-auth/

	at org.python.core.Py.JavaError(Py.java:552)
	at org.python.core.Py.JavaError(Py.java:543)
	at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:190)
	at org.python.core.PyObject.__call__(PyObject.java:438)
	at org.python.core.PyMethod.instancemethod___call__(PyMethod.java:237)
	at org.python.core.PyMethod.__call__(PyMethod.java:228)
	at org.python.pycode._pyx5907.runAction$1(<function:runAction>:8)
	at org.python.pycode._pyx5907.call_function(<function:runAction>)
	at org.python.core.PyTableCode.call(PyTableCode.java:171)
	at org.python.core.PyBaseCode.call(PyBaseCode.java:308)
	at org.python.core.PyFunction.function___call__(PyFunction.java:471)
	at org.python.core.PyFunction.__call__(PyFunction.java:466)
	at org.python.core.PyFunction.__call__(PyFunction.java:461)
	at com.inductiveautomation.ignition.common.script.ScriptManager.runFunction(ScriptManager.java:821)
	at com.inductiveautomation.ignition.common.script.ScriptManager.runFunction(ScriptManager.java:805)
	at com.inductiveautomation.ignition.gateway.project.ProjectScriptLifecycle$TrackingProjectScriptManager.runFunction(ProjectScriptLifecycle.java:687)
	at com.inductiveautomation.ignition.common.script.ScriptManager$ScriptFunctionImpl.invoke(ScriptManager.java:964)
	at com.inductiveautomation.ignition.gateway.project.ProjectScriptLifecycle$AutoRecompilingScriptFunction.invoke(ProjectScriptLifecycle.java:752)
	at com.inductiveautomation.perspective.gateway.script.ScriptFunctionHelper.invoke(ScriptFunctionHelper.java:106)
	at com.inductiveautomation.perspective.gateway.action.ScriptAction.runAction(ScriptAction.java:71)
	at com.inductiveautomation.perspective.gateway.model.ActionCollection$ActionSequence$ExecuteActionsTask.lambda$call$0(ActionCollection.java:263)
	at com.inductiveautomation.perspective.gateway.api.LoggingContext.mdc(LoggingContext.java:54)
	at com.inductiveautomation.perspective.gateway.model.ActionCollection$ActionSequence$ExecuteActionsTask.call(ActionCollection.java:252)
	at com.inductiveautomation.perspective.gateway.model.ActionCollection$ActionSequence$ExecuteActionsTask.call(ActionCollection.java:221)
	at com.inductiveautomation.perspective.gateway.threading.BlockingTaskQueue$TaskWrapper.run(BlockingTaskQueue.java:154)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)
Caused by: com.inductiveautomation.ignition.common.GenericTransferrableException: Traceback (most recent call last):
  File "<function:runAction>", line 3, in runAction
	at com.inductiveautomation.ignition.common.script.builtin.http.JythonHttpClient.send(JythonHttpClient.java:94)
	at com.inductiveautomation.ignition.common.script.builtin.http.JythonHttpClient.post(JythonHttpClient.java:308)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
java.io.IOException: java.io.IOException: Unable to POST https://10.100.3.31:443/api/api-token-auth/

	... 30 common frames omitted
Caused by: com.inductiveautomation.ignition.common.GenericTransferrableException: Unable to POST https://10.100.3.31:443/api/api-token-auth/
	at com.inductiveautomation.ignition.common.script.builtin.http.JythonHttpClient.send(JythonHttpClient.java:94)
	at com.inductiveautomation.ignition.common.script.builtin.http.JythonHttpClient.post(JythonHttpClient.java:308)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.python.core.PyReflectedFunction.__call__(PyReflectedFunction.java:188)
	... 27 common frames omitted
Caused by: com.inductiveautomation.ignition.common.GenericTransferrableException: No subject alternative names present
	at java.net.http/jdk.internal.net.http.HttpClientImpl.send(Unknown Source)
	at java.net.http/jdk.internal.net.http.HttpClientFacade.send(Unknown Source)
	at com.inductiveautomation.ignition.common.script.builtin.http.JythonHttpClient.send(JythonHttpClient.java:92)
	... 33 common frames omitted
Caused by: com.inductiveautomation.ignition.common.GenericTransferrableException: No subject alternative names present
	at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source)
	at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(Unknown Source)
	at java.base/java.util.ArrayList.forEach(Unknown Source)
	at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.lambda$executeTasks$3(Unknown Source)
	at java.net.http/jdk.internal.net.http.HttpClientImpl$DelegatingExecutor.execute(Unknown Source)
	at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.executeTasks(Unknown Source)
	at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.doHandshake(Unknown Source)
	at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader.processData(Unknown Source)
	at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader$ReaderDownstreamPusher.run(Unknown Source)
	at java.net.http/jdk.internal.net.http.common.SequentialScheduler$SynchronizedRestartableTask.run(Unknown Source)
	at java.net.http/jdk.internal.net.http.common.SequentialScheduler$CompleteRestartableTask.run(Unknown Source)
	at java.net.http/jdk.internal.net.http.common.SequentialScheduler$TryEndDeferredCompleter.complete(Unknown Source)
	at java.net.http/jdk.internal.net.http.common.SequentialScheduler$CompleteRestartableTask.run(Unknown Source)
	at java.net.http/jdk.internal.net.http.common.SequentialScheduler$SchedulableTask.run(Unknown Source)
	... 3 common frames omitted
Caused by: com.inductiveautomation.ignition.common.GenericTransferrableException: No subject alternative names present
	at java.base/sun.security.util.HostnameChecker.matchIP(Unknown Source)
	at java.base/sun.security.util.HostnameChecker.match(Unknown Source)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(Unknown Source)
	at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
	... 24 common frames omitted

Can you print client? The toString() may be helpful. The stack trace looks like it’s not choosing the alternative, no-op trust manager that it should be.

Client print:

18:16:33.358 [Browser Thread: 57869] INFO Perspective.Designer.Workspace - client.toString()=<JythonHttpClient@198812531 timeout=10000, bypass_cert_validation=True, has_credentials=True, proxy=None, cookie_policy='ACCEPT_ORIGINAL_SERVER', redirect_policy='NEVER'>

@PGriffith I don’t think these no-op trust manager implementations we use excuse an invalid certificate - they just skip the part where it is verified that a path from the cert to a Trust Anchor can be constructed.

@mazeyrat you probably need to get a valid SSL certificate in place, even if it’s self-signed - one that has SAN entries present.


I will ask the webserver provider if he can check his SSL certificate.

You are accessing it via 10.100.3.31, therefore it must contain an IP address entry matching that in the SAN extension. You can grab the certificate and verify this yourself.

How can I grab the certificate and verify it myself?

In Chrome you can just put the URL into the browser and then click on the padlock or whatever in the URL bar to view/download the certificate… somewhere.

There’s probably better ways via command line too.

edit: openssl s_client -connect {HOSTNAME}:{PORT} -showcerts
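
The check described above (an iPAddress SAN entry matching the address in the URL, plus the expiry date), scripted with openssl as an added example that is not part of the original thread. The function names and the demo certificates generated on the fly are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the demo
# certificates (generated below, constructed) are assumptions.

# check_cert PEM IP [SECONDS]
# Succeeds only if PEM has an iPAddress SAN equal to IP and does not
# expire within SECONDS (default 0, i.e. still valid right now).
check_cert() {
    pem=$1; ip=$2; horizon=${3:-0}; rc=0
    # -checkip looks only at iPAddress SAN entries; the CN is not consulted.
    if openssl x509 -in "$pem" -noout -checkip "$ip" 2>/dev/null | grep -q 'does match'; then
        echo "SAN: iPAddress entry for $ip present"
    else
        echo "SAN: no iPAddress entry for $ip"; rc=1
    fi
    # -checkend exits non-zero if notAfter falls within the next N seconds.
    if openssl x509 -in "$pem" -noout -checkend "$horizon" >/dev/null 2>&1; then
        echo "validity: ok"
    else
        echo "validity: expired or expiring within ${horizon}s"; rc=1
    fi
    return "$rc"
}

# fetch_cert HOST PORT: print the server's leaf certificate as PEM (needs network).
fetch_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | openssl x509
}

# make_demo_certs: create two constructed self-signed certificates in a
# temp dir (CN is the IP in both, only one has an IP SAN); print the dir.
make_demo_certs() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=10.100.3.31" \
        -keyout "$dir/key.pem" -out "$dir/no_san.pem" >/dev/null 2>&1 || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=10.100.3.31" \
        -addext "subjectAltName=IP:10.100.3.31" \
        -keyout "$dir/key.pem" -out "$dir/with_san.pem" >/dev/null 2>&1 || return 1
    echo "$dir"
}

demo_dir=$(make_demo_certs) || { echo "openssl req failed" >&2; exit 1; }
check_cert "$demo_dir/no_san.pem" 10.100.3.31 || echo "-> rejected for https://10.100.3.31/"
check_cert "$demo_dir/with_san.pem" 10.100.3.31 && echo "-> usable for https://10.100.3.31/"
rm -rf "$demo_dir"
```

Against a live server, `fetch_cert 10.100.3.31 443 > server.pem` followed by `check_cert server.pem 10.100.3.31` applies the same two checks to the certificate the server actually presents.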

The certificate seems to be not valid. End date 29 September 2020!


@Kevin.Herron, @PGriffith

Is there any way to ignore SSL certificate verification in httpPost / httpClient from Ignition?

For example in Postman, it works with “SSL certificate verification=OFF”
and with curl -k:

curl -X POST -d '{"username": "admin", "password": "admin"}' -H "Content-Type: application/json" -k "https://10.100.3.31:443/api/api-token-auth/"

I tried to add the certificate (*.p7b) exported from chrome in
C:\Program Files\Inductive Automation\Ignition\data\certificates\supplemental
restarted the gateway, but I still have this error.

@PGriffith,
Perhaps something like this could be added to httpClient in case of bypass_cert_validation=True

Setting that property would be ‘global’, though - there’s no great way to set it for a single http client instance.

Perhaps a parameter to accept some untrusted certificates for HTTPS connections could be possible with httpClient; it would be useful for dev/test environments.

For test purposes only, I ended up temporarily adding in ignition.conf:

-Djdk.internal.httpclient.disableHostnameVerification

That ‘trust all’ cert manager approach is exactly what the code currently does. It’s just that your particular cert is not just self-signed, but entirely invalid, which apparently Java still balks at (without the system property). It’s relatively unlikely we’ll change anything around that - you can work around it yourself, but globally setting internal http client parameters seems like a bad idea. It’s possible some future version of Java will enhance the HTTP client to allow a more first-class bypass mechanism, in which case we could add it to the httpClient() function.

Another developer came up with a different approach that should work here - the latest 8.1.3 nightly enhances the bypass_cert_validation flag to allow totally invalid certs.


Hi All,

Came across this post and wanted to let you know I had the exact same error when trying to access developer when trying to use a self-signed cert. What I did was fill out the optional field at the bottom of the cert application for additional IPs to just include one additional IP. This worked and allowed me to access developer.