Rupali Pophaliya

Salesforce Certificate Exception: No subject alternative DNS name matching found

Hi,

We are trying to make a callout to "https://support.breadwinnerhq.com/bwpayment/v1/accounts/00Db0000000b9t" from Salesforce. But, we are facing an exception:

System.CalloutException: java.security.cert.CertificateException: No subject alternative DNS name matching support.breadwinnerhq.com found.

The domain has a valid SSL certificate.

We have checked with SSL Shopper: https://www.sslshopper.com/ssl-checker.html?submit=submit&hostname=support.breadwinnerhq.com

But, still we are facing this issue.

We don't understand why Salesforce is not allowing us to make callouts to this domain when it has a valid SSL certificate and the browsers allow it.


Thanks,
Rupali

All Answers

Chaten Raghav 5
Hi Rupali,


Salesforce supports certificates from the trusted CA authorities listed on

https://developer.salesforce.com/page/Outbound_Messaging_SSL_CA_Certificates

Please check whether the certificate you are using is signed by one of the trusted authorities listed at the above link.
If you do not find your CA authority in the above list, then the error message is correct and you need to get the certificate signed by a Salesforce trusted CA authority.

Please mark this as "Best Answer" if it helps you.


Thanks.
Stony Grunow - Breadwinner
Hi Chaten

Did you click the link we provided? And did you notice that we got our certificate from Go Daddy, which is in that list?

You gave us very clear instructions on what to do if our CA Authority wasn't on the list; perhaps you'd be kind enough to tell us what to do if it is on the list?

Kindly escalate this case to the next tier.

thanks
stony
Rupali Pophaliya
Hi Chetan,

We understand that Salesforce only supports the certificates from trusted CA authorities as listed on

https://developer.salesforce.com/page/Outbound_Messaging_SSL_CA_Certificates

Our certificate provider is GoDaddy, which is in the list at the above link. Our fingerprint matches godaddyclass2ca.


Simple steps to recreate the issue are as follows-

1) Create a remote site setting for URL - "https://support.breadwinnerhq.com"
2) Execute the following code from the developer console -
HttpRequest httpReq = new HttpRequest();
Http httpObj = new Http();
HttpResponse httpResp = new HttpResponse();

httpReq.setEndPoint('https://support.breadwinnerhq.com/bwpayment/accounts/orgid'); 
httpReq.setMethod('GET');
 
httpResp = httpObj.send(httpReq);

3) The execution will fail. Check debug logs for details of exception

Can you please explain the reason for this issue?


MaxPowerForce
The certificate looks fine and I was able to successfully make a callout with the example code.  I am not sure if something has changed since this was posted, but the error may not have been descriptive of the actual issue.
Stony Grunow - Breadwinner
Hi Max

Thanks for testing! We had just solved this a few days ago and not updated the question, sorry.

The reason we had this error was that Salesforce cannot apparently handle multiple SSL certs on a single IP address. Once we put our subdomain on a dedicated IP address it worked. Salesforce also apparently has problems with wildcard certs and may give the same (inaccurate) error message for those as well.

Hope this helps those with the same error!

stony
This was selected as the best answer
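
Added example (not part of the thread, and not Salesforce's or Breadwinner's code): a model of how several certificates on one IP address can produce this error, assuming the calling client sends no SNI hostname, which the thread does not confirm. The hostnames and SAN lists are constructed; the certificate dicts follow the shape of Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added example: constructed data, not taken from the thread.
# Certificates are dicts in the shape returned by ssl.SSLSocket.getpeercert().
DEFAULT_CERT = {"subjectAltName": (("DNS", "example.test"), ("DNS", "www.example.test"))}
SUPPORT_CERT = {"subjectAltName": (("DNS", "support.example.test"),)}
VHOSTS = {"support.example.test": SUPPORT_CERT}  # hypothetical name-based vhosts on one IP


def dns_names(cert):
    """Return the lower-cased DNS entries of the subjectAltName extension."""
    return [value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(hostname, pattern):
    """RFC 6125 style match: a leading '*' stands for exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Refuse over-broad patterns such as '*.test'.
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def served_cert(vhosts, default, sni):
    """Certificate the server presents: chosen by SNI, else the default one."""
    return vhosts.get(sni, default) if sni else default


def verify(hostname, cert):
    """Return 'ok' or the mismatch message a strict client would raise."""
    names = dns_names(cert)
    if any(name_matches(hostname, n) for n in names):
        return "ok"
    return f"No subject alternative DNS name matching {hostname} found; certificate lists {names}"


if __name__ == "__main__":
    host = "support.example.test"
    print("with SNI:   ", verify(host, served_cert(VHOSTS, DEFAULT_CERT, host)))
    print("without SNI:", verify(host, served_cert(VHOSTS, DEFAULT_CERT, None)))
```

On a dedicated IP address the default certificate is the only one served, so the result no longer depends on SNI.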
Hussey786

Hi Stony,

I am getting the "java.security.cert.CertificateException: No subject alternative DNS name matching 'xxx.aaa.com'" exception in production only, but it is working fine in Sandbox.
I am unable to find the reason for this.
Please help me.

Thanks,
Hussain.
Stony Grunow - Breadwinner
Hi Hussain

This error was really tricky. First support told me that we needed to have an SSL Cert with no Chained Certs in it. But that isn't true as Heroku itself has chained certs and we could resolve to their SSL Heroku-branded domains. Then we were told Salesforce's Java is behind by a few years. Finally we pushed the case more and someone in their Oregon support office talked to me. She said she'd look into it. I never heard back from her but it started working 2 days later so I guess she did something? I'd say to keep pushing support and push them some more.

best of luck
stony
Dennis Foley

I have the same error: it works fine in staging but not in production. I have a Symantec Class 3 EV SSL CA G3.
I don't have wildcard certificates, and I don't have multiple certificates per IP address.