John Brodrick

How to do Apex Callout via HTTPS to site that has multiple SSL certs on single IP

Hello All-

When doing an Apex Callout to a secure site via HTTPS I am getting this error:

java.security.cert.CertificateException: No name matching xxx found

This site does have a valid ssl certificate installed and I have verified that the CA is listed here: https://developer.salesforce.com/page/Outbound_Messaging_SSL_CA_Certificates.

However, this site does have multiple domains and corresponding certificates all hosted on the same IP address. From my research I have found that apparently Salesforce doesn't support SNI (Server Name Indication), which would be required in order to get the correct certificate back for the specific site I am trying to hit. I am wondering what workarounds I can do other than:

1) Have them get more IP addresses
2) Make the call via HTTP instead of HTTPS

Does Salesforce have plans to support this in the future? I would imagine that the need for this functionality is quite common.

Thanks,

John
Best Answer chosen by John Brodrick
Silje Olsen
Hi,
Don't know if this will help, but I had a similar problem with callouts, certificates and SNI. The problem with non-SNI support was that the call from Salesforce didn't contain the domain name for the certificate. The server then didn't know which certificate to provide.
We had the server admin specify a fallback certificate that was provided if the domain name was empty, and it worked smoothly after that.

You could also try to run openssl from your machine.
You can specify the domain name as a parameter, or choose not to send any name (as Salesforce does). The command will output the certificate and you can verify that it's the correct one.
No SNI: openssl s_client -connect myserver.com:443
With server name: openssl s_client -connect myserver.com:443 -servername myserver.com

All Answers

John Brodrick
Thanks for the idea Silje - I will contact my third party and see if this is an option. I'll let you know if it fixes my issue.
John Brodrick
That fixed it for us. Thanks!