SSL certificate hostname mismatch when consuming feed on external site
-
I use a <cffeed> tag to consume a WordPress blog, but am getting a hostname mismatch in the certificate which causes the ColdFusion tag to fail. I see my domain name added to the UCC certificate as a SAN, but the UCC doesn’t reference the Wildcard cert anywhere to link it back to wordpress.com. Is there any way to remedy this?
-
Sorry, but you are in the wrong place. These forums are only for blogs/sites hosted by WordPress.com
WordPress.COM and WordPress.ORG are completely separate and different http://support.wordpress.com/com-vs-org/
And you should ask in the WordPress.org forums.
http://wordpress.org/support/
-
My apologies as I wasn’t very clear; the blog in question is a WordPress-hosted blog, http://umucglobalmediacenter.wordpress.com. We have a mapping in place for it to globalmedia.umuc.edu. Thank you.
-
To elaborate further on the error I’m receiving:
“hostname in certificate didn’t match: <globalmedia.umuc.edu> != <*.wordpress.com> OR <wordpress.com> OR <*.wordpress.com>”
I get this error when I consume the http://umucglobalmediacenter.wordpress.com/feed/ as the cffeed’s source from a page on http://www.umuc.edu’s website.
-
We have a mapping in place for it to globalmedia.umuc.edu
Perfect!
The issue is fixed (for me) right now: If I type
http://umucglobalmediacenter.wordpress.com/
the result is
https://globalmedia.umuc.edu/
-
Yes, that works fine for me too, but when I try to consume the feed using the ColdFusion <cffeed> tag on our http://www.umuc.edu website, ColdFusion complains that the hostname in certificate didn’t match and errors out.
-
Correct, I’ve tried using that as the <cffeed> tag’s source as well as https://umucglobalmediacenter.wordpress.com/feed/ and get the same hostname mismatch error.
-
Hi @johndonohoeumuc,
Can you confirm you’ve tried both
https://globalmedia.umuc.edu/feed
and
https://umucglobalmediacenter.wordpress.com/feed/ ?
I noticed you had used http:// in a few examples.
Also, do you have a link where we can see this error in action?
-
Ah I had to correct one of my links there. And I understand now this is causing ColdFusion to fail on that side, so we wouldn’t be able to see it publicly.
Stick with using https://globalmedia.umuc.edu/feed , since that is the name on the certificate for the site. You’ll notice the other URL just redirects there anyway.
If that still gives you errors, can you send the full text of the error? Thanks. :)
-
Hi @supernovia,
No worries.
Yes, confirmed: I have tried both https://umucglobalmediacenter.wordpress.com/feed/ and https://globalmedia.umuc.edu.
Here’s the link, note the second <cfdump> shows the “rssSource” or feed URL: https://www.umuc.edu/visitors/news/?showError
It’s currently pointed at https://umucglobalmediacenter.wordpress.com/feed/, I’ll update to the other.
Thank you.
-
@supernovia , Ok the feed is now pulling from https://globalmedia.umuc.edu/feed/ but it gives the same error: “hostname in certificate didn’t match: <globalmedia.umuc.edu> != <*.wordpress.com> OR <wordpress.com> OR <*.wordpress.com>”
Page with Error: https://www.umuc.edu/visitors/news/index.cfm?showError
-
Thanks, I’ve done some digging and talked to some sysadmins about this. Can you confirm your CF stack includes SNI support? Updating your JDK may help: https://docs.oracle.com/javase/7/docs/technotes/guides/security/enhancements-7.html
-
Hi @supernovia, our JDK is 1.7.0_17 on ColdFusion 10. From that article, it looks like that version supports SNI.
-
@johndonohoeumuc if you’ll look at Stack Overflow or a similar site you can see how other sysadmins worked through this. It’s out of the scope of WordPress.com support, but talking to other sysadmins about it will help, I’m sure.
From what I understand, your CF stack is not recognizing the validity of the certificate for globalmedia.umuc.edu, because it’s looking at the host for the IP address and seeing that’s wordpress / *.wordpress.com, etc. The SNI support _should_ help it get past that and not just automatically try to resolve by IP. I hope that helps.
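The SNI explanation in the reply above can be checked from the client side with a short probe. This is an added example, not part of the original thread: the function names are my own, it connects to a host with and without SNI, and it compares the DNS SANs of each presented certificate against the hostname.

```python
"""Check whether a TLS server's certificate depends on SNI (added example)."""
import socket
import ssl
import sys


def san_matches(hostname, sans):
    """RFC 6125-style match: a wildcard covers exactly one left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    for san in sans:
        pat = san.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue
        if pat[0] == "*" and len(pat) > 2:
            if pat[1:] == host[1:]:
                return True
        elif pat == host:
            return True
    return False


def presented_sans(host, send_sni, port=443, timeout=10):
    """Return the DNS SANs of the certificate served with or without SNI."""
    ctx = ssl.create_default_context()   # chain is still validated
    ctx.check_hostname = False           # names are compared by san_matches()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        name = host if send_sni else None    # None => no SNI extension sent
        with ctx.wrap_socket(raw, server_hostname=name) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def diagnose(host, sans_with_sni, sans_without_sni):
    """Classify the result of the two probes."""
    with_ok = san_matches(host, sans_with_sni)
    without_ok = san_matches(host, sans_without_sni)
    if with_ok and not without_ok:
        return "sni-required"      # a client that omits SNI gets the mismatch
    if with_ok:
        return "ok"
    return "mismatch"              # name is not on the certificate at all


if __name__ == "__main__":
    target = sys.argv[1]
    print(diagnose(target, presented_sans(target, True),
                   presented_sans(target, False)))
```

A result of "sni-required" for a mapped domain means the server is configured correctly and the failing client is not sending the hostname in its TLS handshake.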
-
You bet, @johndonohoeumuc . If you’re willing, feel free to come back and let us know what you ended up doing to make it work. With SSL being supported on all sites here as of just a few days ago, I’d imagine someone else might find that information useful.
-
From our Sysadmin:
It appears that this was a CF issue, and required CF 10 updater 18 be applied. I don’t know if that will break anything else, but it seemed fairly low risk. The last updater installed was 16. I don’t think there was a 17! Information about the specific issue is here:
https://bugbase.adobe.com/index.cfm?event=bug&id=3598342
Once installed, there was a second problem with the site. This problem was caused by the fact that the certificates were not installed in the Java keystore. I’ve installed the certificate chain into the java keystore… I then restarted the CF service, and tested and verified that content is being returned.
The keystore command I ran was:
/path/to/keytool> keytool -import -alias "<alias>" -keystore <path/to/cacerts> -file <certificate chain file>.pem -storepass <password> -trustcacerts
We then found that <cffeed> still wasn’t working and applied the following workaround:
– Fetch feed using cfhttp first
– Save file locally
– Read local file using cffeed