Host error for https://www.apis.google.com/ in spring social

I am using Spring Social to login with gmail account to my webapp. Everything was fine when I implemented this feature, but today I am getting

javax.net.ssl.SSLPeerUnverifiedException: Host name 'www.googleapis.com' does not match the certificate subject provided by the peer (CN=*.storage.googleapis.com, O=Google Inc, L=Mountain View, ST=California, C=US)

This is the stack trace:

Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'www.googleapis.com' does not match the certificate subject provided by the peer (CN=*.storage.googleapis.com, O=Google Inc, L=Mountain View, ST=California, C=US)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:84)
    at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:46)
    at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:52)
    at org.springframework.http.client.InterceptingClientHttpRequest$RequestExecution.execute(InterceptingClientHttpRequest.java:94)
    at org.springframework.social.oauth2.OAuth2RequestInterceptor.intercept(OAuth2RequestInterceptor.java:45)
    at org.springframework.http.client.InterceptingClientHttpRequest$RequestExecution.execute(InterceptingClientHttpRequest.java:84)
    at org.springframework.http.client.InterceptingClientHttpRequest.executeInternal(InterceptingClientHttpRequest.java:69)
    at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:46)
    at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:52)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:541)
    ... 44 more

      

If I browse to the URL https://www.apis.google.com/ in Firefox, I get a warning that the certificate is not valid for this domain.

Is there something wrong with the Spring social call? How to temporarily disable host validation for gmail Spring social?

+3




3 answers


I am facing the same problem. My best guess: there is a mismatch between the HTTP calls and the certificate. This is similar to the Google problem and then the Spring Social Google API problem.

Not sure how long this problem has been going on. I started working on this code yesterday.

An error opens with Google and Spring Google Social

Filed a bug with Google, and for Social on GitHub.



59:27:345 ERROR org.springframework.social.connect.web.ProviderSignInController.oauth2Callback Message=Exception while completing OAuth 2 connection: 
org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://www.googleapis.com/plus/v1/people/me":Host name 'www.googleapis.com' does not match the certificate subject provided by the peer (CN=*.storage.googleapis.com, O=Google Inc, L=Mountain View, ST=California, C=US); nested exception is javax.net.ssl.SSLPeerUnverifiedException: Host name 'www.googleapis.com' does not match the certificate subject provided by the peer (CN=*.storage.googleapis.com, O=Google Inc, L=Mountain View, ST=California, C=US)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:580)
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:530)
    at org.springframework.web.client.RestTemplate.getForObject(RestTemplate.java:237)
    at org.springframework.social.google.api.impl.AbstractGoogleApiOperations.getEntity(AbstractGoogleApiOperations.java:50)
    at org.springframework.social.google.api.plus.impl.PlusTemplate.getPerson(PlusTemplate.java:105)
    at org.springframework.social.google.api.plus.impl.PlusTemplate.getGoogleProfile(PlusTemplate.java:110)
    at org.springframework.social.google.connect.GoogleAdapter.fetchUserProfile(GoogleAdapter.java:51)
    at org.springframework.social.google.connect.GoogleAdapter.fetchUserProfile(GoogleAdapter.java:31)
    at org.springframework.social.google.connect.GoogleConnectionFactory.extractProviderUserId(GoogleConnectionFactory.java:37)
    at org.springframework.social.connect.support.OAuth2ConnectionFactory.createConnection(OAuth2ConnectionFactory.java:91)
    at org.springframework.social.connect.web.ConnectSupport.completeConnection(ConnectSupport.java:161)
    at org.springframework.social.connect.web.ProviderSignInController.oauth2Callback(ProviderSignInController.java:216)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)

      

Finally found a solution to this problem.

Downgrade HttpClient to 4.3.x. There is a bug reported and resolved for 4.5.x https://issues.apache.org/jira/browse/HTTPCLIENT-1613

For reference - https://github.com/GabiAxel/spring-social-google/issues/67#issuecomment-97154525

+11




If I browse to the URL https://www.apis.google.com/ in Firefox, I get a warning that the certificate is not valid for this domain.

The hostname must be apis.google.com, i.e. without www. Then the verification of the certificate should be successful.

Is there something wrong with the spring social call?

You are using a different name here, i.e. www.googleapis.com. The certificate for this name is correct.



Host name 'www.googleapis.com' does not match the certificate subject provided by the peer (CN=*.storage.googleapis.com, O=Google Inc, L=Mountain View, ST=California, C=US)

While the CN is *.storage.googleapis.com, there is an alternate name for *.googleapis.com that matches www.googleapis.com. This means the hostname validation your code is using is incorrect. I don't know where this bad check comes from, but it could be an old version of Java or the libraries you are using.

How to temporarily disable host validation for gmail spring social?

It would be a bad idea, because it would undermine the reason https is used at all.

0
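
The SAN-before-CN rule the answer above relies on, as an added example (not code from the original posts, Spring Social or Apache HttpClient). It is a simplified check: the SAN list is constructed around the *.googleapis.com entry the answer mentions, and verifyCnOnly is a hypothetical faulty verifier that models the symptom in the exception text, not HttpClient's actual defect.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

public class SanFirstHostnameCheck {

    // A wildcard is honoured only as the whole leftmost label and covers one label.
    static boolean matchesPattern(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return h.equals(p);
        }
        String suffix = p.substring(1);                 // "*.a.b" -> ".a.b"
        if (!h.endsWith(suffix)) {
            return false;
        }
        String left = h.substring(0, h.length() - suffix.length());
        return !left.isEmpty() && left.indexOf('.') < 0;
    }

    // RFC 6125 order: when dNSName SANs exist, they decide and the CN is ignored.
    static boolean verify(String host, String cn, List<String> dnsSans) {
        if (!dnsSans.isEmpty()) {
            return dnsSans.stream().anyMatch(san -> matchesPattern(host, san));
        }
        return cn != null && matchesPattern(host, cn);
    }

    // Assumed faulty check: consults only the subject CN, never the SAN list.
    static boolean verifyCnOnly(String host, String cn) {
        return cn != null && matchesPattern(host, cn);
    }

    public static void main(String[] args) {
        String host = "www.googleapis.com";
        String cn = "*.storage.googleapis.com";          // CN from the exception text
        // Constructed SAN list; "*.googleapis.com" is the entry the answer refers to.
        List<String> sans = Arrays.asList("*.storage.googleapis.com", "*.googleapis.com");
        System.out.println("SAN-first check: " + verify(host, cn, sans));
        System.out.println("CN-only check:   " + verifyCnOnly(host, cn));
        // One wildcard label only: a deeper name does not match "*.googleapis.com".
        System.out.println("a.b.googleapis.com: "
                + verify("a.b.googleapis.com", cn, Arrays.asList("*.googleapis.com")));
        // No SAN present at all: only then is the CN used as a fallback.
        System.out.println("CN fallback: "
                + verify("x.storage.googleapis.com", cn, Collections.<String>emptyList()));
    }
}
```

With the SAN list present, the SAN-first check accepts www.googleapis.com while the CN-only check rejects it, which is the mismatch reported in the exception.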




Check if you are using HttpClient. Then go to the HttpClient 4.3.x library, not 4.4.x.

<!-- http://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient -->
<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
    <version>4.3.1</version>
</dependency>

      

0

