node js hostname ip doesnt match certificates altnames

I have code:

var r = require('request');
r({
  method: 'POST',
  url: ''},
  function() { console.log(arguments)  } )

When I run it on desktop with Node 0.9.4, I get this in the console:

{ '0': [Error: Hostname/IP doesn't match certificate's altnames] }

When I run it on a netbook with Node 0.6.12, it all works without error (302 response - I think it's right).

In question Node.js hostname/IP doesnt match certificates altnames, Rojuinex writes: "Yeah, browser issue... sorry". What does "browser issue" mean?

UPD. This problem was resolved after rolling back to Node v0.8

asked Sep 18, 2015 by vickeykumar66
0 votes

4 Answers

0 votes

Since 0.9.2 (including 0.10.x) node.js now validates certificates by default. This is why you could see it become more strict when you upgrade past node.js 0.8. (HT:

You can avoid this with the {rejectUnauthorized:false} option, however this has serious security implications. Anything you send to the peer will still be encrypted, but it becomes much easier to mount a man-in-the-middle attack, i.e. your data will be encrypted to the peer but the peer itself is not the server you think it is!

It would be better to first diagnose why the certificate is not authorizing and see if that could be fixed instead.

answered Sep 18, 2015 by rolvyrf
0 votes

A slightly updated answer (since I ran into this problem in different circumstances.)

When you connect to a server using SSL, the first thing the server does is present a certificate which says "I am" The certificate has a "subject" and the subject has a "CN" (short for "common name".) The certificate may also have one or more "subjectAltNames". When node.js connects to a server, node.js fetches this certificate, and then verifies that the domain name it thinks it's connecting to ( matches either the subject's CN or one of the altnames. Note that, in node 0.10.x, if you connect using an IP, the IP address has to be in the altnames - node.js will not try to verify the IP against the CN.

Setting the rejectUnauthorized flag to false will get around this check, but first of all if the server is giving you different credentials than you are expecting, something fishy is going on, and second this will also bypass other checks - it's not a good idea if you're connecting over the Internet.

If you are using node >= 0.11.x, you can also specify a checkServerIdentity: function(host, cert) function to the tls module, which should return true if you want to allow the connection and false otherwise (although I don't know if request will proxy this flag through to tls for you.) It can be handy to declare such a function and console.log(host, cert); to figure out what the heck is going on.

answered Sep 18, 2015 by mcasudhir
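
To diagnose the mismatch discussed in the answers above without turning verification off, here is an added example (not code from any of the posters) that runs Node's own `tls.checkServerIdentity` over constructed certificate objects and shows that an IP address is accepted only when it is listed in the altnames. The certificate values and the helper names `parseAltNames`, `diagnose` and `loggingCheck` are assumptions made for illustration; in current Node releases the check returns `undefined` to accept and an `Error` to reject.

```javascript
const tls = require('tls');

// Constructed certificate objects, in the shape tls.getPeerCertificate() returns.
const CERT_CN_IS_IP = {            // IP appears only in the CN, not in altnames
  subject: { CN: '192.0.2.10' },
  subjectaltname: 'DNS:api.example.test',
};
const CERT_IP_IN_SAN = {           // IP listed as a subjectAltName
  subject: { CN: 'api.example.test' },
  subjectaltname: 'DNS:api.example.test, IP Address:192.0.2.10',
};

// Split Node's subjectaltname string into DNS names and IP addresses.
function parseAltNames(cert) {
  const names = { dns: [], ip: [] };
  for (const entry of (cert.subjectaltname || '').split(', ')) {
    if (entry.startsWith('DNS:')) names.dns.push(entry.slice(4));
    else if (entry.startsWith('IP Address:')) names.ip.push(entry.slice(11));
  }
  return names;
}

// Describe what the certificate claims and whether Node's built-in check
// accepts it for `host`. The verdict always comes from tls.checkServerIdentity.
function diagnose(host, cert) {
  const error = tls.checkServerIdentity(host, cert); // undefined = accepted
  return {
    host,
    cn: cert.subject ? cert.subject.CN : undefined,
    altNames: parseAltNames(cert),
    ok: error === undefined,
    error,
  };
}

// Usable as the checkServerIdentity option of tls.connect()/https.request():
// logs the mismatch details, then returns the built-in verdict unchanged.
function loggingCheck(host, cert) {
  const report = diagnose(host, cert);
  if (!report.ok) {
    console.error('TLS identity mismatch for %s: CN=%s altnames=%j (%s)',
      report.host, report.cn, report.altNames, report.error.message);
  }
  return report.error;
}

console.log(diagnose('192.0.2.10', CERT_CN_IS_IP).ok);   // IP only in CN
console.log(diagnose('192.0.2.10', CERT_IP_IN_SAN).ok);  // IP in altnames
```

Because `loggingCheck` returns the built-in result unchanged, passing it as `checkServerIdentity` adds logging without weakening the hostname check.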
0 votes

I know this is old, BUT for anyone else looking:

Remove https:// from the hostname and add port 443 instead.

var options = {
  method: 'POST',
  hostname: '',
  port: 443
};

answered Sep 18, 2015 by mtabakade
0 votes

I ran into the same problem with node 0.10.26 while creating a soap client. The solution was simply to use the web service address with http instead of https (from to

answered Sep 18, 2015 by yogeshplv