HTTPS request using Sendega SMS

Enonic version: 6.7.2
OS: Ubuntu 14.04.5 LTS

Hello everyone,

I’m trying to create a service to send SMS messages using Sendega.
For some reason Enonic is throwing a “Hostname not verified” error.

Here is the full error message: Hostname not verified: certificate: sha1/T6MymE6L3G/HojxbNmshqP8iwOc= DN: subjectAltNames: [] (java.lang.RuntimeException)

Any ideas?

BTW: I have other services sending requests to HTTPS working fine.

The SSL certificate seems correct. But it contains “” in the server name. The browsers don’t complain, so maybe the Java HTTP library we use is a bit more strict.

openssl s_client -connect -showcerts
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Certificate chain
 0 s:/
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
Server certificate
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

If you try to connect to “” , instead of “”, it seems to work. And both names point to the same IP address. So maybe that is a workaround.


Hi Aro, I am having the same problem, this error shows when I try httpClientLib.

The URL is this " ". Hostname not verified: certificate: sha1/eLTZPGfe010o1J1Xnns/ch2YRYI= DN: subjectAltNames: [] (java.lang.RuntimeException)


It looks like it’s the same case as the one above. The certificate we get back is for, which has the same IP address as When I try making the request from Java or from the command line, I get a certificate with a host that does not match ( !=

$ openssl s_client -connect | openssl x509 -noout -subject -issuer
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
subject= /
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

But all the browsers I tried, validate and accept the certificate without warnings.

I tried upgrading to the latest version of the HTTP lib we use (OkHttp), but it did not help.

Which web server are you using? Could you post the SSL config here?

Chiming in with the same problem, and the same cert authority.

I’m trying to consume

I’m getting this error: Hostname not verified: certificate: sha1/NroKloeb/Zt5UWXHQcpxGbrnJNc= DN: subjectAltNames: [] (java.lang.RuntimeException)

Examining the certificate gives this error:

Checking with openssl gives this error:

openssl s_client -connect -showcerts
CONNECTED(00000003)
9432:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.40.1/src/ssl/s23_clnt.c:593:

However, Chrome is having no problems using the endpoint, and shows a green padlock to indicate that all is ok.


I showed the errors in this thread to a friend of mine who has done similar troubleshooting in the past (although he is by no means an expert), and his immediate reaction was:
“That’s just an error you get when you don’t have the required certificate locally. If the process that does the request is Java, then the local Java machine needs to get that certificate somehow.”

I tried adding the relevant certificates to $JAVA_HOME/jre/lib/security/cacerts with keytool, but this doesn’t seem to do anything for Enonic XP’s ability to access this connection.

In my specific case, it seems that has two certificates. One for (which fails), and one for all the other domains they have, including (which seems to pass). I have added both certificates to cacerts.

I’ll make a proper support request for my specific problem, but the solution is probably interesting for the others in this thread. If there is some other way of getting Enonic XP to do this itself, I would like to know. I’d hate to have to fetch renewed certificates regularly in the future.

The issue is with hosts that have multiple SSL certificates for different domains. The request validates the certificate, but when it checks if the certificate domain matches with the host in the HTTPS request, it fails because it has received the certificate for another domain on the server.

We will look more into this and try to get some kind of fix for the 6.9 release.

Good stuff, please fix :smile:

While we wait for the fix: As a workaround, it is possible and pretty easy to set up a reverse proxy, terminating the ssl connection and exposing a normal http connection to Enonic XP.


I think I found the problem, and maybe a quick solution so you don’t need to wait for 6.9.

We need to set the JVM property jsse.enableSNIExtension to true, to enable SNI for SSL connections.

Can you try this command, before starting XP (on Unix/Linux), and confirm if it fixes the issue for you?
export JAVA_OPTS=-Djsse.enableSNIExtension=true

Or else change the value to true, in

Explanation from Java documentation:

Server Name Indication (SNI) is a TLS extension, defined in RFC 6066. It enables TLS connections to virtual servers, in which multiple servers for different network names are hosted at a single underlying network address.
Some very old SSL/TLS vendors may not be able to handle SSL/TLS extensions. In this case, set this property to false to disable the SNI extension.
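
A diagnostic for the behaviour described above, added here as an example and not part of the original thread or of Enonic XP: it handshakes with the same host once with and once without the SNI extension and prints the subject and subjectAltName DNS entries of the certificate the server returns in each case. The class name `SniCertCheck` and the command-line arguments are assumptions of this example; it uses only standard JSSE classes (Java 8 or later).

```java
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

public class SniCertCheck {
    // Handshake with or without the server_name extension; return the leaf certificate.
    static X509Certificate leaf(String host, int port, boolean sendSni) throws Exception {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) f.createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            List<SNIServerName> names = sendSni
                ? Collections.<SNIServerName>singletonList(new SNIHostName(host))
                : Collections.<SNIServerName>emptyList(); // empty list: no SNI is sent
            p.setServerNames(names);
            s.setSSLParameters(p);
            s.startHandshake(); // the chain is validated; the hostname is not checked here
            return (X509Certificate) s.getSession().getPeerCertificates()[0];
        }
    }

    // dNSName entries (type 2) of subjectAltName: the list the error in this thread prints.
    static List<String> dnsNames(X509Certificate c) throws Exception {
        List<String> out = new ArrayList<>();
        Collection<List<?>> sans = c.getSubjectAlternativeNames();
        if (sans != null)
            for (List<?> e : sans)
                if (((Integer) e.get(0)) == 2) out.add((String) e.get(1));
        return out;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) { System.err.println("usage: java SniCertCheck <host> [port]"); return; }
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        for (boolean sni : new boolean[] {true, false}) {
            try {
                X509Certificate c = leaf(args[0], port, sni);
                System.out.printf("SNI=%-5b subject=\"%s\" dnsNames=%s%n",
                        sni, c.getSubjectX500Principal().getName(), dnsNames(c));
            } catch (Exception e) { // e.g. handshake alert or an untrusted default certificate
                System.out.printf("SNI=%-5b failed: %s%n", sni, e);
            }
        }
    }
}
```

If the two rows show different certificates, the server selects its certificate by SNI and a client that omits the extension gets the default one. Started with `-Djsse.enableSNIExtension=false`, the JVM suppresses the extension in both runs, so both rows show the default certificate.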


Great news everyone! It works! :smiley:

Will this be default setting in XP from 6.9 then? What about the keystore etc - no need to use this at all then?


Thx Aro, it did work.

Yes, it will be the default setting from 6.9. True is actually the default value in the JVM, our start up scripts were setting it to false.
For those connecting to very old servers not supporting SNI extensions, it will have to be set to false. Hopefully those are not so common nowadays.

Normally there is no need to change the keystore, most root certificates included in browsers are also included in the JVM.