问题描述:
java项目调用微信api的域名接口正常: String wxAccessTokenUrl = "https://api.weixin.qq.com/cgi-bin/token?"; 因项目要求采用ip访问外部服务,所以ping api.weixin.qq.com 得到域名对应的ip为101.91.37.13, 所以替换java调用api接口为:"https://101.91.37.13/cgi-bin/token?";
此时项目代码调用api接口为:"https://101.91.37.13/cgi-bin/token?",发出http请求后报错,内容如下:
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <101.91.37.13> doesn't match any of the subject alternative names: [mp.weixin.qq.com, *.api.weixin.qq.com, *.mp.weixin.qq.com, *.open.weixin.qq.com, *.wechat.com, *.weixin.qq.com, mp.weixinbridge.com, rd.wechatapp.com, servicewechat.com]
解决办法
1. 修改请求的域名/ip,使证书可以覆盖到。
2. 设置证书的SAN,覆盖到请求的域名/ip。
3. 从代码上,要从调用HttpClient的代码入手,单独处理下信任所有证书,关闭主机名校验,就能通过验证了。 代码:
//信任所有证书,关闭主机名校验
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
SSLContexts.custom().loadTrustMaterial(null,new TrustSelfSignedStrategy()).build(),
NoopHostnameVerifier.INSTANCE);
// 创建Httpclient对象
CloseableHttpClient httpclient = HttpClients.custom().setSSLSocketFactory(sslsf).build();
// CloseableHttpClient httpclient = HttpClients.createDefault();
--------------------------------------