javasslokhttpappium-androidremotewebdriver

Unable to create a new remote session. Hostname (IP_ADDRESS) not verified


I have an Appium instance hosted on a remote server. It is able to connect and execute tests on older version of Appium i.e. java-client 4.1.2 which is pretty old. I was trying to upgrade my Appium java-client version to 7.3.0, but I keep running into subjected error. Now I have read few answers here on how to get around this like

javax.net.ssl.SSLPeerUnverifiedException: Hostname not verified:

OkHttp javax.net.ssl.SSLPeerUnverifiedException: Hostname domain.com not verified

I also read some blog posts and created a certificate which has SAN (subject alternate name). I have verified that SAN is being reflected correctly and I see it under the exception. Another solution is to override the hostname verification part but since the HTTP URL connection is being done via Selenium remote driver dependencies I cannot do this either.

Exception stack trace

Exception in thread "main" org.openqa.selenium.SessionNotCreatedException: Unable to create a new remote session. Original error: Hostname IP_ADDRESS not verified:
certificate: sha256/qBxa5dCkXQoyg8GE54564120O+oBGYRHFZI8=
DN: CN=IP_ADDRESS, O=org_name, L=location, ST=state, C=country
subjectAltNames: [IP_ADDRESS]

Driver info: driver.version: AndroidDriver
    at io.appium.java_client.remote.AppiumCommandExecutor$1.createSession(AppiumCommandExecutor.java:208)
    at io.appium.java_client.remote.AppiumCommandExecutor.createSession(AppiumCommandExecutor.java:217)
    at io.appium.java_client.remote.AppiumCommandExecutor.execute(AppiumCommandExecutor.java:239)
    at org.openqa.selenium.remote.RemoteWebDriver.execute(RemoteWebDriver.java:577)
    at org.openqa.selenium.remote.RemoteWebDriver.startSession(RemoteWebDriver.java:211)
    at io.appium.java_client.AppiumDriver.startSession(AppiumDriver.java:336)
    at org.openqa.selenium.remote.RemoteWebDriver.<init>(RemoteWebDriver.java:131)
    at io.appium.java_client.DefaultGenericMobileDriver.<init>(DefaultGenericMobileDriver.java:37)
    at io.appium.java_client.AppiumDriver.<init>(AppiumDriver.java:88)
    at io.appium.java_client.AppiumDriver.<init>(AppiumDriver.java:98)
    at io.appium.java_client.android.AndroidDriver.<init>(AndroidDriver.java:94)
    at com.quantum.java.pages.Galaxy8Calculator.main(Galaxy8Calculator.java:43)
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at io.appium.java_client.remote.AppiumCommandExecutor$1.createSession(AppiumCommandExecutor.java:186)
    ... 11 more
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Hostname IP_ADDRESS not verified:
    certificate: sha256/qBxa5dCkXQoyg8GE54564120O+oBGYRHFZI8=
    DN: CN=IP_ADDRESS, O=org_name, L=location, ST=state, C=country
    subjectAltNames: [IP_ADDRESS]
    at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:350)
    at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
    at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
    at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
    at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:107)
    at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:87)
    at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:162)
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:221)
    at okhttp3.RealCall.execute(RealCall.java:81)
    at org.openqa.selenium.remote.internal.OkHttpClient.execute(OkHttpClient.java:57)
    at org.openqa.selenium.remote.ProtocolHandshake.createSession(ProtocolHandshake.java:105)
    ... 16 more 

Here's the version of dependencies that I think matter

Appium java-client 7.3.0
Selenium selenium-java 3.141.59

I have also tried setting setAcceptInsecureCerts() capability to true when making a connection to no avail. Please let me know if anyone has any insights in this.

Here are the self signed certificate contents

verify OK
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=C, ST=st, L=loc, O=org, CN=IP_ADDRESS
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:d0:xyz
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:IP_ADDRESS
    Signature Algorithm: sha256WithRSAEncryption
         52:e5:xyz

Solution

  • Can you print out how you generated the certificate? Or print out it's details. Is it possible you are somehow encoding the IP address as a DNS SAN value? They are typed inside the certificate (the DNS: prefix).

    openssl x509 -in a.pem -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                0c:b0:23:11:94:77:2a:a0:8e:76:5a:76:82:c9:ad:eb
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA
            Validity
                Not Before: Mar 26 00:00:00 2020 GMT
                Not After : Mar 25 12:00:00 2021 GMT
            Subject: C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=lon3, CN=api.twitter.com
    ...
                X509v3 Subject Alternative Name:
                    DNS:api.twitter.com