Opened 4 years ago

Closed 4 years ago

#1023 closed defect (invalid)

SNI problem with nginx and apache httpclient

Reported by: proeatalk@… Owned by:
Priority: major Milestone:
Component: nginx-core Version: 1.10.x
Keywords: Cc: proeatalk@…
uname -a: Linux srv02.lets.by 2.6.32-573.18.1.el6.x86_64 #1 SMP Tue Feb 9 22:46:17 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.10.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

Description

Using this code causes problems when connecting to an nginx server.
I tried several nginx and Apache servers; this is relevant only for nginx.
While using this code, when the connection to the nginx server is established we get not the requested host but the standard server host.
SNI in this case does not work correctly.

    import java.io.IOException;
    import org.apache.http.HttpResponse;
    import org.apache.http.client.HttpClient;
    import org.apache.http.client.methods.HttpGet;
    import org.apache.http.impl.client.DefaultHttpClient;

    public class Main
    {
        public static void main(String[] args)
        {
            // DefaultHttpClient is the legacy client (deprecated since HttpClient 4.3);
            // whether its ClientHello carries SNI depends on the HttpClient version.
            HttpClient client = new DefaultHttpClient();
            HttpGet request = new HttpGet("https://" + args[0]);
            HttpResponse response = null;

            try
            {
                response = client.execute(request);
            }
            catch (IOException e)
            {
                e.printStackTrace();
                throw new RuntimeException(e);
            }
        }
    }

This code is based on https://bitbucket.org/atlassianlabs/httpclienttest.
In some other Atlassian products the same SNI problem arises, and an issue has already been set up for it there.
But in this case the problem is in nginx with Apache HttpClient.

So,

$ java -Djavax.net.debug=ssl -Djavax.net.ssl.trustStorePassword=tmptmp -Djavax.net.ssl.trustStore=truststore5.ts -jar target/httpclienttest-1.0.jar mail.lets.by
trustStore is: truststore5.ts
trustStore type is : jks
trustStore provider is : 
init truststore
adding as trusted cert:
  Subject: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
  Issuer:  CN=DST Root CA X3, O=Digital Signature Trust Co.
  Algorithm: RSA; Serial number: 0xa0141420000015385736a0b85eca708
  Valid from Thu Mar 17 19:40:46 MSK 2016 until Wed Mar 17 19:40:46 MSK 2021

trigger seeding of SecureRandom
done seeding SecureRandom
main, setSoTimeout(0) called
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1451553807 bytes = { 105, 244, 27, 87, 140, 233, 249, 95, 5, 128, 245, 115, 101, 219, 200, 209, 243, 1, 226, 244, 84, 105, 68, 43, 150, 207, 243, 13 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
main, WRITE: TLSv1.2 Handshake, length = 235
main, READ: TLSv1.2 Handshake, length = 89
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1451553808 bytes = { 177, 236, 117, 43, 227, 249, 170, 228, 137, 45, 79, 199, 97, 129, 68, 46, 192, 235, 66, 14, 102, 173, 131, 113, 32, 236, 119, 241 }
Session ID:  {90, 60, 132, 0, 58, 67, 62, 214, 17, 10, 61, 249, 63, 194, 84, 172, 84, 49, 158, 177, 255, 57, 253, 136, 4, 186, 75, 53, 200, 127, 65, 212}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
***
%% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
main, READ: TLSv1.2 Handshake, length = 2470
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=lets.by
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 20783009961485177170710506621297683459209779147133709805240301929863519988417165967795600086886120890077580015376128550146056475941455664327361234391889715360640500380663690718540401902985281507743861264338565773494671786315495904365037279635786432067204662175281925501671560337259811374373711157735591096522391469639894998962734294232454831121415485906820610888019794441145518663923852472257534778307922938910419873659638694812225612783033473051694557253915668561092725908871566538660691889731184979064503106745461548453619047586660263687052739899219210981680497015983219570344034493155867831865168412586160979156569
  public exponent: 65537
  Validity: [From: Mon Jul 11 22:05:00 MSK 2016,
               To: Sun Oct 09 22:05:00 MSK 2016]
  Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
  SerialNumber: [    031d749b 0b28f38a 4b270590 f2fbe28d 3c23]

Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.int-x3.letsencrypt.org/
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://cert.int-x3.letsencrypt.org/
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A8 4A 6A 63 04 7D DD BA   E6 D1 39 B7 A6 45 65 EF  .Jjc......9..Ee.
0010: F3 A8 EC A1                                        ....
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[4]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
  [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1A 68 74 74 70 3A 2F   2F 63 70 73 2E 6C 65 74  ..http://cps.let
0010: 73 65 6E 63 72 79 70 74   2E 6F 72 67              sencrypt.org

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 81 9E 0C 81 9B 54 68   69 73 20 43 65 72 74 69  0.....This Certi
0010: 66 69 63 61 74 65 20 6D   61 79 20 6F 6E 6C 79 20  ficate may only 
0020: 62 65 20 72 65 6C 69 65   64 20 75 70 6F 6E 20 62  be relied upon b
0030: 79 20 52 65 6C 79 69 6E   67 20 50 61 72 74 69 65  y Relying Partie
0040: 73 20 61 6E 64 20 6F 6E   6C 79 20 69 6E 20 61 63  s and only in ac
0050: 63 6F 72 64 61 6E 63 65   20 77 69 74 68 20 74 68  cordance with th
0060: 65 20 43 65 72 74 69 66   69 63 61 74 65 20 50 6F  e Certificate Po
0070: 6C 69 63 79 20 66 6F 75   6E 64 20 61 74 20 68 74  licy found at ht
0080: 74 70 73 3A 2F 2F 6C 65   74 73 65 6E 63 72 79 70  tps://letsencryp
0090: 74 2E 6F 72 67 2F 72 65   70 6F 73 69 74 6F 72 79  t.org/repository
00A0: 2F                                                 /

]]  ]
]

[5]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[7]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: lets.by
  DNSName: www.lets.by
]

[8]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: FF 41 64 B0 7C 15 9A 9A   59 BA AA 7C F4 1B A4 D4  .Ad.....Y.......
0010: 75 77 61 9D                                        uwa.
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 6D 16 3F E4 10 C0 6D 3F   94 A9 1B BA 03 26 8C A3  m.?...m?.....&..
0010: 1C A5 FE 96 1C B4 06 8B   9A BF E0 8F 71 52 1D 0F  ............qR..
0020: A5 F7 C1 6C E1 A7 2F 28   BB D9 3B 99 FD 55 08 D1  ...l../(..;..U..
0030: AE 3E 0D 31 81 94 85 32   60 FF 69 3C BC B3 EC C3  .>.1...2`.i<....
0040: CA 9F 64 B1 1C 83 02 E5   7B CD 35 FB 25 72 AC 45  ..d.......5.%r.E
0050: 4D 43 EE D1 3A 70 DE 93   1A 30 87 BF E4 66 14 CF  MC..:p...0...f..
0060: 12 58 94 C1 BD AB 41 86   D4 F2 55 94 59 D9 67 15  .X....A...U.Y.g.
0070: 4E 03 E5 BF 53 C2 32 73   A2 59 E7 47 7E 82 89 0C  N...S.2s.Y.G....
0080: 16 B2 58 3C 4B A6 51 12   FD 27 5F 0F 14 52 C7 27  ..X<K.Q..'_..R.'
0090: 18 A9 A8 0F 12 78 72 34   77 35 FF 8A EB 3D F1 0F  .....xr4w5...=..
00A0: 2F 14 64 64 8D 64 23 B2   63 78 F7 A6 D8 CF 31 2A  /.dd.d#.cx....1*
00B0: 49 8D 38 FA E2 F4 93 FD   32 F4 D4 9D B3 CC E0 20  I.8.....2...... 
00C0: DC 97 CA 51 49 4F EB 45   6C 48 50 13 B3 FF 83 44  ...QIO.ElHP....D
00D0: 13 B6 3B 44 CD A9 EF 4A   AF F1 E2 38 EE 5E B3 ED  ..;D...J...8.^..
00E0: FD 3B 2F 9C DD 5C 24 4C   7B CF AD 0A 01 7F ED FC  .;/..\$L........
00F0: 5C E4 EA 24 4B CC DF A7   4F 6B 7B FB 48 B0 5F 41  \..$K...Ok..H._A

]
chain [1] = [
[
  Version: V3
  Subject: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 19797248476075437682355852246492227182925025209894527646389863306257272162327717438476096960751529894413137923782807258828237626757946953550223743258656059351948211427799114263948499232121738590221774214131983890556391436336270214266656447169277800971416884432628642288505627878176138101439755752196484972290641499489076846352390454201028735981960275647482014359370041238010607728611828345534572152635280172155598035959878659370929022966413402097129857505568509453268467065766156311136296802046438183697980908977865999500405760226706893415483460747503705792669060406182022181441316967415301631965711690685520847684499
  public exponent: 65537
  Validity: [From: Thu Mar 17 19:40:46 MSK 2016,
               To: Wed Mar 17 19:40:46 MSK 2021]
  Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
  SerialNumber: [    0a014142 00000153 85736a0b 85eca708]

Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://isrg.trustid.ocsp.identrust.com
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://apps.identrust.com/roots/dstrootcax3.p7c
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C4 A7 B1 A4 7B 2C 71 FA   DB E1 4B 90 75 FF C4 15  .....,q...K.u...
0010: 60 85 89 10                                        `...
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.identrust.com/DSTROOTCAX3CRL.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
  [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 22 68 74 74 70 3A 2F   2F 63 70 73 2E 72 6F 6F  ."http://cps.roo
0010: 74 2D 78 31 2E 6C 65 74   73 65 6E 63 72 79 70 74  t-x1.letsencrypt
0020: 2E 6F 72 67                                        .org

]]  ]
]

[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A8 4A 6A 63 04 7D DD BA   E6 D1 39 B7 A6 45 65 EF  .Jjc......9..Ee.
0010: F3 A8 EC A1                                        ....
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: DD 33 D7 11 F3 63 58 38   DD 18 15 FB 09 55 BE 76  .3...cX8.....U.v
0010: 56 B9 70 48 A5 69 47 27   7B C2 24 08 92 F1 5A 1F  V.pH.iG'..$...Z.
0020: 4A 12 29 37 24 74 51 1C   62 68 B8 CD 95 70 67 E5  J.)7$tQ.bh...pg.
0030: F7 A4 BC 4E 28 51 CD 9B   E8 AE 87 9D EA D8 BA 5A  ...N(Q.........Z
0040: A1 01 9A DC F0 DD 6A 1D   6A D8 3E 57 23 9E A6 1E  ......j.j.>W#...
0050: 04 62 9A FF D7 05 CA B7   1F 3F C0 0A 48 BC 94 B0  .b.......?..H...
0060: B6 65 62 E0 C1 54 E5 A3   2A AD 20 C4 E9 E6 BB DC  .eb..T..*. .....
0070: C8 F6 B5 C3 32 A3 98 CC   77 A8 E6 79 65 07 2B CB  ....2...w..ye.+.
0080: 28 FE 3A 16 52 81 CE 52   0C 2E 5F 83 E8 D5 06 33  (.:.R..R.._....3
0090: FB 77 6C CE 40 EA 32 9E   1F 92 5C 41 C1 74 6C 5B  .wl.@.2...\A.tl[
00A0: 5D 0A 5F 33 CC 4D 9F AC   38 F0 2F 7B 2C 62 9D D9  ]._3.M..8./.,b..
00B0: A3 91 6F 25 1B 2F 90 B1   19 46 3D F6 7E 1B A6 7A  ..o%./...F=....z
00C0: 87 B9 A3 7A 6D 18 FA 25   A5 91 87 15 E0 F2 16 2F  ...zm..%......./
00D0: 58 B0 06 2F 2C 68 26 C6   4B 98 CD DA 9F 0C F9 7F  X../,h&.K.......
00E0: 90 ED 43 4A 12 44 4E 6F   73 7A 28 EA A4 AA 6E 7B  ..CJ.DNosz(...n.
00F0: 4C 7D 87 DD E0 C9 02 44   A7 87 AF C3 34 5B B4 42  L......D....4[.B

]
***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 19797248476075437682355852246492227182925025209894527646389863306257272162327717438476096960751529894413137923782807258828237626757946953550223743258656059351948211427799114263948499232121738590221774214131983890556391436336270214266656447169277800971416884432628642288505627878176138101439755752196484972290641499489076846352390454201028735981960275647482014359370041238010607728611828345534572152635280172155598035959878659370929022966413402097129857505568509453268467065766156311136296802046438183697980908977865999500405760226706893415483460747503705792669060406182022181441316967415301631965711690685520847684499
  public exponent: 65537
  Validity: [From: Thu Mar 17 19:40:46 MSK 2016,
               To: Wed Mar 17 19:40:46 MSK 2021]
  Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
  SerialNumber: [    0a014142 00000153 85736a0b 85eca708]

Certificate Extensions: 7
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://isrg.trustid.ocsp.identrust.com
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://apps.identrust.com/roots/dstrootcax3.p7c
]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C4 A7 B1 A4 7B 2C 71 FA   DB E1 4B 90 75 FF C4 15  .....,q...K.u...
0010: 60 85 89 10                                        `...
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.identrust.com/DSTROOTCAX3CRL.crl]
]]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
  [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 22 68 74 74 70 3A 2F   2F 63 70 73 2E 72 6F 6F  ."http://cps.roo
0010: 74 2D 78 31 2E 6C 65 74   73 65 6E 63 72 79 70 74  t-x1.letsencrypt
0020: 2E 6F 72 67                                        .org

]]  ]
]

[6]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

[7]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A8 4A 6A 63 04 7D DD BA   E6 D1 39 B7 A6 45 65 EF  .Jjc......9..Ee.
0010: F3 A8 EC A1                                        ....
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: DD 33 D7 11 F3 63 58 38   DD 18 15 FB 09 55 BE 76  .3...cX8.....U.v
0010: 56 B9 70 48 A5 69 47 27   7B C2 24 08 92 F1 5A 1F  V.pH.iG'..$...Z.
0020: 4A 12 29 37 24 74 51 1C   62 68 B8 CD 95 70 67 E5  J.)7$tQ.bh...pg.
0030: F7 A4 BC 4E 28 51 CD 9B   E8 AE 87 9D EA D8 BA 5A  ...N(Q.........Z
0040: A1 01 9A DC F0 DD 6A 1D   6A D8 3E 57 23 9E A6 1E  ......j.j.>W#...
0050: 04 62 9A FF D7 05 CA B7   1F 3F C0 0A 48 BC 94 B0  .b.......?..H...
0060: B6 65 62 E0 C1 54 E5 A3   2A AD 20 C4 E9 E6 BB DC  .eb..T..*. .....
0070: C8 F6 B5 C3 32 A3 98 CC   77 A8 E6 79 65 07 2B CB  ....2...w..ye.+.
0080: 28 FE 3A 16 52 81 CE 52   0C 2E 5F 83 E8 D5 06 33  (.:.R..R.._....3
0090: FB 77 6C CE 40 EA 32 9E   1F 92 5C 41 C1 74 6C 5B  .wl.@.2...\A.tl[
00A0: 5D 0A 5F 33 CC 4D 9F AC   38 F0 2F 7B 2C 62 9D D9  ]._3.M..8./.,b..
00B0: A3 91 6F 25 1B 2F 90 B1   19 46 3D F6 7E 1B A6 7A  ..o%./...F=....z
00C0: 87 B9 A3 7A 6D 18 FA 25   A5 91 87 15 E0 F2 16 2F  ...zm..%......./
00D0: 58 B0 06 2F 2C 68 26 C6   4B 98 CD DA 9F 0C F9 7F  X../,h&.K.......
00E0: 90 ED 43 4A 12 44 4E 6F   73 7A 28 EA A4 AA 6E 7B  ..CJ.DNosz(...n.
00F0: 4C 7D 87 DD E0 C9 02 44   A7 87 AF C3 34 5B B4 42  L......D....4[.B

]
main, READ: TLSv1.2 Handshake, length = 333
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 77163766975699340803130404757460160701910836844720632649573046889351170335745
  public y coord: 50920701878508358601042260478698731068740060139884881369139865111276453161320
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
main, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value:  { 4, 10, 219, 202, 167, 58, 255, 242, 120, 167, 133, 241, 153, 252, 21, 202, 26, 162, 69, 216, 132, 74, 35, 141, 36, 69, 131, 181, 156, 192, 242, 176, 153, 84, 45, 158, 207, 210, 90, 11, 240, 79, 247, 70, 202, 216, 79, 80, 200, 84, 158, 13, 119, 15, 145, 178, 12, 21, 20, 16, 190, 67, 12, 168, 193 }
main, WRITE: TLSv1.2 Handshake, length = 70
SESSION KEYGEN:
PreMaster Secret:
0000: 66 97 DE 7F 58 5F 4E BB   BE C2 8C 7A 7B 46 BC F6  f...X_N....z.F..
0010: 62 B3 28 EC 43 52 B5 87   14 43 8D EF 96 71 E9 5C  b.(.CR...C...q.\
CONNECTION KEYGEN:
Client Nonce:
0000: 57 85 F4 0F 69 F4 1B 57   8C E9 F9 5F 05 80 F5 73  W...i..W..._...s
0010: 65 DB C8 D1 F3 01 E2 F4   54 69 44 2B 96 CF F3 0D  e.......TiD+....
Server Nonce:
0000: 57 85 F4 10 B1 EC 75 2B   E3 F9 AA E4 89 2D 4F C7  W.....u+.....-O.
0010: 61 81 44 2E C0 EB 42 0E   66 AD 83 71 20 EC 77 F1  a.D...B.f..q .w.
Master Secret:
0000: D0 7C 8B DC 17 F4 FA 8F   ED A5 5A 51 7C 0C 1A 83  ..........ZQ....
0010: 0A B7 F3 D2 1B A1 2E 09   64 75 31 26 E7 B2 D0 22  ........du1&..."
0020: DF C3 3A A1 EF 98 4F FE   4A 6F A3 63 61 68 52 7D  ..:...O.Jo.cahR.
... no MAC keys used for this cipher
Client write key:
0000: A0 6A 7B DF 61 C2 A7 AD   A2 0A E5 92 40 72 38 C3  .j..a.......@r8.
0010: 40 5D 36 BF 9D 39 9B E9   BD 87 07 86 7A 5C 06 99  @]6..9......z\..
Server write key:
0000: D7 BB 6C E5 40 55 21 91   AE 20 37 AF DD 10 F8 33  ..l.@U!.. 7....3
0010: E6 E0 CB 4D CE 76 D3 00   2B AC 54 4C 1D D2 64 3E  ...M.v..+.TL..d>
Client write IV:
0000: 43 E6 02 2B                                        C..+
Server write IV:
0000: E9 51 B0 E0                                        .Q..
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 193, 102, 229, 230, 94, 16, 63, 213, 69, 233, 72, 12 }
***
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Change Cipher Spec, length = 1
main, READ: TLSv1.2 Handshake, length = 40
*** Finished
verify_data:  { 187, 143, 98, 101, 187, 34, 197, 185, 41, 170, 85, 22 }
***
%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
main, called close()
main, called closeInternal(true)
main, SEND TLSv1.2 ALERT:  warning, description = close_notify
main, WRITE: TLSv1.2 Alert, length = 26
main, called closeSocket(true)
main, called close()
main, called closeInternal(true)
javax.net.ssl.SSLException: Certificate for <mail.lets.by> doesn't match any of the subject alternative names: [lets.by, www.lets.by]
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:165)
	at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:61)
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:141)
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:114)
	at org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:580)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:412)
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:179)
	at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:328)
	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:612)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:447)
	at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:884)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
	at com.atlassianlabs.sslclient.Main.main(Main.java:57)
Exception in thread "main" java.lang.RuntimeException: javax.net.ssl.SSLException: Certificate for <mail.lets.by> doesn't match any of the subject alternative names: [lets.by, www.lets.by]
	at com.atlassianlabs.sslclient.Main.main(Main.java:62)
Caused by: javax.net.ssl.SSLException: Certificate for <mail.lets.by> doesn't match any of the subject alternative names: [lets.by, www.lets.by]
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:165)
	at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:61)
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:141)
	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:114)
	at org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:580)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:412)
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:179)
	at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:328)
	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:612)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:447)
	at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:884)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
	at com.atlassianlabs.sslclient.Main.main(Main.java:57)

While we expect data from the host *mail.lets.by*, we get data from *lets.by* (lets.by is the *default* host on the server: a connection without SNI, or directly over IP, opens the default host).

Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=lets.by

But we expect data from the host *mail.lets.by*.

We get an error:

Caused by: javax.net.ssl.SSLException: Certificate for <mail.lets.by> doesn't match any of the subject alternative names: [lets.by, www.lets.by]

To verify that the certificates are installed correctly:

$ openssl s_client -showcerts -connect mail.lets.by:443 -servername mail.lets.by </dev/null
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=mail.lets.by
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=mail.lets.by
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3152 bytes and written 442 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: ...
    Session-ID-ctx: 
    Master-Key: ...
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 900 (seconds)
    TLS session ticket: ...
    Start Time: 1468397094
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
DONE

And without "-servername":

$ openssl s_client -showcerts -connect mail.lets.by:443  </dev/null
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=lets.by
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=lets.by
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3135 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E95CA6A82D0BC7E850E621BFDD02D51A292BDB81C345FF18C2045B9CC2BEE7FA
    Session-ID-ctx: 
    Master-Key: D851E65E6E71BE4E6A8368EC5AC896FBC0BC03A1BECF16C236CF1799606ABE9699D24DC8D93BE0960D3FFFB6963DB84B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 900 (seconds)
    TLS session ticket:
    0000 - cf 6c 75 ab 6c 6f 97 da-2f 75 c0 ed 93 a1 aa 0d   .lu.lo../u......
    0010 - 35 c2 7f 07 59 ab ae fd-1e 3b 09 b7 f5 5f df f3   5...Y....;..._..
    0020 - 87 8a 28 fa 05 b8 d0 f7-0c ce f0 14 f9 a6 e1 14   ..(.............
    0030 - b0 8a 5e 7d 38 a4 49 90-88 ec 73 22 72 c3 2c 0a   ..^}8.I...s"r.,.
    0040 - 0c 90 39 78 46 46 a4 b3-98 ef a8 c3 c4 c8 04 d4   ..9xFF..........
    0050 - 26 da d2 eb d7 6f c5 ab-7c 02 95 9e 01 f5 16 f8   &....o..|.......
    0060 - 54 33 96 6f 92 e2 7e f3-bd 4c 7c 27 3d 34 25 51   T3.o..~..L|'=4%Q
    0070 - 1e 34 1e 21 a9 61 3e 40-4a e3 a6 39 c8 ed ab 23   .4.!.a>@J..9...#
    0080 - 28 59 5c 84 cd 95 a8 79-be 64 2a c4 7e 9a 34 32   (Y\....y.d*.~.42
    0090 - 90 05 7c 5e c9 0f eb 44-20 75 48 65 53 8f 2f 0d   ..|^...D uHeS./.
    00a0 - 75 28 87 48 18 66 86 75-82 f5 b3 e5 3c df c5 ad   u(.H.f.u....<...

    Start Time: 1468397202
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
DONE

The truststore contains only one certificate: Let's Encrypt Authority X3 (IdenTrust cross-signed), https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem | https://letsencrypt.org/certificates/

wget https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
keytool -import -file lets-encrypt-x3-cross-signed.pem -alias letsencrypt -keystore truststore5.ts -storepass tmptmp

  • Can you say whether it is a problem in nginx or in Apache HttpClient?
  • I tested it on different web servers. The problem is relevant only for the nginx server (different versions of nginx were tried).

Change History (2)

comment:1 by proeatalk@…, 4 years ago

With Apache HttpClient 4.5.3-SNAPSHOT the problem is solved!
I built version 4.5.3 from GitHub and recompiled the jar. No problem! Everything works correctly.

comment:2 by Maxim Dounin, 4 years ago

Resolution: invalid
Status: new → closed

This doesn't look like a problem in nginx. Likely the client you use doesn't support SNI or does not use it by default.

For further questions, please use mail lists. Trac is to track bugs, not to ask questions.
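The behaviour the ticket describes (the description's "default host" observation and the resolution that the client is not sending SNI), reproduced offline as an added example. This is not code from the ticket, from nginx or from Apache HttpClient; it is written in Go because its standard library can stand up both ends of the handshake without any network or external files. A TLS server picks its certificate from the SNI extension the way nginx picks a server block, falling back to a default certificate when the ClientHello has no SNI; a client then probes it once without SNI and once with it, running the same hostname verification a client like HttpClient's BrowserCompatHostnameVerifier would. The names lets.by, www.lets.by and mail.lets.by are reused from the ticket; the certificates are self-signed throwaways generated at run time and are not the Let's Encrypt certificates from the log.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSigned: throwaway self-signed cert for dnsNames (constructed test material, not the ticket's real certs).
func selfSigned(dnsNames ...string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, _ := x509.ParseCertificate(der) // cannot fail for a cert just created
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startServer mimics an nginx listener: the certificate is picked from the SNI
// extension, and a ClientHello without SNI gets the default server's (lets.by).
func startServer(defaultCert, mailCert tls.Certificate) net.Listener {
	cfg := &tls.Config{GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if h.ServerName == "mail.lets.by" {
			return &mailCert, nil
		}
		return &defaultCert, nil
	}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	must(err)
	go func() { // serve handshakes until the listener is closed
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { defer c.Close(); c.(*tls.Conn).Handshake() }(c)
		}
	}()
	return ln
}

// probe connects, sends SNI only when sendSNI is true, and verifies the presented
// certificate against wantHost in a callback, because Go's automatic path ties the
// hostname check to ServerName, which is also what enables SNI (nothing is skipped).
func probe(addr, wantHost string, sendSNI bool, roots *x509.CertPool) (presented []string, err error) {
	cfg := &tls.Config{
		InsecureSkipVerify: true,
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(raw[0])
			if err != nil {
				return err
			}
			presented = leaf.DNSNames
			_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: wantHost})
			return err
		},
	}
	if sendSNI {
		cfg.ServerName = wantHost // Go sends ServerName in the SNI extension
	}
	raw, err := net.Dial("tcp", addr)
	must(err)
	conn := tls.Client(raw, cfg) // tls.Client, not tls.Dial: no ServerName inferred from addr
	defer conn.Close()
	err = conn.Handshake()
	return presented, err
}

// runScenario reproduces the ticket: same host, same server, with and without SNI.
func runScenario() (noSNI, withSNI []string, noSNIErr, withSNIErr error) {
	defaultCert, mailCert := selfSigned("lets.by", "www.lets.by"), selfSigned("mail.lets.by")
	ln := startServer(defaultCert, mailCert)
	defer ln.Close()
	roots := x509.NewCertPool() // trust both test certs, like the reporter's truststore
	roots.AddCert(defaultCert.Leaf)
	roots.AddCert(mailCert.Leaf)
	noSNI, noSNIErr = probe(ln.Addr().String(), "mail.lets.by", false, roots)
	withSNI, withSNIErr = probe(ln.Addr().String(), "mail.lets.by", true, roots)
	return
}

func main() {
	noSNI, withSNI, noSNIErr, withSNIErr := runScenario()
	fmt.Printf("no SNI:   server sent %v, error: %v\nwith SNI: server sent %v, error: %v\n", noSNI, noSNIErr, withSNI, withSNIErr)
}
```

Run it with `go run`: the probe without SNI is handed the lets.by/www.lets.by certificate and its hostname check for mail.lets.by fails, which is the same mismatch the Java stack trace reports; the probe with SNI is handed the mail.lets.by certificate and verifies cleanly. The server never had to misbehave, which is why the right fix is a client that sends SNI (the reporter's HttpClient 4.5.3 build), not a relaxed hostname verifier.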
