Issue
Getting the following error when accessing the Deploy URL:
HTTP ERROR 400 Invalid SNI
URI: https://example-deploy.com:4517/
STATUS: 400
MESSAGE: Invalid SNI
Affected Products & Versions
24.x versions
Cause
The error HTTP ERROR 400 Invalid SNI does not indicate a fault in the application; the application itself is functioning correctly. Deploy versions 24.1 and 24.3 use the third-party Jetty library, which enforces strict SNI (Server Name Indication) checks as a security enhancement: a request is rejected when the host name used to reach the server does not match a name in the server's SSL certificate. This behavior is not a bug in Deploy; it results from updates in the Jetty library that implement stronger security measures.
Workaround/Resolution Action
You should be able to access the application by using the correct domain name registered in the SAN (Subject Alternative Name) field of the SSL certificate issued for the application. Verify the SubjectAlternativeName entry in the application's SSL certificate and use the corresponding domain name to access the application. For example: https://<dns_name>:4517.
To access the application via the load balancer URL, ensure that the load balancer's domain name is included as a SAN (Subject Alternative Name) entry in the SSL certificate for each node. Additionally, import this updated certificate into the keystore on each node to ensure proper SSL validation.
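The SAN verification described above can be scripted before certificates are reissued. The following Python code is an added example, not part of Deploy or Jetty: it reports which access names (node names, load balancer name, IP address) are covered by a certificate's SAN entries. The host names, the IP address and `SAMPLE_CERT` are constructed placeholders, and the matching rule (exact name or single-label wildcard) is an assumption that follows common TLS host-name matching.

```python
import socket
import ssl

def fetch_cert(host, port=4517, cafile=None):
    """Return the server certificate as a getpeercert() dict.

    The chain is verified against cafile (or the system store), but host-name
    checking is off so the SAN list can be read even when `host` is not in it.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def san_entries(cert):
    """Split subjectAltName into lower-cased DNS names and IP addresses."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(value)
    return dns, ips

def covered(name, cert):
    """True if `name` matches a SAN entry (exact, or one-label wildcard)."""
    dns, ips = san_entries(cert)
    name = name.lower().rstrip(".")
    if name in ips or name in dns:
        return True
    _, _, parent = name.partition(".")
    return bool(parent) and ("*." + parent) in dns

def audit(names, cert):
    """Map each candidate access name to whether the certificate covers it."""
    return {n: covered(n, cert) for n in names}

# Constructed sample in the format getpeercert() returns; names are placeholders.
SAMPLE_CERT = {"subjectAltName": (("DNS", "deploy-node1.example.internal"),
                                  ("DNS", "*.apps.example.internal"),
                                  ("IP Address", "192.0.2.10"))}

if __name__ == "__main__":
    wanted = ["deploy-node1.example.internal", "deploy-lb.example.internal",
              "deploy.apps.example.internal", "192.0.2.10"]
    for name, ok in audit(wanted, SAMPLE_CERT).items():
        print(f"{name:35} {'in SAN' if ok else 'MISSING from SAN'}")
```

Against a live node, pass the result of `fetch_cert("<dns_name>", 4517, cafile=...)` in place of `SAMPLE_CERT`. `getpeercert()` only returns parsed fields when the chain verifies, so `cafile` must contain the issuing CA.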
Considerations
Our engineering team will create a feature flag to disable the sniHostCheck within the Deploy configuration. This feature is under development and is expected to be introduced in version 25.1.x of Deploy.