I'm using Apache HttpClient 4.5.2 to make CloudKit Web API requests. When I send requests to the CloudKit endpoint URL (https://api.apple-cloudkit.com/[...]), I get the following error:
javax.net.ssl.SSLException: Certificate for <api.apple-cloudkit.com> doesn't match any of the subject alternative names: [*.icloud.com]
I'm no expert on SSL, but it looks like Apple is serving a certificate for api.apple-cloudkit.com that's only valid for *.icloud.com. Am I understanding that right?
Or if the certificate is correct, then why is HttpClient complaining?
It looks like the library you use or the underlying platform does not support Server Name Indication (SNI). Without SNI you get:
$ openssl s_client -connect api.apple-cloudkit.com:443 | openssl x509 -text
...
Subject: CN=*.icloud.com,
But when using SNI you get a different certificate:
$ openssl s_client -connect api.apple-cloudkit.com:443 \
-servername api.apple-cloudkit.com | openssl x509 -text
...
Subject: ...CN=cdn.apple-cloudkit.com
X509v3 Subject Alternative Name:
DNS:api.apple-cloudkit.com, DNS:cdn.apple-cloudkit.com
Older versions of the Apache HttpClient library are known to lack support for SNI, so make sure you use a recent version.
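The hostname check that produces the error in the question, re-implemented as an added example (not code from the question, the answer, or HttpClient) and run against the two SAN lists the answer quotes: the `*.icloud.com` certificate served without SNI cannot cover api.apple-cloudkit.com, while the certificate served with SNI does. `fetch_sans` is a live probe equivalent to the two openssl commands and assumes network access; it is not needed for the offline comparison.

```python
import socket
import ssl

# SANs copied from the answer: without SNI Apple serves the *.icloud.com
# certificate, with SNI the cdn.apple-cloudkit.com one.
SANS_WITHOUT_SNI = ["*.icloud.com"]
SANS_WITH_SNI = ["api.apple-cloudkit.com", "cdn.apple-cloudkit.com"]

def dns_name_matches(pattern, hostname):
    """RFC 6125-style match of one dNSName SAN against a hostname. A wildcard
    is honoured only as the whole leftmost label and matches exactly one label,
    so *.icloud.com covers www.icloud.com but neither api.apple-cloudkit.com
    (different suffix) nor a.b.icloud.com (two labels)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" in pattern:
        # only a bare "*" as the entire leftmost label, and never a *.tld pattern
        if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def certificate_covers(hostname, sans):
    """Return the SAN entry that matches hostname, or None. The None case is
    exactly what HttpClient reports as "doesn't match any of the subject
    alternative names"."""
    for san in sans:
        if dns_name_matches(san, hostname):
            return san
    return None

def fetch_sans(host, port=443, use_sni=True):
    """Live probe (needs network): the dNSName SANs of the certificate the server
    presents with or without SNI, the equivalent of the two openssl commands."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; we match the names ourselves
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if use_sni else None) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

if __name__ == "__main__":
    for use_sni in (False, True):  # offline: use SANS_WITHOUT_SNI / SANS_WITH_SNI instead
        sans = fetch_sans("api.apple-cloudkit.com", use_sni=use_sni)
        print(f"SNI={use_sni}: {sans} -> {certificate_covers('api.apple-cloudkit.com', sans)}")
```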