Short Moderator Note
According to Kris Jelbring, this should be fixed now:
https://twitter.com/KrisJelbring/status/453589636154421248
It seems that the SSL certificate has a wrong CN entry. So I got the following error while downloading the libraries. This happens when I install a new version of Minecraft.
[18:17:58 WARN]: Couldn't download https://libraries.minecraft.net/tv/twitch/twitch/5.16/twitch-5.16.jar for job 'Version & Libraries'
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching libraries.minecraft.net found.
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.7.0_45]
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884) ~[?:1.7.0_45]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276) ~[?:1.7.0_45]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270) ~[?:1.7.0_45]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341) ~[?:1.7.0_45]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153) ~[?:1.7.0_45]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868) ~[?:1.7.0_45]
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804) ~[?:1.7.0_45]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016) ~[?:1.7.0_45]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312) ~[?:1.7.0_45]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339) ~[?:1.7.0_45]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323) ~[?:1.7.0_45]
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) ~[?:1.7.0_45]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[?:1.7.0_45]
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300) ~[?:1.7.0_45]
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:468) ~[?:1.7.0_45]
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338) ~[?:1.7.0_45]
at net.minecraft.launcher.updater.download.ChecksummedDownloadable.download(ChecksummedDownloadable.java:49) ~[launcher.jar:?]
at net.minecraft.launcher.updater.download.DownloadJob.popAndDownload(DownloadJob.java:108) [launcher.jar:?]
at net.minecraft.launcher.updater.download.DownloadJob.access$000(DownloadJob.java:12) [launcher.jar:?]
at net.minecraft.launcher.updater.download.DownloadJob$1.run(DownloadJob.java:89) [launcher.jar:?]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [?:1.7.0_45]
at java.util.concurrent.FutureTask.run(FutureTask.java:262) [?:1.7.0_45]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [?:1.7.0_45]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [?:1.7.0_45]
at java.lang.Thread.run(Thread.java:744) [?:1.7.0_45]
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching libraries.minecraft.net found.
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:191) ~[?:1.7.0_45]
at sun.security.util.HostnameChecker.match(HostnameChecker.java:93) ~[?:1.7.0_45]
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:347) ~[?:1.7.0_45]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:203) ~[?:1.7.0_45]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126) ~[?:1.7.0_45]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323) ~[?:1.7.0_45]
... 21 more
After I checked it with openssl, you can see that the CN of the certificate is wrong. It's a wildcard certificate for CN=*.cloudfront.net.
~ ᐅ openssl s_client -showcerts -connect libraries.minecraft.net:443
CONNECTED(00000003)
depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.cloudfront.net
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.cloudfront.net
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
---
No client certificate CA names sent
---
SSL handshake has read 3501 bytes and written 440 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: A2B04D7C717B05547E18132F2CA6818934991A9F8D5A14DDF03753F5DB8E37D1
Session-ID-ctx:
Master-Key: B6BBAA4367D9F1DD528AA67022A035C28B6AF10FC1EEB1D12226D3C25511A66CC52ECD3D6A6F32158E559F837E8C9FFB
Key-Arg : None
Start Time: 1396975068
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
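The name check that fails in the report above, as an added example (not part of the original report and not the launcher's or the JDK's code): it reads the leaf subject line from the two s_client captures on this page and applies RFC 6125-style wildcard matching to libraries.minecraft.net. The helper names and the assumed SAN list (the wildcard plus its apex domain) are illustrative assumptions.

```python
import re

# Constructed sample: the leaf-certificate subject lines from the two
# `openssl s_client` outputs on this page (before and after the fix).
BEFORE = " 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.cloudfront.net"
AFTER = " 0 s:/C=SE/ST=Stockholm/L=Stockholm/O=Mojang AB/CN=*.minecraft.net"


def leaf_cn(chain_line):
    """Extract the CN from an OpenSSL one-line subject ('0 s:/C=.../CN=...')."""
    m = re.search(r"^\s*0\s+s:.*?/CN=([^/\s]+)", chain_line)
    return m.group(1) if m else None


def name_matches(pattern, hostname):
    """RFC 6125-style match: '*' is only honoured as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and needs at least two
        # literal labels after it, so '*.net' is rejected.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def check_identity(hostname, dns_names):
    """Return the first presented name that covers hostname, else None."""
    for name in dns_names:
        if name_matches(name, hostname):
            return name
    return None


def diagnose(hostname, chain_line):
    cn = leaf_cn(chain_line)
    if cn is None:
        return None
    # Assumption: the SAN list holds the wildcard from the CN plus its apex
    # domain; the captures only show the subject, not the SAN extension.
    names = [cn, cn[2:]] if cn.startswith("*.") else [cn]
    return check_identity(hostname, names)


if __name__ == "__main__":
    host = "libraries.minecraft.net"
    for label, line in (("before", BEFORE), ("after", AFTER)):
        print(label, leaf_cn(line), "->", diagnose(host, line) or "NO MATCH")
```

By default openssl s_client does not compare the certificate names with the host passed to -connect, so the mismatch has to be read off the subject line, as the reporter did.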
Comments 5
I can confirm that it is solved.
/Volumes/Data/Development/minecraft/launcher/run/Instances/Ozelotdev/Flan (master ✔) ᐅ openssl s_client -showcerts -connect libraries.minecraft.net:443
CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=SE/ST=Stockholm/L=Stockholm/O=Mojang AB/CN=*.minecraft.net
i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
The CN is now correct.
I have the same problem! Please fix soon!!