
'Hostname/IP does not match certificate' error when proxying HTTPS via HTTP (CONNECT) proxy #83

@christopherjturner

After upgrading global agent from 3.0.0 to 4.1.3, HTTPS calls made through an HTTP proxy (using a CONNECT tunnel) fail due to the certs not matching the hostname.

Client request error: Hostname/IP does not match certificate's altnames: Host: localhost. is not in the cert's altnames: DNS:github.com, DNS:www.github.com

It feels like the secureEndpoint flag isn't being set correctly in this scenario, so the servername in the TLS options is never set?

Steps to reproduce:

  1. Start an HTTP proxy on localhost:3128 (https://opensource.saucelabs.com/forwarder/)
  2. Set GLOBAL_AGENT_HTTP_PROXY=http://127.0.0.1:3128
  3. Call bootstrap()
  4. Make an HTTPS call: await Wreck.get('https://www.github.com')
  5. Call fails with Client request error: Hostname/IP does not match certificate's altnames: Host: localhost. is not in the cert's altnames: DNS:github.com, DNS:www.github.com

Trace logs

Trace: {
  destination: 'https://www.github.com/',
  proxy: 'http://127.0.0.1:3128',
  requestId: 1
} proxying request
    at Object.trace (***/node_modules/global-agent/dist/Logger.js:47:25)
    at BoundHttpsProxyAgent.addRequest (***/node_modules/global-agent/dist/classes/Agent.js:125:13)
    at new ClientRequest (node:_http_client:404:16)
    at request (node:https:633:10)
    at Object.request (***/node_modules/global-agent/dist/utilities/bindHttpMethod.js:47:20)
    at internals.Client._request (***/node_modules/@hapi/wreck/lib/index.js:186:28)
    at internals.Client.request (***/node_modules/@hapi/wreck/lib/index.js:76:26)
    at internals.Client._shortcut (***/node_modules/@hapi/wreck/lib/index.js:549:32)
    at internals.Client.get (***/node_modules/@hapi/wreck/lib/index.js:524:21)
    at handler (***/src/api/example/controllers/proxy-controller.js:6:51)
    at exports.Manager.execute (***/node_modules/@hapi/hapi/lib/toolkit.js:57:29)
    at internals.handler (***/node_modules/@hapi/hapi/lib/handler.js:46:48)
    at exports.execute (***/node_modules/@hapi/hapi/lib/handler.js:31:36)
    at Request._lifecycle (***/node_modules/@hapi/hapi/lib/request.js:370:68)
    at process.processTicksAndRejections (node:internal/process/task_queues:103:5)
    at async Request._execute (***/node_modules/@hapi/hapi/lib/request.js:280:9)
Trace: {
  target: {
    host: 'www.github.com',
    port: 443,
    proxy: { authorization: null, hostname: '127.0.0.1', port: 3128 },
    tls: {}
  }
} connecting
    at Object.trace (***/node_modules/global-agent/dist/Logger.js:47:25)
    at ***/node_modules/global-agent/dist/classes/Agent.js:180:17
    at Socket.<anonymous> (/***/node_modules/global-agent/dist/classes/HttpsProxyAgent.js:36:13)
    at Object.onceWrapper (node:events:623:26)
    at Socket.emit (node:events:508:28)
    at Socket.emit (node:domain:489:12)
    at addChunk (node:internal/streams/readable:559:12)
    at readableAddChunkPushByteMode (node:internal/streams/readable:510:3)
    at Readable.push (node:internal/streams/readable:390:5)
    at TCP.onStreamRead (node:internal/stream_base_commons:189:23)
created socket undefined
{
  error: {
    code: 'ERR_TLS_CERT_ALTNAME_INVALID',
    reason: "Host: localhost. is not in the cert's altnames: DNS:github.com, DNS:www.github.com",
    host: 'localhost',
    cert: {
      subject: [Object],
      issuer: [Object],
      subjectaltname: 'DNS:github.com, DNS:www.github.com',
      infoAccess: [Object],
      ca: false,
      modulus: undefined,
      exponent: undefined,
      pubkey: '[object Buffer]',
      bits: 256,
      valid_from: 'Mar  6 00:00:00 2026 GMT',
      valid_to: 'Jun  3 23:59:59 2026 GMT',
      fingerprint: 'AB:58:EA:12:8B:A9:2C:A6:9A:31:B3:6B:4E:54:56:53:EE:D2:A6:CF',
      fingerprint256: '97:16:D3:94:41:CA:65:1C:51:BE:78:E9:69:CA:38:5E:C2:13:EC:17:71:5B:8C:91:F0:1E:E6:52:F9:0F:C6:2C',
      fingerprint512: '1B:67:EA:78:02:24:7D:6E:24:93:4E:32:8B:B5:AA:9B:52:5C:47:63:6C:5C:E6:04:F6:1B:6A:9A:45:CB:C1:8D:1D:8C:6A:85:9A:A1:73:B1:25:27:87:37:70:8B:BA:DD:29:87:32:3A:76:D5:7F:A3:EF:AE:41:F4:32:93:4E:39',
      ext_key_usage: [Array],
      serialNumber: '1DC289C1EADAFB04E9D1CF53D5D72253',
      raw: '[object Buffer]',
      asn1Curve: 'prime256v1',
      nistCurve: 'P-256',
      issuerCertificate: [Object]
    },
    name: 'Error',
    message: "Hostname/IP does not match certificate's altnames: Host: localhost. is not in the cert's altnames: DNS:github.com, DNS:www.github.com",
    stack: "Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: localhost. is not in the cert's altnames: DNS:github.com, DNS:www.github.com\n" +
      '    at Object.checkServerIdentity (node:tls:455:12)\n' +
      '    at TLSSocket.onConnectSecure (node:_tls_wrap:1641:27)\n' +
      '    at TLSSocket.emit (node:events:508:28)\n' +
      '    at TLSSocket.emit (node:domain:489:12)\n' +
      '    at TLSSocket._finishInit (node:_tls_wrap:1077:8)\n' +
      '    at ssl.onhandshakedone (node:_tls_wrap:863:12)'
  }
} socket error
{
  error: {
    code: 'ERR_TLS_CERT_ALTNAME_INVALID',
    reason: "Host: localhost. is not in the cert's altnames: DNS:github.com, DNS:www.github.com",
    host: 'localhost',
    cert: {
      subject: [Object],
      issuer: [Object],
      subjectaltname: 'DNS:github.com, DNS:www.github.com',
      infoAccess: [Object],
      ca: false,
      modulus: undefined,
      exponent: undefined,
      pubkey: '[object Buffer]',
      bits: 256,
      valid_from: 'Mar  6 00:00:00 2026 GMT',
      valid_to: 'Jun  3 23:59:59 2026 GMT',
      fingerprint: 'AB:58:EA:12:8B:A9:2C:A6:9A:31:B3:6B:4E:54:56:53:EE:D2:A6:CF',
      fingerprint256: '97:16:D3:94:41:CA:65:1C:51:BE:78:E9:69:CA:38:5E:C2:13:EC:17:71:5B:8C:91:F0:1E:E6:52:F9:0F:C6:2C',
      fingerprint512: '1B:67:EA:78:02:24:7D:6E:24:93:4E:32:8B:B5:AA:9B:52:5C:47:63:6C:5C:E6:04:F6:1B:6A:9A:45:CB:C1:8D:1D:8C:6A:85:9A:A1:73:B1:25:27:87:37:70:8B:BA:DD:29:87:32:3A:76:D5:7F:A3:EF:AE:41:F4:32:93:4E:39',
      ext_key_usage: [Array],
      serialNumber: '1DC289C1EADAFB04E9D1CF53D5D72253',
      raw: '[object Buffer]',
      asn1Curve: 'prime256v1',
      nistCurve: 'P-256',
      issuerCertificate: [Object]
    },
    name: 'Error',
    message: "Hostname/IP does not match certificate's altnames: Host: localhost. is not in the cert's altnames: DNS:github.com, DNS:www.github.com",
    stack: "Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: localhost. is not in the cert's altnames: DNS:github.com, DNS:www.github.com\n" +
      '    at Object.checkServerIdentity (node:tls:455:12)\n' +
      '    at TLSSocket.onConnectSecure (node:_tls_wrap:1641:27)\n' +
      '    at TLSSocket.emit (node:events:508:28)\n' +
      '    at TLSSocket.emit (node:domain:489:12)\n' +
      '    at TLSSocket._finishInit (node:_tls_wrap:1077:8)\n' +
      '    at ssl.onhandshakedone (node:_tls_wrap:863:12)'
  }
} request error
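
The failure mode reported above, as an added example that is not part of the original report or global-agent's code: when TLS is started on an already-tunnelled socket with no `host` or `servername` (the trace shows `tls: {}`), the certificate is checked against `localhost` instead of the destination. `identityToVerify` is a simplified model of Node's fallback order and `tunnelTlsOptions` is a hypothetical helper; the certificate object is constructed from the SAN list in the error message.

```javascript
const tls = require('node:tls');
const net = require('node:net');

// Constructed certificate fields, copied from the SAN list quoted in the issue.
const CONSTRUCTED_CERT = {
  subject: { CN: 'github.com' },
  subjectaltname: 'DNS:github.com, DNS:www.github.com',
};

// Simplified model (assumption) of how the TLS client picks the name to verify
// when it is handed an existing socket: servername, then host, then "localhost".
function identityToVerify(tlsOptions) {
  return tlsOptions.servername || tlsOptions.host || 'localhost';
}

// Hypothetical helper: TLS options for a socket already tunnelled with CONNECT.
// The name comes from the destination URL, never from the proxy address.
function tunnelTlsOptions(destinationUrl, tunnelSocket) {
  const { hostname, port } = new URL(destinationUrl);
  const options = { socket: tunnelSocket, host: hostname, port: Number(port) || 443 };
  // SNI carries DNS names only, so skip servername for IP-literal destinations.
  if (net.isIP(hostname) === 0) options.servername = hostname;
  return options;
}

// Run Node's own hostname check and return 'ok' or the error code.
function verify(tlsOptions, cert) {
  const err = tls.checkServerIdentity(identityToVerify(tlsOptions), cert);
  return err ? err.code : 'ok';
}

// Options shaped like the trace in the issue (tls: {}): no host, no servername.
const withoutName = { socket: null };
// Options carrying the destination name through to the handshake.
const withName = tunnelTlsOptions('https://www.github.com/', null);

console.log(identityToVerify(withoutName), verify(withoutName, CONSTRUCTED_CERT));
console.log(identityToVerify(withName), verify(withName, CONSTRUCTED_CERT));
```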
