No subject alternative names - LDAP with SSL


Symptoms

When using SSL to connect Stash to an LDAP directory, if the hostname Stash connects to does not match a name on the server's certificate, the following error can be seen in atlassian-stash.log:

2012-10-18 01:03:41,007 ERROR [scheduler_Worker-1]  c.a.c.d.DbCachingDirectoryPoller Error occurred while refreshing the cache for directory [ 229377 ].
com.atlassian.crowd.exception.OperationFailedException: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: <HOST_NAME.DOMAIN_NAME>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <HOST_NAME.DOMAIN_NAME> found.]]
...
Caused by: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: <HOST_NAME.DOMAIN_NAME>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <HOST_NAME.DOMAIN_NAME> found.]]
...

Cause

Stash verifies the hostname of the LDAP server against the names in the server's SSL certificate when it connects over SSL. The host configured for the directory must match a subject alternative name (SAN) on the certificate; only when the certificate carries no DNS-type SAN at all does Java fall back to the subject common name. If the names do not match, the handshake fails and Stash cannot connect to the directory. Connecting to the LDAP server by IP address fails in the same way unless that IP address is present as an IP-type SAN: Java is very strict in enforcing server identity and never consults the common name for an IP address.
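To make the matching rule concrete, the following is an added Python example; it is not Stash or Java code and is not from this page. It applies the same identity checks to certificates written in the dictionary form that Python's ssl.getpeercert() returns, so it runs offline. The certificates, hostnames and the address 10.0.0.5 are constructed for illustration and are assumptions, not values from the page.

```python
import ipaddress

# Constructed sample certificates in the shape ssl.getpeercert() returns.
# They are illustrative only; none of them is a certificate from this page.
CERT_WITH_SAN = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.corp.example.com")),
}
CERT_CN_ONLY = {  # legacy certificate: no subjectAltName extension at all
    "subject": ((("commonName", "ldap.example.com"),),),
}
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("IP Address", "10.0.0.5")),
}


def _dns_match(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, the wildcard may only be
    the whole leftmost label, it matches exactly one non-empty label, and it
    is not accepted for names with fewer than three labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return hlabels[0] != "" and plabels[1:] == hlabels[1:]


def check_hostname(cert, target):
    """Decide whether `target` (a DNS name or an IP literal) is a valid
    identity for `cert`, following the rules Java's hostname verifier applies:
      - an IP target must appear as an IP-type SAN; the CN is never consulted
      - a DNS target is checked against DNS-type SANs; the CN is consulted
        only when the certificate has no DNS-type SAN entries at all
    Returns (ok, reason); the failure reasons echo the wording seen in the log."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]

    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None

    if ip is not None:
        for value in ip_names:
            if ipaddress.ip_address(value) == ip:
                return True, f"IP SAN {value} matches {target}"
        return False, f"No subject alternative IP name matching {target} found"

    if dns_names:
        for pattern in dns_names:
            if _dns_match(pattern, target):
                return True, f"DNS SAN {pattern} matches {target}"
        return False, f"No subject alternative DNS name matching {target} found"

    # No DNS-type SAN at all: legacy fallback to the subject common name.
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName" and _dns_match(value, target):
                return True, f"no DNS SAN present; subject CN {value} matches {target}"
    return False, f"No name matching {target} found"


if __name__ == "__main__":
    cases = [
        (CERT_WITH_SAN, "ldap.example.com"),       # exact SAN match
        (CERT_WITH_SAN, "dc01.corp.example.com"),  # wildcard SAN match
        (CERT_WITH_SAN, "10.0.0.5"),               # IP target, no IP SAN: fails
        (CERT_WITH_IP_SAN, "10.0.0.5"),            # IP target with IP SAN: ok
        (CERT_CN_ONLY, "ldap.example.com"),        # CN fallback, no SAN present
        (CERT_CN_ONLY, "10.0.0.5"),                # CN is never used for an IP
    ]
    for cert, target in cases:
        ok, reason = check_hostname(cert, target)
        print(f"{target:<24} {'OK  ' if ok else 'FAIL'} {reason}")
```

The third case is the situation the log above describes: a connection verified against an IP address while the certificate only carries DNS names. Adding the address as an IP-type SAN (fourth case) or connecting by a name the certificate contains (first two cases) are the only ways the check passes; the common name only helps when the certificate has no DNS-type SAN at all, and never for an IP.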

Workarounds

There are two options to bypass this issue:

  • Edit /etc/hosts on the Stash server so that the name on the certificate resolves to the LDAP server: add an entry mapping the IP address of the LDAP server to the FQDN that appears on the certificate, and configure the User Directory with that FQDN. Hostname verification still takes place, so this only helps when the certificate's name is otherwise valid and simply is not the name you were connecting with.
  • Under the "Advanced Settings" of your User Directory configuration, uncheck the "Secure SSL" option, whose purpose is to verify that the SSL certificate is valid for this connection. This option is checked automatically when you check "Use SSL" on the User Directory configuration. Unchecking it disables hostname verification: the connection is still encrypted, but Stash can no longer tell whether it is talking to the genuine LDAP server, so treat this as a temporary measure until the certificate is fixed.

    Since Java 1.8.0_51, a name resolved from the hostname is no longer trusted for SSL verification, so Java verifies the connection against the resolved IP address and looks for an IP entry that does not exist in the certificate. See STASH-7741.

Solution

Fix the certificate to contain the correct hostname: reissue the LDAP server's certificate with a subject alternative name entry for the FQDN that Stash connects to (and an IP-type entry if Stash must connect by IP address). The names a live server presents can be inspected from the Stash host with openssl s_client against port 636, piping the output through openssl x509 -noout -text and reading the Subject Alternative Name section.

If running Java 1.8.0_51 or 1.8.0_60, update to 1.8.0_65, as it contains a fix for the issue described in STASH-7741.

Last modified on Mar 30, 2016
