Bitbucket server throws error No subject alternative names matching IP address


Symptoms

When using SSL to connect Bitbucket Server to an LDAP directory, if the name on the certificate does not match the hostname of the server, the following error can be seen in atlassian-bitbucket.log:

2012-10-18 01:03:41,007 ERROR [scheduler_Worker-1]  c.a.c.d.DbCachingDirectoryPoller Error occurred while refreshing the cache for directory [ 229377 ].
com.atlassian.crowd.exception.OperationFailedException: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: <HOST_NAME.DOMAIN_NAME>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <HOST_NAME.DOMAIN_NAME> found.]]
...
Caused by: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: <HOST_NAME.DOMAIN_NAME>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <HOST_NAME.DOMAIN_NAME> found.]]
...

Cause

We've identified 2 causes for this:

  • Bitbucket Server verifies the hostname on the SSL certificates when communicating with an LDAP server over SSL and they don't match. The hostname must match that on the SSL certificate or Bitbucket Server will not be able to connect to the directory. 
  • A change to JRE 1.8.0_51 and 1.8.0_60 is causing the issue.
  • A change introduced in JRE 1.8u181 is causing the issue. 
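Before turning verification off, it helps to know which of the two mismatches above you are hitting. The following is an added Python example (not code from the article or from Atlassian) that reproduces the JSSE endpoint-identification decision against a certificate's subjectAltName list; the SAN list is constructed, and the hostnames and IP address in it are assumed placeholders:

```python
import ipaddress

# Constructed SAN list in the shape ssl.SSLSocket.getpeercert()["subjectAltName"]
# returns. Assumption: the LDAP server's certificate carries DNS entries only,
# which is the usual shape of a cert that fails once the JRE verifies by IP.
SAMPLE_SAN = (("DNS", "ldap.example.com"), ("DNS", "*.corp.example.com"))


def _dns_matches(pattern, hostname):
    """Case-insensitive DNS-ID match; a leading '*' covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_endpoint(san, endpoint):
    """Mimic JSSE endpoint identification of `endpoint` against a SAN list.

    Returns None when the endpoint is covered by the certificate, otherwise the
    message text the JRE would put in atlassian-bitbucket.log.
    """
    try:
        ip = ipaddress.ip_address(endpoint)
    except ValueError:
        ip = None
    if ip is not None:
        # When the peer is identified by an IP address (connecting by IP, or the
        # JRE 8u51 behaviour of not trusting the resolved name), only
        # "IP Address" SAN entries count; DNS entries are ignored entirely.
        for kind, value in san:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return None
        return f"No subject alternative names matching IP address {endpoint} found"
    # Identified by hostname: only DNS entries are consulted.
    for kind, value in san:
        if kind == "DNS" and _dns_matches(value, endpoint):
            return None
    return f"No subject alternative DNS name matching {endpoint} found."
```

To run it against a real directory server, feed `check_endpoint` the `subjectAltName` tuple from `ssl.SSLSocket.getpeercert()` together with the host value configured in the User Directory, and compare with the name the log reports.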

Workaround

There are 3 options to bypass this issue:

Specific to LDAP directories secured with SSL (bypassing the SSL on the LDAP config):

Under the "Advanced Settings" of your User Directory configuration, uncheck the "Secure SSL" option whose main goal is to verify that the SSL certificate is valid for this connection. This option is automatically checked by default when you check "Use SSL" on the User Directory configuration. This is not the recommended way to do it, though.


Other SSL scenarios:

  • Workaround 1 (certificate mismatch related): 
    • Edit /etc/hosts to allow using the incorrect name on the certificate. Add the FQDN on the certificate and match it to the IP address of the LDAP server.


  • Workaround 2 (JRE related):
    • Since Java 1.8u51, the hostname the address resolves to is no longer trusted when using SSL, so the JRE tries to verify an IP address that does not exist in the certificate. See BSERV-7741. If that's your case and you don't want to install a new JRE, or your instance is using the JRE 1.8.0_60 that we shipped with Bitbucket Server, a valid workaround consists in:
      • Editing <BITBUCKET_INSTALL>/bin/setenv.sh
      • Changing:

        #
        # Occasionally Atlassian Support may recommend that you set some specific JVM arguments.  You can use this variable
        # below to do that.
        #
        JVM_SUPPORT_RECOMMENDED_ARGS=""

        Into:

        #
        # Occasionally Atlassian Support may recommend that you set some specific JVM arguments.  You can use this variable
        # below to do that.
        #
        JVM_SUPPORT_RECOMMENDED_ARGS="-Djdk.tls.trustNameService=true"
      • Restarting your Bitbucket server
  • Workaround 3 (JRE 1.8u181+):
    • According to the JDK 8u181 Update Release Notes:
      "Endpoint identification has been enabled on LDAPS connections.

      To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.

      Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.

      Define this system property (or set it to true) to disable endpoint identification algorithms."

      In this case, set JVM_SUPPORT_RECOMMENDED_ARGS="-Dcom.sun.jndi.ldap.object.disableEndpointIdentification"


Changes to setenv and environment variables in Bitbucket Server 5.0+

In Bitbucket Server 5.0 and later, setenv.sh and setenv.bat have been removed. The options that were set in those files can now be set as environment variables. Where you set the environment variables depends on the operating system you are running on.

Linux

When using the atlbitbucket service on Linux, the environment variables are ignored. You must set the parameters in _start-webapp.sh (or start-bitbucket.sh). These values will be read when the service starts.

For example, to set JVM_SUPPORT_RECOMMENDED_ARGS, add the following line to the file:

JVM_SUPPORT_RECOMMENDED_ARGS=-XX:+HeapDumpOnOutOfMemoryError

Windows

Set the parameters as environment variables for the user that runs Bitbucket Server. For example, to set JVM_SUPPORT_RECOMMENDED_ARGS, create it as an environment variable and assign it the appropriate value. The value is picked up and applied when Bitbucket Server is started via the startup script or the service.

Solution

Certificate mismatch:

  • Fix the certificate to contain the correct hostname.

JRE:

If running Java 1.8.0_51 or 1.8.0_60, update to 1.8.0_65 as it contains a fix for the issue described in STASH-7741.

In addition, we are going to ship 1.8.0_65 as our embedded JRE soon: BSERV-8258.

Last updated: May 13, 2022
