Bitbucket throws error "No subject alternative names matching IP address"

About the platform: Data Center - This article applies to Atlassian products on the Data Center platform.

This knowledge base article was written for the Data Center version of the product. Data Center knowledge base articles for features that are not Data Center-specific may also work with the Server version of the product, but they have not been tested there. Support for Server* products ended on February 15, 2024. If you are running a Server product, review your migration options on the Atlassian Server end-of-support announcement page.

*Excluding Fisheye and Crucible

Symptoms

When using SSL to connect Bitbucket Server to an LDAP directory, if the name on the certificate does not match the hostname of the server, the following error can be seen in atlassian-bitbucket.log:

2012-10-18 01:03:41,007 ERROR [scheduler_Worker-1]  c.a.c.d.DbCachingDirectoryPoller Error occurred while refreshing the cache for directory [ 229377 ].
com.atlassian.crowd.exception.OperationFailedException: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: <HOST_NAME.DOMAIN_NAME>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <HOST_NAME.DOMAIN_NAME> found.]]
...
Caused by: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: <HOST_NAME.DOMAIN_NAME>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <HOST_NAME.DOMAIN_NAME> found.]]
...

Cause

We've identified 2 causes for this:

  • Bitbucket Server verifies the hostname on the SSL certificate when communicating with an LDAP server over SSL, and the two don't match. The hostname must match the one on the SSL certificate or Bitbucket Server will not be able to connect to the directory.
  • A change in the JRE is causing the issue:
    • a change in JRE 1.8.0_51 and 1.8.0_60
    • a change introduced in JRE 1.8u181

Workaround

There are 3 options to bypass this issue:

Specific to LDAP directories secured with SSL (bypassing SSL certificate verification in the LDAP config):

Under the "Advanced Settings" of your User Directory configuration, uncheck the "Secure SSL" option, whose main purpose is to verify that the SSL certificate is valid for this connection. This option is checked automatically by default when you check "Use SSL" on the User Directory configuration. This is not the recommended way to do it, though.

Other SSL scenarios:

  • Workaround 1 (certificate mismatch related):
    • Edit /etc/hosts to allow using the incorrect name on the certificate: add the FQDN from the certificate and map it to the IP address of the LDAP server.
  • Workaround 2 (JRE related):
    • Edit <BITBUCKET_INSTALL>/bin/setenv.sh
    • Change:

        #
        # Occasionally Atlassian Support may recommend that you set some specific JVM arguments.  You can use this variable
        # below to do that.
        #
        JVM_SUPPORT_RECOMMENDED_ARGS=""

      into:

        #
        # Occasionally Atlassian Support may recommend that you set some specific JVM arguments.  You can use this variable
        # below to do that.
        #
        JVM_SUPPORT_RECOMMENDED_ARGS="-Djdk.tls.trustNameService=true"

    • Restart your Bitbucket server
  • Workaround 3 (JRE 1.8u181+):
    • According to the JDK 8u181 Update Release Notes:

      "Endpoint identification has been enabled on LDAPS connections.

      To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.

      Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.

      Define this system property (or set it to true) to disable endpoint identification algorithms."

    • In this case, set JVM_SUPPORT_RECOMMENDED_ARGS="-Dcom.sun.jndi.ldap.object.disableEndpointIdentification"
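Before reaching for either JVM flag, it helps to see exactly which names the JRE's endpoint identification will accept for a given LDAPS URL. The following is an added example (not Atlassian's code) that reproduces the matching rules behind the "No subject alternative DNS name matching ... found" error: a hostname is checked only against dNSName SANs, an IP literal only against iPAddress SANs, and a wildcard covers one leftmost label only. The SAN list is constructed for illustration; on a real server it would be read from the LDAP certificate's subjectAltName extension.

```python
import ipaddress

# Constructed SANs standing in for the LDAP server's certificate.
SAMPLE_SAN = {
    "dns": ["ldap.example.com", "*.corp.example.com"],
    "ip": ["10.0.0.5"],
}


def _dns_name_match(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive; a wildcard is allowed
    only as the entire leftmost label, must leave at least two more labels
    (so "*.com" never matches), and never spans a dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return (len(p_labels) >= 3
            and len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:])


def endpoint_matches(san: dict, target: str) -> bool:
    """Mimic the JRE's endpoint identification for the host part of an LDAPS
    URL. An IP literal is compared only with iPAddress SANs and a hostname
    only with dNSName SANs, which is why ldaps://10.0.0.5 fails against a
    certificate carrying only DNS names while ldaps://ldap.example.com passes.
    (The CN fallback used for certificates with no SAN at all is omitted.)"""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(s) == ip for s in san.get("ip", []))
    return any(_dns_name_match(p, target) for p in san.get("dns", []))


def check_ldap_host(san: dict, target: str) -> str:
    """Verdict a defender can act on without weakening TLS: either the
    configured host passes verification, or the LDAP URL should use a listed
    name (or the certificate be reissued) rather than disabling the check."""
    if endpoint_matches(san, target):
        return f"OK: '{target}' is covered by the certificate's SANs"
    names = san.get("dns", []) + san.get("ip", [])
    return (f"MISMATCH: '{target}' is not among the certificate's SANs "
            f"({', '.join(names)}); point the LDAP URL at a listed name or "
            f"reissue the certificate instead of disabling verification")
```

Running check_ldap_host(SAMPLE_SAN, "10.0.0.6") or with a hostname that is not a listed SAN shows the same mismatch the JRE reports in atlassian-bitbucket.log, while the /etc/hosts workaround above amounts to making the configured name one that endpoint_matches accepts.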

Changes to setenv and environment variables in Bitbucket Server 5.0+

In Bitbucket Server 5.0 and later, setenv.sh and setenv.bat have been removed. The options that used to be set in these files can now be set via environment variables. Where the environment variables are set depends on the operating system you are running on.

Linux

When using the atlbitbucket service on Linux, the environment variables are ignored. You must set the parameters in _start-webapp.sh (or start-bitbucket.sh). These values will be read when the service starts.

For example, to set JVM_SUPPORT_RECOMMENDED_ARGS, add the following line to the file:

JVM_SUPPORT_RECOMMENDED_ARGS=-XX:+HeapDumpOnOutOfMemoryError

Windows

Set the parameters as environment variables for the user that runs Bitbucket Server. For example, if you want to set JVM_SUPPORT_RECOMMENDED_ARGS, create it as an environment variable and assign it the appropriate value. When Bitbucket Server is started via the startup scripts or the service, this value is picked up and applied.

Solution

Certificate mismatch:

  • Fix the certificate to contain the correct hostname.

JRE:

If running Java 1.8.0_51 or 1.8.0_60, update to 1.8.0_65 as it contains a fix for the issue described in BSERV-7741 - Secure LDAP connections are broken when using Java 1.8u51+, 1.7.0_85+ and 1.6.0_101+.

In addition, we are going to ship 1.8.0_65 as our embedded JRE soon: BSERV-8258 - Upgrade Bitbucket Embedded JRE to 1.8.0_65 from 1.8.0_60

Last updated: January 28, 2025
