java.security.cert.CertificateException: No subject alternative DNS name matching <hostname> found


Symptoms

Using SSL to connect Confluence to an LDAP directory can result in the following error:

java.security.cert.CertificateException: No subject alternative DNS name matching <hostname> found

This error may be found within the UI when testing the directory connection or when testing user retrieval. The error also appears in <confluence_home>/logs/atlassian-confluence.log.

Cause

This issue can have more than one cause.

Starting with Confluence 4.2, Confluence may check the hostname on SSL certificates when communicating with an LDAP server over SSL. This means that the hostname used to connect to the LDAP server must match the hostname in the SSL certificate, or Confluence will not be able to connect to the directory. This is by design.

Another possible cause is Advanced Settings > Follow Referrals being enabled unnecessarily in the User Directory configuration when connecting to a single-node LDAP directory without cross-domain memberships.

Solution

Try the following, in this order:

  1. Fix the certificate so that it contains the correct name. This is the preferred (and most secure) fix.
  2. Uncheck "Advanced Settings > Secure SSL" in the User Directory configuration while still configuring an SSL connection. Confluence will connect to the LDAP server over SSL but will not verify that the hostname and certificate match.
     NOTE: This option is only available in Confluence 5.1.3 and later, as per CONF-26049.
  3. Edit /etc/hosts so that you can connect using the name that is in the certificate: add the FQDN from the certificate and map it to the IP address of the LDAP server.
  4. Disable "Follow Referrals" in the User Directory configuration if cross-domain memberships are not used.
  5. If you are using JDK 1.8.0_51 or later (bundled with Confluence 5.8.8 and later), the JDK no longer performs reverse name lookup for IP addresses by default, as per this java doc. You can re-enable reverse lookup by adding '-Djdk.tls.trustNameService=true' to your system parameters.

If an application does need to perform reverse name lookup for raw IP addresses in SSL/TLS connections, and encounters an endpoint identification compatibility issue, the System property "jdk.tls.trustNameService" can be used to switch on reverse name lookup. Note that if the name service is not trustworthy, enabling reverse name lookup may be susceptible to MITM attacks.
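The following is an added example, not Atlassian or JDK code, that models the endpoint identification rules behind the error above: a connection name must match a dNSName entry in the certificate's Subject Alternative Name (exactly, or via a single-label wildcard), a raw IP address only matches an iPAddress entry, and reverse lookup of an IP is consulted only when the name service is explicitly trusted (the jdk.tls.trustNameService behaviour from step 5). The certificate SAN entries, hostnames and IP addresses below are constructed for the demonstration; the error strings mirror the JDK messages quoted on this page.

```python
"""Model of TLS endpoint identification for an LDAPS connection (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SubjectAltNames:
    """Constructed stand-in for the SAN extension of the LDAP server certificate."""
    dns: list = field(default_factory=list)   # dNSName entries
    ips: list = field(default_factory=list)   # iPAddress entries


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive exact match, or a leftmost '*' wildcard label that covers
    exactly one label of the hostname (a.b.example.com never matches *.example.com)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_hostname(san: SubjectAltNames, connect_name: str,
                   trust_name_service: bool = False, reverse_lookup=None):
    """Return (accepted, reason) for the name the client put in the LDAP URL.

    reverse_lookup is a hypothetical callable ip -> PTR name (or None), injected so the
    example runs offline; it stands in for the JDK's name-service query."""
    try:
        ip = ipaddress.ip_address(connect_name)
    except ValueError:
        ip = None

    if ip is None:
        # Hostname in the URL: only dNSName SAN entries are considered.
        if any(_dns_name_match(p, connect_name) for p in san.dns):
            return True, "dNSName match"
        return False, f"No subject alternative DNS name matching {connect_name} found"

    # Raw IP in the URL: an iPAddress SAN entry is the only default match.
    if any(ipaddress.ip_address(a) == ip for a in san.ips):
        return True, "iPAddress match"

    if trust_name_service and reverse_lookup is not None:
        # Behaviour enabled by -Djdk.tls.trustNameService=true: resolve the IP back to
        # a name and compare that. A forged PTR answer would pass this check, which is
        # the MITM exposure the JDK note describes.
        ptr_name = reverse_lookup(str(ip))
        if ptr_name and any(_dns_name_match(p, ptr_name) for p in san.dns):
            return True, "dNSName match via trusted reverse lookup"

    return False, f"No subject alternative names matching IP address {connect_name} found"


# Constructed certificate: covers the LDAP FQDN and one-level wildcard, no IP entries.
LDAP_CERT = SubjectAltNames(dns=["ldap01.corp.example.com", "*.corp.example.com"])


def demo():
    """Outcomes for the connection names a Confluence admin might try."""
    return {
        "fqdn": check_hostname(LDAP_CERT, "ldap01.corp.example.com")[0],
        "wildcard_sibling": check_hostname(LDAP_CERT, "ldap02.corp.example.com")[0],
        "short_name": check_hostname(LDAP_CERT, "ldap01")[0],
        "raw_ip": check_hostname(LDAP_CERT, "10.0.0.25")[0],
        "raw_ip_trusted_ptr": check_hostname(
            LDAP_CERT, "10.0.0.25", True, lambda ip: "ldap01.corp.example.com")[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20s} {'accepted' if ok else 'rejected'}")
```

The "short_name" and "raw_ip" cases are the two configurations that produce the error on this page; the /etc/hosts workaround in step 3 works because it lets the client use the FQDN (the "fqdn" case) while still reaching the server's IP, and step 5 corresponds to the "raw_ip_trusted_ptr" case, which depends on the reverse-lookup answer being honest.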

Last updated: 2 November 2018
