java.security.cert.CertificateException: No subject alternative DNS name matching <hostname> found
Summary
Learn how to fix the issue where using SSL to connect Crowd, or Embedded Crowd, to an LDAP directory results in "java.security.cert.CertificateException: No subject alternative DNS name matching <hostname> found."
Diagnosis
When you attempt to use SSL to connect Crowd, you run into the error "java.security.cert.CertificateException: No subject alternative DNS name matching <hostname> found."
Cause
This error occurs when the name on the certificate does not match the hostname of the server. Since version 2.3.6, Crowd verifies the hostname on SSL certificates when communicating with an LDAP server over SSL. This was documented in JAC issue CWD-2690 - Crowd must verify the hostname on SSL certificates when communicating with an LDAP server over SSL.
What this means is that the hostname you connect to must match the one on the SSL certificate, or Crowd will not be able to connect to the directory. This is by design.
Solution
There are several options for fixing this. You can do any of the following:
- Fix the certificate to contain the correct name. This is the preferred (and most secure) fix.
- Use an 'ldaps' connection URL and leave 'Secure SSL' (in Crowd) or 'Use SSL' (in Embedded Crowd) unchecked in the Crowd Console. This still uses an SSL connection but does not verify that the hostname and certificate match.
- Edit the server's hosts file so that you can connect using the name on the certificate: add the FQDN from the certificate and map it to the IP address of the server.
- Verify that "Follow Referrals" is not selected in the User Directory configuration.
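To see why the connection fails before changing anything, it helps to run the same comparison Crowd performs: take the hostname from the LDAP connection URL and look for a SAN dNSName entry that covers it. The script below is an added example, not Crowd's own code; it follows the RFC 6125 matching rules that Java's hostname verifier applies (case-insensitive labels, a wildcard only in the leftmost label and matching exactly one label), and the URL and SAN values in it are constructed.

```python
"""Offline check for 'No subject alternative DNS name matching <hostname> found'.

Added example (not Crowd's code). Implements the SAN dNSName comparison that
Java performs for an ldaps:// connection, so you can confirm whether the
name in the connection URL is covered by the certificate before deciding on
a fix (reissue the certificate, or connect using a name the SAN already lists).
"""
from typing import List, Optional
from urllib.parse import urlsplit


def dns_name_matches(hostname: str, san_entry: str) -> bool:
    """True if a single SAN dNSName entry covers hostname (RFC 6125 6.4.3)."""
    host = hostname.rstrip(".").lower().split(".")
    pattern = san_entry.rstrip(".").lower().split(".")
    if len(host) != len(pattern):
        return False  # a wildcard matches exactly one label, never several
    if pattern[0] == "*":
        # Wildcard allowed only in the leftmost label, and not for "*.tld"
        return len(pattern) > 2 and host[1:] == pattern[1:]
    return host == pattern


def find_matching_san(hostname: str, san_dns_names: List[str]) -> Optional[str]:
    """Return the first SAN entry that matches, or None (Java's failure case)."""
    for entry in san_dns_names:
        if dns_name_matches(hostname, entry):
            return entry
    return None


def url_hostname(connection_url: str) -> str:
    """Extract the hostname Crowd compares against the certificate."""
    parts = urlsplit(connection_url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP connection URL: {connection_url}")
    return parts.hostname


def explain(connection_url: str, san_dns_names: List[str]) -> str:
    """Human-readable verdict mirroring the Java exception text on failure."""
    hostname = url_hostname(connection_url)
    match = find_matching_san(hostname, san_dns_names)
    if match:
        return f"OK: '{hostname}' matches SAN dNSName '{match}'"
    listed = ", ".join(san_dns_names) or "none"
    return (f"No subject alternative DNS name matching {hostname} found "
            f"(SAN dNSName entries present: {listed})")


if __name__ == "__main__":
    # Constructed values: the URL uses a short name, the cert only lists the FQDN
    print(explain("ldaps://ldap01:636", ["ldap01.corp.example"]))
```

The output points at the fix: either reissue the certificate with the name you connect to, or connect using a name the SAN already lists (which is what the hosts-file workaround above arranges).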