LDAPS integration with Hipchat Server fails with SSLHandshakeException - PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.
Support for Server* products ends on February 15, 2024. If you are using a Server product, check your migration options on the Atlassian Server end-of-support announcement page.
*Except Fisheye and Crucible
Problem
LDAPS integration with Hipchat Server fails. When running the directory connection test, the error "Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors" is thrown in the UI.
The following is written to atlassian-crowd.log:
Caused by: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: hostname.domain.org:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors]]
at java.util.concurrent.FutureTask.report(FutureTask.java:122)
at java.util.concurrent.FutureTask.get(FutureTask.java:188)
Diagnosis
- Make sure the LDAP server's SSL certificate has been installed into the Hipchat Server's Crowd Java keystore. See How To Install LDAP SSL Certificate into Hipchat Server Keystore.
- Run the SSLPoke test (refer to the Diagnosis section in that article). This will help confirm that the truststore contains the correct certificates. Note: replace the port number given in that article with the actual port the LDAP server is listening on.
Cause
- The Hipchat Server's Crowd Java keystore does not trust the SSL certificate (or its issuing chain) presented by the LDAP server.
Solution
- Double-check the SSL certificate chain presented by the LDAP server.
- Import the missing certificate into the Hipchat Server's Crowd Java keystore.
- Restart the Crowd service:
sudo dont-blame-hipchat -c "service crowd restart"
During the import, if keytool reports "keytool error: java.lang.Exception: Certificate not imported, alias <mykey> already exists", use a different alias name to import the certificate.
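The helper script below is an added example, not Atlassian's tooling: it pulls the chain the LDAP server actually presents (so you can see which issuer is absent from the truststore) and imports a certificate under an alias that does not collide with an existing entry. It assumes `openssl` and `keytool` are on PATH; the keystore path and password are placeholders for your environment.

```shell
#!/bin/sh
# Added example (not part of the Atlassian article). Placeholders: KEYSTORE and
# STOREPASS must be set to the Crowd Java keystore used by Hipchat Server.
KEYSTORE="${KEYSTORE:-/path/to/crowd/jre/lib/security/cacerts}"  # placeholder path
STOREPASS="${STOREPASS:-changeit}"                                # JVM default password

# Print every certificate the LDAPS server sends, as PEM blocks, in chain order.
# The last block is usually the intermediate/root that must be trusted.
fetch_chain() {  # $1 = host, $2 = port (636 in the log above)
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Aliases already in the keystore. keytool -list prints "alias, date, type,"
# lines for each entry; the first comma-separated field is the alias.
list_aliases() {
  keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" 2>/dev/null \
    | awk -F',' '/trustedCertEntry|PrivateKeyEntry/ {print $1}'
}

# Choose an alias that is not already taken, avoiding the
# "Certificate not imported, alias <mykey> already exists" failure.
# $1 = desired alias, $2 = existing aliases (one per line, e.g. from list_aliases).
# Returns the first free name among base, base-2, base-3, ...
unique_alias() {
  base="$1"; existing="$2"; candidate="$base"; n=1
  while printf '%s\n' "$existing" | grep -qx "$candidate"; do
    n=$((n + 1)); candidate="$base-$n"
  done
  printf '%s' "$candidate"
}

# Import one PEM certificate file under a non-colliding alias.
import_cert() {  # $1 = PEM file, $2 = desired alias
  alias=$(unique_alias "$2" "$(list_aliases)")
  keytool -importcert -noprompt -trustcacerts -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" -alias "$alias" -file "$1"
  echo "imported $1 as alias '$alias'"
}

# Typical use (uncomment and adjust host/port):
# fetch_chain ldap.example.org 636 > chain.pem
# import_cert chain.pem ldap-ca
# sudo dont-blame-hipchat -c "service crowd restart"
```

After the import, rerun the directory connection test; the PKIX "does not chain" error should no longer appear once every issuer in the presented chain is trusted.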