LDAPS integration with Hipchat Server fails with SSLHandshakeException - PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors


Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.


Problem

LDAPS integration with Hipchat Server fails. When running the directory connection test, the error "Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors" is thrown in the UI.

The following message is written to atlassian-crowd.log:

Caused by: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: hostname.domain.org:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors]]
	at java.util.concurrent.FutureTask.report(FutureTask.java:122)
	at java.util.concurrent.FutureTask.get(FutureTask.java:188)

Diagnosis

  • Make sure the LDAP server's SSL certificate has been installed into the Hipchat Server's Crowd Java keystore. See How To Install LDAP SSL Certificate into Hipchat Server Keystore.
  • Run the SSLPoke test (refer to the Diagnosis section in that article). This confirms whether the truststore contains the certificates needed to validate the chain. Note: replace the port number in the article with the actual port that the LDAP server is listening on (636 in the log above).

Cause

  • Hipchat Server's Crowd Java keystore does not trust the SSL certificate presented to it by the LDAP server.

Solution

  1. Double check the SSL certificate chain presented by the LDAP server.
  2. Import the missing certificate into the Hipchat Server's Crowd Java keystore.
  3. Restart the Crowd service:

    sudo dont-blame-hipchat -c "service crowd restart"

(info) During the import, if keytool fails with the error java.lang.Exception: Certificate not imported, alias <mykey> already exists, import the certificate under a different alias name.
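To carry out step 1 without guessing which certificate is missing, the following diagnostic (an added example, not Atlassian's SSLPoke or any Hipchat code) performs the same TLS handshake Crowd would against the LDAPS port, using whichever truststore the JVM is pointed at, and on a PKIX failure prints the chain the server actually presented. The host name and port are placeholders to be replaced with the real LDAP server; run it with `-Djavax.net.ssl.trustStore=<path to the Crowd keystore>` to test exactly the keystore Crowd uses.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

public class LdapsTrustCheck {
    /** Records the chain the server sends, then defers to the JVM's normal trust decision. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] presented = new X509Certificate[0];

        RecordingTrustManager() throws Exception {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null); // null = default truststore, honours -Djavax.net.ssl.trustStore
            delegate = (X509TrustManager) tmf.getTrustManagers()[0];
        }
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            presented = chain.clone();             // keep a copy before the PKIX check can throw
            delegate.checkServerTrusted(chain, authType);
        }
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "ldap.example.org"; // placeholder, not a real host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;   // LDAPS port from the log above
        RecordingTrustManager tm = new RecordingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{tm}, null);
        // Note: a raw SSLSocket does not verify the host name; this only exercises chain validation.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            System.out.println("OK: " + host + ":" + port + " chains to a trust anchor in this truststore");
        } catch (SSLHandshakeException e) {
            System.out.println("FAILED: " + e.getMessage());
            System.out.println("Chain presented by the server (leaf first):");
            for (int i = 0; i < tm.presented.length; i++) {
                X509Certificate c = tm.presented[i];
                System.out.printf("  [%d] subject=%s%n      issuer=%s%n",
                        i, c.getSubjectX500Principal(), c.getIssuerX500Principal());
            }
            if (tm.presented.length > 0) {
                X509Certificate top = tm.presented[tm.presented.length - 1];
                System.out.println("Missing anchor is the issuer of [" + (tm.presented.length - 1) + "]: "
                        + top.getIssuerX500Principal() + " (import it with keytool under an unused alias)");
            }
        }
    }
}
```

The issuer printed for the last certificate in the chain is the CA that must be present in the Crowd keystore; if the server sends only its leaf certificate, the intermediate CA(s) also have to be imported.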


Last updated: 2 November 2018
