java.security.cert.CertificateException: No subject alternative DNS name matching <hostname> found

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

症状

Connection from JIRA to LDAPS (LDAP with SSL enabled) fails with the above exception.

The following appears in atlassian-jira.log:

com.atlassian.crowd.exception.OperationFailedException: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException:
org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException
[Root exception is javax.naming.CommunicationException: simple bind failed: <hostname>:636
[Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <hostname> found.]]

OR

nested exception is javax.naming.CommunicationException: <hostname>:636
[Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <hostname> found.]

診断

One or more of the following scenarios may apply:

  1. The LDAP server hostname has changed but it's still using an old SSL certificate that refers to the old hostname
  2. JIRA and/or Java has recently been upgraded/updated whereby JIRA is now using Java version 1.8.0_181 or above
  3. There are a bunch of LDAP servers in the same forest that can communicate with one another with Follow Referrals enabled

原因

原因 1

According to CWD-2690, JIRA now verifies if the CN/SANs of the SSL certificate matches the hostname of the LDAP server. If there's a mismatch, JIRA will fail the connection and throws the above error. For example:

原因 2

JIRA is connected to LDAP server 1 with Follow Referrals enabled. With this configuration, LDAP server 1 may attempt to communicate with LDAP server 2 that may have a different hostname and/or SSL certificate, causing an unexpected mismatch.

回避策

For Cause 1

回避策 1

Edit the hosts file in the JIRA server and map the CN of the SSL certificate to the IP address of the LDAP server. Then connect JIRA to LDAP using that CN.

tip/resting Created with Sketch.

Following the example in Cause 1 section:

回避策 2

Disable Secure SSL by editing the LDAP directory and unchecking that box from Advanced Settings.

If JIRA is using Java 1.8.0_181 or above (refer to JRASERVER-66241), the following JVM parameter must also be set following Setting properties and options on startup:

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

Refer to JDK 8u181 Update Release Notes for more details on this.

For Cause 2

Disable Follow Referrals by editing the LDAP directory and unchecking that box from Advanced Settings.

ソリューション

tip/resting Created with Sketch.

This applies to Cause 1 only

  • Fix the SSL certificate to contain the right LDAP server hostname (recommended and most secure)

最終更新日 2018 年 11 月 1 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.