After upgrading Bamboo, connectivity to LDAP with SSL fails: No subject alternative names

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

After upgrading Bamboo to 5.10.x, authentication to LDAP with SSL (LDAPS) fails and the following is written in atlassian-bamboo.log:

com.atlassian.user.impl.ldap.repository.LdapConnectionFailedException: javax.naming.CommunicationException: <hostname>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address <hostIP> found]

Diagnosis

Environment

  • Using Java 1.8u51, 1.8u60, 1.7.0_85+ or 1.6.0_101+

Cause

Bamboo verifies the hostname on the SSL certificate when communicating with an LDAP server over SSL. The hostname Bamboo connects to must match the one on the SSL certificate, or Bamboo will not be able to connect to the directory. Accessing the LDAP server through its IP address fails this check, because Java is very strict in enforcing server identity.
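
To confirm this cause before changing anything, compare the address Bamboo is configured with against the subject alternative names on the certificate the LDAP server presents. The script below is an added example, not Atlassian code; its function names are made up for illustration, the host names and addresses are constructed, and the matching is a simplified model of the check (IPv4 addresses and DNS names only).

```shell
# Added example, not Atlassian code. Names and addresses are constructed.

# san_matches SAN_LINE TARGET -> exit status 0 if TARGET is covered.
# SAN_LINE is the subjectAltName line as openssl prints it, e.g.
#   DNS:ldap.example.com, IP Address:10.0.0.5
# Simplified model: an IPv4 target is compared only with "IP Address:"
# entries, a host name only with "DNS:" entries (a leading "*." matches
# exactly one label). IPv6 and the subject CN are not considered.
san_matches() (
    san=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    target=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$target" in
        ''|*[!0-9.]*) kind='dns:' ;;
        *)            kind='ip address:' ;;
    esac
    IFS=','; set -f    # split on commas; keep "*" from globbing
    for entry in $san; do
        entry=${entry# }
        case "$entry" in
            "$kind"*) value=${entry#"$kind"} ;;
            *) continue ;;
        esac
        [ "$value" = "$target" ] && exit 0
        case "$value" in
            '*.'*)
                suffix=${value#\*.}
                label=${target%".$suffix"}
                case "$label" in "$target"|''|*.*) continue ;; esac
                exit 0 ;;
        esac
    done
    exit 1
)

# ldaps_san HOST [PORT]: print the SAN line of the certificate the server presents.
ldaps_san() {
    openssl s_client -connect "$1:${2:-636}" </dev/null 2>/dev/null |
        openssl x509 -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# check_ldaps ADDRESS [PORT]: ADDRESS is the host exactly as configured in Bamboo.
check_ldaps() {
    found=$(ldaps_san "$1" "$2")
    if san_matches "$found" "$1"; then echo "OK: $1 is covered by: $found"
    else echo "MISMATCH: $1 is not covered by: $found"; return 1
    fi
}
```

Call check_ldaps with the host exactly as it appears in Bamboo's LDAP configuration; a MISMATCH for an IP address that the certificate lists only under a DNS name is the situation described above.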

Workaround

There are two options to bypass this issue:

  • Add <verifySslCertificateHostname>false</verifySslCertificateHostname> to the LDAP configuration in <BAMBOO_HOME>/xml-data/configuration/atlassian-user.xml. With this setting Bamboo no longer checks that the certificate was issued for the server it is connecting to.
  • Edit /etc/hosts so that the incorrect name on the certificate can be used: add the FQDN from the certificate and map it to the IP address of the LDAP server.

Resolution

There are two options to resolve this issue:

  • Fix the certificate to contain the correct hostname.
  • Update Java to any version higher than 1.8.0_65.

Last modified on Apr 25, 2016
