Bitbucket Server throws error "No subject alternative names matching IP address"
Symptoms
When using SSL to connect Bitbucket Server to an LDAP directory, if the name on the certificate does not match the hostname of the server, the following error can be seen in atlassian-bitbucket.log:
2012-10-18 01:03:41,007 ERROR [scheduler_Worker-1] c.a.c.d.DbCachingDirectoryPoller Error occurred while refreshing the cache for directory [ 229377 ].
com.atlassian.crowd.exception.OperationFailedException: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: <HOST_NAME.DOMAIN_NAME>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <HOST_NAME.DOMAIN_NAME> found.]]
...
Caused by: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: <HOST_NAME.DOMAIN_NAME>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <HOST_NAME.DOMAIN_NAME> found.]]
...
Cause
We've identified the following causes for this:
- Bitbucket Server verifies the hostname on the SSL certificates when communicating with an LDAP server over SSL and they don't match. The hostname must match that on the SSL certificate or Bitbucket Server will not be able to connect to the directory.
- A change to JRE 1.8.0_51 and 1.8.0_60 is causing the issue.
- A change introduced in JRE 1.8u181 is causing the issue.
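Before picking a workaround it helps to know which cause applies: Java matches a configured hostname only against dNSName SAN entries and a configured IP literal only against iPAddress SAN entries (the legacy CN fallback is ignored here). The script below is an added example, not Atlassian code; it emulates that endpoint identification on a constructed SAN list, and fetch_san() (network, assumes the LDAP server's CA is already in the system trust store) pulls the live certificate's SANs for a real check.

```python
import ipaddress
import socket
import ssl

# Constructed sample: cert issued to the DNS name only, directory configured with the IP.
SAMPLE_SAN = [("DNS", "ldap.corp.example.com")]


def dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName match: only a leftmost '*' label is a wildcard
    and it covers exactly one label (*.example.com never matches a.b.example.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) >= 3 and p_labels[1:] == h_labels[1:]


def endpoint_identification(configured_host: str, san):
    """Emulate JDK LDAPS endpoint identification for the host the directory is
    configured with. `san` is a list of (type, value) pairs in the shape of
    ssl.getpeercert()["subjectAltName"]. Returns (ok, reason)."""
    try:
        ip = ipaddress.ip_address(configured_host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is matched against iPAddress entries only; dNSName entries
        # are ignored, which produces the error in this article's title.
        for kind, value in san:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"iPAddress SAN {value} matches"
        return False, f"No subject alternative names matching IP address {configured_host}"
    for kind, value in san:
        if kind == "DNS" and dns_match(value, configured_host):
            return True, f"dNSName SAN {value} matches"
    return False, f"No subject alternative DNS name matching {configured_host} found"


def fetch_san(host: str, port: int = 636):
    """Fetch the live certificate's SAN list (network; the server's CA must be in
    the system trust store, otherwise the handshake itself fails)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # matching is reported by endpoint_identification()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert().get("subjectAltName", ())
```

Run endpoint_identification(host, fetch_san(host)) with the exact value from the User Directory "Hostname" field: a False result with the "IP address" reason means the directory is configured with an IP the certificate does not list, a "DNS name" reason means a plain name mismatch.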
Workaround
The following options work around this issue:
Specific to LDAP directories secured with SSL (bypassing certificate validation in the LDAP config):
Under the "Advanced Settings" of your User Directory configuration, uncheck the "Secure SSL" option. Its purpose is to verify that the SSL certificate presented by the LDAP server is valid for this connection, and it is checked automatically when you check "Use SSL" on the User Directory configuration. With it unchecked, Bitbucket Server no longer verifies that the certificate belongs to the host it is connecting to. This is not the recommended way to do it, though.
Other SSL scenarios:
- Workaround 1 (certificate mismatch related): Edit /etc/hosts so that the (incorrect) name on the certificate can be used. Add the FQDN that appears on the certificate and map it to the IP address of the LDAP server, then point the User Directory at that FQDN.
- Workaround 2 (JRE related): Since Java 1.8u51, a hostname resolved through the name service is no longer trusted when using SSL, so Java tries to verify an IP address that doesn't exist in the certificate. See BSERV-7741. If that's your case and you don't want to install a new JRE, or your instance is using the JRE 1.8.0_60 that we shipped with Bitbucket Server, a valid workaround consists of:
  - Editing <BITBUCKET_INSTALL>/bin/setenv.sh and changing:
#
# Occasionally Atlassian Support may recommend that you set some specific JVM arguments. You can use this variable
# below to do that.
#
JVM_SUPPORT_RECOMMENDED_ARGS=""
    into:
#
# Occasionally Atlassian Support may recommend that you set some specific JVM arguments. You can use this variable
# below to do that.
#
JVM_SUPPORT_RECOMMENDED_ARGS="-Djdk.tls.trustNameService=true"
  - Restarting your Bitbucket Server
- Workaround 3 (JRE 1.8u181+): According to the JDK 8u181 Update Release Notes:
"Endpoint identification has been enabled on LDAPS connections. To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default. Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification. Define this system property (or set it to true) to disable endpoint identification algorithms."
In this case, set JVM_SUPPORT_RECOMMENDED_ARGS="-Dcom.sun.jndi.ldap.object.disableEndpointIdentification". Note that this is a JVM-wide system property: it turns off hostname verification for every LDAPS connection made by the Bitbucket Server JVM, not only for the directory that is failing.
setenv and environment variable changes in Bitbucket Server 5.0+
Starting with Bitbucket Server 5.0, setenv.sh and setenv.bat have been removed. The options that were set in these files can now be set via environment variables. Where to set the environment variable depends on which operating system you're running on.
Linux
When using the atlbitbucket service on Linux, the environment variables are ignored. You must set the parameters in _start-webapp.sh (or start-bitbucket.sh). These values will be read when the service starts.
As an example, to set JVM_SUPPORT_RECOMMENDED_ARGS, you would add this line to the file:
JVM_SUPPORT_RECOMMENDED_ARGS=-XX:+HeapDumpOnOutOfMemoryError
Windows
Set the parameter as an environment variable for the user running Bitbucket Server. For example, if you want to set JVM_SUPPORT_RECOMMENDED_ARGS, create it as an environment variable and assign the appropriate value to it. When Bitbucket Server starts using the startup scripts or service, it will pick up and apply this value.
Resolution
Certificate mismatch:
- Fix the certificate to contain the correct hostname.
JRE:
If running Java 1.8.0_51 or 1.8.0_60, update to 1.8.0_65, as it contains a fix for the issue described in STASH-7741.
In addition, we are going to ship 1.8.0_65 as our embedded JRE soon: BSERV-8258.