java.security.cert.CertificateException: No subject alternative DNS name matching <hostname> found

Still need help?

The Atlassian Community is here for you.

Symptoms

Using SSL to connect Confluence to an LDAP directory can result in the following error:

java.security.cert.CertificateException: No subject alternative DNS name matching <hostname> found

This error may be found within the UI when testing the directory connection or when testing user retrieval. The error also appears in <confluence_home>/logs/atlassian-confluence.log.

Cause

There can be multiple causes to this issue.

Due to changes introduced Confluence starting at version 4.2, Confluence may check the hostname on SSL certificates when communicating with an LDAP server over SSL. What this means is that the hostname used to connect to the LDAP server must match that of the SSL certificate, or Confluence will not be able to connect to the directory. This is by design.

Another possible cause for this issue is if Advanced Settings > Follow Referrals is enabled unnecessarily in User Directory Configurations when connecting to a single-node LDAP directory without cross-domain memberships.

Resolution

Try them in following order:

1. Fix the certificate to contain the correct name. This is the preferred (and most secure) fix.
2. Uncheck "Advanced Settings > Secure SSL" in User Directory Configurations while still configuring an SSL connection. Confluence will connect to the LDAP server over SSL but will not verify that the hostname and certificate match.
NOTE This option is only found in Confluence 5.1.3 and later, as per CONF-26049 - Getting issue details... STATUS
3. Edit /etc/hosts to allow you to use the incorrect name in the certificate. Add the FQDN on the certificate and match it to the IP address of the server.
4. Disable "Follow Referrals" in the User Directory configuration, if cross-domain memberships are not used.
5. If you are using JDK 1.8.0_51 or later (bundled in Confluence 5.8.8 and later), the JDK no longer performs reverse name lookup for IP addresses by default, as per this java doc. You can re-enable reverse lookup by adding '-Djdk.tls.trustNameService=true' to your system parameters.

If an application does need to perform reverse name lookup for raw IP addresses in SSL/TLS connections, and encounter endpoint identification compatibility issue, System property "jdk.tls.trustNameService" can be used to switch on reverse name lookup. Note that if the name service is not trustworthy, enabling reverse name lookup may be susceptible to MITM attacks.