LDAPS integration with Hipchat Server fails with SSLHandshakeException - PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the server and data center platforms.


Problem

LDAPS integration with Hipchat Server fails. When running the directory connection test, the error "Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors" is shown in the UI.

The following appears in atlassian-crowd.log:

Caused by: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: hostname.domain.org:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors]]
	at java.util.concurrent.FutureTask.report(FutureTask.java:122)
	at java.util.concurrent.FutureTask.get(FutureTask.java:188)

Diagnosis

  • Make sure the LDAP server's SSL certificate (and the CA certificates that issued it) has been installed into the Hipchat Server's Crowd Java keystore. See How To Install LDAP SSL Certificate into Hipchat Server Keystore.
  • Run the SSLPoke test (see the Diagnosis section of that article). This confirms whether the truststore the Crowd JVM actually uses contains the certificates needed to build a path to the LDAP server's certificate. Note: replace the port number in the article with the port the LDAP server is listening on (636 for LDAPS by default).

Cause

  • Hipchat Server's Crowd Java keystore does not trust the SSL certificate presented by the LDAP server: none of the certificates in the keystore is a trust anchor (the issuing CA or the root CA) that the server's certificate chain can be built up to. This also happens when the LDAP server sends only its leaf certificate and the intermediate CA that issued it is missing from both the server's chain and the keystore.

Resolution

  1. Check the certificate chain the LDAP server actually presents (leaf, any intermediate CAs and the root), for example with openssl s_client -connect hostname.domain.org:636 -showcerts, and identify which CA certificate the keystore is missing.
  2. Import the missing CA certificate(s) into the Hipchat Server's Crowd Java keystore, each under its own alias.
  3. Restart the Crowd service so it reloads the keystore:

    sudo dont-blame-hipchat -c "service crowd restart"

(info) If the import fails with keytool error: java.lang.Exception: Certificate not imported, alias <mykey> already exists, the default alias is already taken by an earlier import; re-run the import with a different alias name (keytool -importcert -alias <unique-name> ...).
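The three resolution steps above as one script. This is an added example and not code from the Atlassian article: it fetches the chain the LDAPS server presents, imports every certificate in it under an alias derived from the certificate's SHA-256 fingerprint (so the "alias already exists" error cannot occur and nothing is imported twice), lists what was added, and restarts Crowd. It assumes the Crowd truststore is a JKS/cacerts file whose path is given in CROWD_KEYSTORE, that its password is in STOREPASS (the JVM default is changeit), and that openssl and keytool are on PATH; the article does not state the keystore path, so supply it yourself.

```shell
#!/bin/sh
# Added example (not from the Atlassian article): import the full LDAPS chain
# into the Hipchat Server Crowd truststore with a unique alias per certificate.
#
# Assumptions: CROWD_KEYSTORE points at the Crowd JVM truststore (JKS/cacerts
# file), STOREPASS is its password (JVM default "changeit"), LDAP_HOST/LDAP_PORT
# name the LDAPS server (port defaults to 636), keytool and openssl are on PATH.
set -eu

# split_pem_chain DIR: read `openssl s_client -showcerts` output on stdin, write
# each PEM certificate to DIR/cert-N.pem and print the number of certificates.
split_pem_chain() {
  outdir=$1
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem"; inblock = 1 }
    inblock                       { print > f }
    /-----END CERTIFICATE-----/   { inblock = 0; close(f) }
    END                           { print n + 0 }
  '
}

# cert_alias FILE: stable alias from the SHA-256 fingerprint (ldaps-<16 hex>),
# so two different certificates never collide on the same alias.
cert_alias() {
  fp=$(openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f')
  printf 'ldaps-%s\n' "$(printf '%s' "$fp" | cut -c1-16)"
}

# fetch_chain HOST PORT DIR: pull the chain the server really sends and print
# subject/issuer of each link. A leaf with no intermediate behind it is itself
# a common cause of "Path does not chain with any of the trust anchors".
fetch_chain() {
  host=$1; port=$2; dir=$3
  n=$(openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | split_pem_chain "$dir")
  [ "$n" -gt 0 ] || { echo "no certificates received from $host:$port" >&2; return 1; }
  echo "server sent $n certificate(s):"
  for f in "$dir"/cert-*.pem; do
    openssl x509 -noout -subject -issuer -in "$f"
  done
}

# import_chain DIR KEYSTORE PASS: import each certificate whose alias is not yet
# present, then list the truststore entries this script manages.
import_chain() {
  dir=$1; ks=$2; pw=$3
  for f in "$dir"/cert-*.pem; do
    alias=$(cert_alias "$f")
    if keytool -list -keystore "$ks" -storepass "$pw" -alias "$alias" >/dev/null 2>&1; then
      echo "skip $alias: already in $ks"
      continue
    fi
    keytool -importcert -noprompt -trustcacerts -file "$f" -alias "$alias" \
            -keystore "$ks" -storepass "$pw"
  done
  keytool -list -keystore "$ks" -storepass "$pw" | grep '^ldaps-' || true
}

# The network and keystore steps only run when LDAP_HOST is set, e.g.
#   LDAP_HOST=hostname.domain.org CROWD_KEYSTORE=/path/to/cacerts sh import-ldaps-chain.sh
if [ -n "${LDAP_HOST:-}" ]; then
  work=$(mktemp -d)
  fetch_chain "$LDAP_HOST" "${LDAP_PORT:-636}" "$work"
  import_chain "$work" "${CROWD_KEYSTORE:?set to the Crowd JVM truststore path}" "${STOREPASS:-changeit}"
  # Crowd reads the truststore at startup, so restart it (step 3 above).
  sudo dont-blame-hipchat -c "service crowd restart"
fi
```

Importing every link of the presented chain is deliberate: the PKIX validator only needs one trust anchor, but if the server omits its intermediate CA, the intermediate must be in the keystore for path building to succeed, and importing the root as well keeps validation working after the intermediate is rotated. Re-running the script is safe because existing aliases are skipped.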


Last modified on Nov 2, 2018
