java.security.cert.CertificateException: No subject alternative DNS name matching <hostname> found

Still need help?

The Atlassian Community is here for you.

Ask the community

Symptoms

Connection from JIRA to LDAPS (LDAP with SSL enabled) fails with the above exception.

The following appears in atlassian-jira.log:

com.atlassian.crowd.exception.OperationFailedException: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException:
org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException
[Root exception is javax.naming.CommunicationException: simple bind failed: <hostname>:636
[Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <hostname> found.]]

OR

nested exception is javax.naming.CommunicationException: <hostname>:636
[Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <hostname> found.]

Diagnosis

One or more of the following scenarios may apply:

  1. The LDAP server hostname has changed but it's still using an old SSL certificate that refers to the old hostname
  2. JIRA and/or Java has recently been upgraded/updated whereby JIRA is now using Java version 1.8.0_181 or above
  3. There are a bunch of LDAP servers in the same forest that can communicate with one another with Follow Referrals enabled

Causes

Cause 1

According to CWD-2690, JIRA now verifies if the CN/SANs of the SSL certificate matches the hostname of the LDAP server. If there's a mismatch, JIRA will fail the connection and throws the above error. For example:

Cause 2

JIRA is connected to LDAP server 1 with Follow Referrals enabled. With this configuration, LDAP server 1 may attempt to communicate with LDAP server 2 that may have a different hostname and/or SSL certificate, causing an unexpected mismatch.

Workarounds

For Cause 1

Workaround 1

Edit the hosts file in the JIRA server and map the CN of the SSL certificate to the IP address of the LDAP server. Then connect JIRA to LDAP using that CN.

tip/resting Created with Sketch.

Following the example in Cause 1 section:

Workaround 2

Disable Secure SSL by editing the LDAP directory and unchecking that box from Advanced Settings.

If JIRA is using Java 1.8.0_181 or above (refer to JRASERVER-66241), the following JVM parameter must also be set following Setting properties and options on startup:

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

Refer to JDK 8u181 Update Release Notes for more details on this.

For Cause 2

Disable Follow Referrals by editing the LDAP directory and unchecking that box from Advanced Settings.

Resolution

tip/resting Created with Sketch.

This applies to Cause 1 only

  • Fix the SSL certificate to contain the right LDAP server hostname (recommended and most secure)

Last modified on Nov 1, 2018

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.