java.security.cert.CertificateException: No subject alternative DNS name matching <hostname> found
Connection from JIRA to LDAPS (LDAP with SSL enabled) fails with the above exception.
The following appears in
com.atlassian.crowd.exception.OperationFailedException: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: simple bind failed: <hostname>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <hostname> found.]] OR nested exception is javax.naming.CommunicationException: <hostname>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <hostname> found.]
One or more of the following scenarios may apply:
- The LDAP server hostname has changed but it's still using an old SSL certificate that refers to the old hostname
- JIRA and/or Java has recently been upgraded/updated whereby JIRA is now using Java version 1.8.0_181 or above
- There are a bunch of LDAP servers in the same forest that can communicate with one another with Follow Referrals enabled
According to CWD-2690, JIRA now verifies if the CN/SANs of the SSL certificate matches the hostname of the LDAP server. If there's a mismatch, JIRA will fail the connection and throws the above error. For example:
- LDAP server hostname is ldapserver.com
- CN/SANs of SSL certificate is jiradirectory.com
- JIRA is using ldapserver.com to connect to LDAP, which differs from jiradirectory.com
JIRA is connected to LDAP server 1 with Follow Referrals enabled. With this configuration, LDAP server 1 may attempt to communicate with LDAP server 2 that may have a different hostname and/or SSL certificate, causing an unexpected mismatch.
For Cause 1
hosts file in the JIRA server and map the CN of the SSL certificate to the IP address of the LDAP server. Then connect JIRA to LDAP using that CN.
Following the example in Cause 1 section:
Disable Secure SSL by editing the LDAP directory and unchecking that box from Advanced Settings.
Refer to JDK 8u181 Update Release Notes for more details on this.
For Cause 2
Disable Follow Referrals by editing the LDAP directory and unchecking that box from Advanced Settings.
This applies to Cause 1 only
- Fix the SSL certificate to contain the right LDAP server hostname (recommended and most secure)