No subject alternative names - LDAP with SSL


Symptoms

When using SSL to connect Stash to an LDAP directory, if the hostname (or IP address) Stash connects to does not match any name on the server's certificate, the following error can be seen in atlassian-stash.log:

2012-10-18 01:03:41,007 ERROR [scheduler_Worker-1]  c.a.c.d.DbCachingDirectoryPoller Error occurred while refreshing the cache for directory [ 229377 ].
com.atlassian.crowd.exception.OperationFailedException: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: <HOST_NAME.DOMAIN_NAME>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <HOST_NAME.DOMAIN_NAME> found.]]
...
Caused by: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: <HOST_NAME.DOMAIN_NAME>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <HOST_NAME.DOMAIN_NAME> found.]]
...

Cause

Stash verifies the hostname on the SSL certificate when communicating with an LDAP server over SSL. The hostname Stash connects to must appear on the certificate (in the subject alternative names, as the error message shows), or Stash will not be able to connect to the directory. Connecting to the LDAP server by IP address fails unless that IP address is itself listed on the certificate as an IP subject alternative name, because Java's hostname verification is strict in enforcing server identity.

Workaround

There are two ways to work around this issue until the certificate is fixed:

  • Add an entry to /etc/hosts on the Stash server that maps the FQDN on the certificate to the IP address of the LDAP server, and use that FQDN as the hostname in the User Directory configuration. The certificate still carries the wrong name for the server, but the name Stash connects with now matches it.
  • Under the "Advanced Settings" of your User Directory configuration, uncheck the "Secure SSL" option. Its purpose is to verify that the SSL certificate is valid for this connection, and it is checked automatically when you check "Use SSL". Unchecking it disables that verification, so Stash will accept any certificate the LDAP server (or anything sitting between Stash and the server) presents; treat this as a temporary measure and re-enable it once the certificate is fixed.

Java 1.8.0_51 changed this behaviour: when connecting over SSL, the LDAP client no longer trusts the hostname it resolved and instead verifies the certificate against the resolved IP address, which is not in the certificate, so the handshake fails even when the certificate carries the correct hostname. See STASH-7741.

Resolution

Fix the certificate to contain the correct hostname.
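As an added example (not code from the Atlassian article), the following POSIX shell script covers both the diagnosis behind the Cause section and the fix above: it reads the subject alternative names off a server certificate, applies the same matching rule Java's hostname verification uses (a hostname must equal a DNS SAN or match a single-label wildcard; an IP literal is only accepted against an IP Address SAN), and generates a certificate that carries the names Stash actually connects with. It assumes the openssl command-line tool is installed; the hostnames, addresses and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Atlassian article: inspect the names on an
# LDAPS server certificate and apply the matching rule Java uses, so you
# can see why a connection name is rejected before touching Stash.
# Assumes the openssl CLI; ldap.example.com and 192.0.2.10 are constructed.

# Fetch the server certificate from a live LDAPS endpoint as PEM (network).
fetch_ldaps_cert() {  # usage: fetch_ldaps_cert HOST PORT
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# Print the subjectAltName entries of the PEM certificate on stdin, one per
# line, as openssl renders them: "DNS:ldap.example.com", "IP Address:192.0.2.10".
cert_sans() {
    openssl x509 -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Exit 0 if NAME ($1) would pass hostname verification against the SAN list
# on stdin, 1 otherwise. Same rule as Java's checker: an IP literal must be
# present as an IP Address SAN (compared textually here); a hostname must
# equal a DNS SAN case-insensitively, or match a wildcard whose "*" stands
# for exactly one leftmost label. A certificate with no SANs never matches.
name_matches_sans() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while IFS= read -r san; do
        kind=$(printf '%s' "${san%%:*}" | tr 'A-Z' 'a-z')
        value=$(printf '%s' "${san#*:}" | tr 'A-Z' 'a-z')
        case "$kind" in
            'ip address')
                [ "$name" = "$value" ] && return 0
                ;;
            dns)
                [ "$name" = "$value" ] && return 0
                case "$value" in
                    '*.'*)
                        suffix=${value#\*}     # ".example.com"
                        first=${name%%.*}      # leftmost label of NAME
                        [ "$first$suffix" = "$name" ] && return 0
                        ;;
                esac
                ;;
        esac
    done
    return 1
}

# Does NAME ($1) match the certificate in PEM file $2? Exit status is the verdict.
check_name() {
    cert_sans < "$2" | name_matches_sans "$1"
}

# The fix from the Resolution: issue the certificate with the names Stash
# actually uses. This self-signed certificate (constructed for the demo) is
# valid for DNS:ldap.example.com and IP Address:192.0.2.10 and nothing else.
# For a real server, put the same subjectAltName line in the CSR config.
make_demo_cert() {  # prints a PEM certificate
    dir=$(mktemp -d)
    cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = ldap.example.com
[v3_req]
subjectAltName = DNS:ldap.example.com, IP:192.0.2.10
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/san.cnf" -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    cat "$dir/cert.pem"
    rm -rf "$dir"
}

# Stand-alone demonstration: the two "no match" lines are the names that
# reproduce the article's failing handshake against the demo certificate.
demo() {
    pem=$(mktemp)
    make_demo_cert > "$pem"
    for n in ldap.example.com 192.0.2.10 ldap.corp.example.com 192.0.2.11; do
        if check_name "$n" "$pem"; then echo "$n: matches"; else echo "$n: no match"; fi
    done
    rm -f "$pem"
}

demo
```

Against a real directory server, run fetch_ldaps_cert with the LDAP host and port 636 to save the certificate, then check_name with the exact hostname or IP address entered in the Stash User Directory configuration; a non-zero exit is the same verdict Java's handshake reaches, and cert_sans shows which names the certificate would need to carry instead. The matcher compares IP literals textually, so an IPv6 address must be written exactly as openssl prints it.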

If running Java 1.8.0_51 or 1.8.0_60, update to 1.8.0_65, which contains a fix for the issue described in STASH-7741.

Last modified on Mar 30, 2016
