No Subject Alternative Names
Symptoms
Your Stash backup client or Stash application fails while connecting to a HTTPS URL and throws a No subject alternative names present
Java error on the logs.
Possible situations:
1) Backup client fails
The following appears in the Backup client logs (<path/to/backup/client>/log/atlassian-sbc-YYYY-MM-DD-HHMM.log
):
$ java -jar stash-backup-client.jar
2014-12-16 18:11:42,929 INFO Initializing
2014-12-16 18:11:44,479 DEBUG HTTP GET https://127.0.0.1:8443/mvc/maintenance, headers: [Accept:[application/json], Authorization:[Basic amVmZjpqZWZm], User-Agent:[Wink Client v1.1.2]]
2014-12-16 18:11:44,479 DEBUG HTTP GET https://127.0.0.1:8443/rest/api/latest/application-properties, headers: [Accept:[application/json], Authorization:[Basic amVmZjpqZWZm], User-Agent:[Wink Client v1.1.2]]
2014-12-16 18:11:44,691 ERROR A backup could not be created. Reason: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
org.apache.wink.client.ClientRuntimeException: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
at org.apache.wink.client.internal.ResourceImpl.invoke(ResourceImpl.java:241) ~[wink-client-1.4.jar:1.4]
at org.apache.wink.client.internal.ResourceImpl.invoke(ResourceImpl.java:189) ~[wink-client-1.4.jar:1.4]
... 17 more frames available in the log file
2) Stash fails
The following appears in the atlassian-stash.log
while trying to create AppLinks:
2015-06-10 07:36:05,271 ERROR [http-nio-7990-exec-6] <USERNAME> @1MXVZCJx456x13355x0 18aal9q <YOUR_IP>,127.0.0.1 "GET /rest/applinks/2.0/applicationlinkForm/manifest.json HTTP/1.1" c.a.a.c.r.u.CreateApplicationLinkUIResource ManifestNotFoundException thrown while retrieving manifest
com.atlassian.applinks.spi.manifest.ManifestNotFoundException: javax.net.ssl.SSLException: java.security.cert.CertificateException: No subject alternative names present
at com.atlassian.applinks.core.manifest.AppLinksManifestDownloader.download1(AppLinksManifestDownloader.java:201) ~[applinks-plugin-4.3.7_1433795434000.jar:na]
at com.atlassian.applinks.core.manifest.AppLinksManifestDownloader.access$000(AppLinksManifestDownloader.java:44) ~[applinks-plugin-4.3.7_1433795434000.jar:na]
at com.atlassian.applinks.core.manifest.AppLinksManifestDownloader$1$1.<init>(AppLinksManifestDownloader.java:86) ~[applinks-plugin-4.3.7_1433795434000.jar:na]
Caused by: javax.net.ssl.SSLException: java.security.cert.CertificateException: No subject alternative names present
...
at com.atlassian.sal.core.net.HttpClientRequest.executeAndReturn(HttpClientRequest.java:360) ~[sal-core-2.13.4.jar:na]
at com.atlassian.applinks.core.manifest.AppLinksManifestDownloader.download1(AppLinksManifestDownloader.java:150) ~[applinks-plugin-4.3.7_1433795434000.jar:na]
... 31 common frames omitted
Caused by: java.security.cert.CertificateException: No subject alternative names present
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:144) ~[na:1.8.0_45]
at sun.security.util.HostnameChecker.match(HostnameChecker.java:93) ~[na:1.8.0_45]
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:284) ~[commons-httpclient-3.1-atlassian-2.jar:na]
... 43 common frames omitted
Cause
No subject alternative names present
is caused when accessing an application over HTTPS by using the IP address on the URL rather than the domain contained in the remote SSL certificate and the SSL certificate being fetched does not contain the Subject Alternative Name (SAN) parameter with the matching IP address as an alternative attribute. Java is very strict about enforcing that the certificate contains a SAN entry for the IP address, if that is how it's being accessed.
Resolution
Commonly the certificate being fetched by Stash or the backup client is self-signed can be loaded into 2 different locations:
- Either directly into Stash's Tomcat as described on Securing Stash with Tomcat using SSL
- Or in the Apache proxy Securing Stash with Apache using SSL
Therefore resolving this will require 2 different approaches.