Automation for Jira and/or Jira webhooks fail with SSLPeerUnverifiedException
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Webhook testing or execution in Jira or the Automation for Jira app fails with HTTP 500.
This may happen while testing a Microsoft Teams webhook after Microsoft deprecated the webhooks API outlook.office.com/webhook.
Diagnosis
The following error is logged:
2021-04-07 19:46:51,190+0900 http-nio-8080-exec-18 WARN user_name 1186x2267834x1 sdlkxe 10.121.10.101,10.101.19.70,0:0:0:0:0:0:0:1 /rest/cb-automation/latest/project/17316/rule/outgoing-webhook/validate [c.c.t.api.http.HttpClientImpl] Unexpected problem sending request [POST https://subdomain.webhook.office.com/webhookb2 HTTP/1.1]: SSLPeerUnverifiedException: Certificate for <subdomain.webhook.office.com> doesn't match any of the subject alternative names: [*.internal.outlook.com, *.outlook.com, outlook.com, office365.com, *.office365.com, *.outlook.office365.com, *.office.com, outlook.office.com, substrate.office.com, attachment.outlook.live.net, attachment.outlook.office.net, attachment.outlook.officeppe.net, attachments.office.net, *.clo.footprintdns.com, *.nrb.footprintdns.com, ccs.login.microsoftonline.com, ccs-sdf.login.microsoftonline.com, substrate-sdf.office.com, attachments-sdf.office.net, *.live.com, mail.services.live.com, hotmail.com, *.hotmail.com]
Cause
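During SSL validation in the Java HTTP client, the FQDN of the host being contacted has to match at least one of the hosts defined in the SSL certificate.
With SNI disabled, the client does not send the requested hostname during the TLS handshake, so the server cannot select a certificate for that name and presents its default certificate. Wildcard matching against that certificate follows RFC 6125, section 6.4.3 (Checking of Wildcard Certificates):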
"2. If the wildcard character is the only character of the left-most label in the presented identifier, the client SHOULD NOT compare against anything but the left-most label of the reference identifier (e.g., *.example.com would match foo.example.com but not bar.foo.example.com or example.com)."
In the error above, subdomain.webhook.office.com could not be matched with *.office.com.
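The matching rule quoted above, as an added Python example (not code from Atlassian or from the JVM): a simplified matcher for wildcards that occupy the whole left-most label, run over a subset of the SAN entries from the log line. The function names and the `*.webhook.office.com` entry in the last check are assumptions made for illustration.

```python
"""Simplified RFC 6125 section 6.4.3 (rule 2) hostname matching.

Added illustration only: handles a wildcard that is the whole left-most
label, which is the case in the log line above.
"""

# Subset of the SAN entries listed in the SSLPeerUnverifiedException message.
SANS_FROM_LOG = [
    "*.internal.outlook.com", "*.outlook.com", "outlook.com",
    "office365.com", "*.office365.com", "*.outlook.office365.com",
    "*.office.com", "outlook.office.com", "substrate.office.com",
    "*.live.com", "hotmail.com", "*.hotmail.com",
]


def _labels(name):
    return name.lower().rstrip(".").split(".")


def san_matches(pattern, hostname):
    """True if one dNSName SAN entry covers the hostname."""
    p, h = _labels(pattern), _labels(hostname)
    # The wildcard replaces exactly one label, so the label counts must agree.
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]  # compare everything right of the wildcard
    return p == h


def matching_sans(hostname, sans):
    return [s for s in sans if san_matches(s, hostname)]


def near_misses(hostname, sans):
    """Wildcards for a parent domain that fail only because of label depth."""
    host = ".".join(_labels(hostname))
    return [s for s in sans
            if s.startswith("*.") and host.endswith(s[1:].lower())
            and not san_matches(s, hostname)]


if __name__ == "__main__":
    host = "subdomain.webhook.office.com"  # host from the log line
    print("matches:    ", matching_sans(host, SANS_FROM_LOG))
    print("near misses:", near_misses(host, SANS_FROM_LOG))
    # Hypothetical SAN, constructed to show a wildcard at the right depth.
    print("deeper wildcard:", san_matches("*.webhook.office.com", host))
```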
Solution
If you have -Djsse.enableSNIExtension=false in your JVM parameters, remove it.