After upgrading Bamboo, connectivity to LDAP with SSL fails: No subject alternative names
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Problem
After upgrading Bamboo to 5.10.x, authentication to LDAP with SSL (LDAPS) fails and the following is written in atlassian-bamboo.log:
com.atlassian.user.impl.ldap.repository.LdapConnectionFailedException: javax.naming.CommunicationException: <hostname>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address <hostIP> found]
Diagnosis
Environment
Using Java 1.8u51, 1.8u60, 1.7.0_85+ or 1.6.0_101+
Cause
Bamboo verifies the hostname on the SSL certificate when communicating with an LDAP server over SSL. The hostname must match that on the SSL certificate or Bamboo will not be able to connect to the directory. If the LDAP server is accessed through its IP address, Java will not allow the connection, as it is very strict in enforcing server identity.
Solution
Workaround
There are two options to bypass this issue:
Add <verifySslCertificateHostname>false</verifySslCertificateHostname> to the LDAP configuration in <BAMBOO_HOME>/xml-data/configuration/atlassian-user.xml.
Edit /etc/hosts to allow using the name on the certificate. Add the FQDN on the certificate and map it to the IP address of the LDAP server.
Resolution
There are two options to resolve this issue:
Fix the certificate to contain the correct hostname.
Update Java to any version higher than 1.8.0_65.
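To confirm the cause before choosing between the options above, the following added example (not Atlassian's code) compares the host used in the LDAP URL with the subject alternative names on the server certificate. The function names are hypothetical, and the hostname and 192.0.2.10 address are constructed sample values.

```python
import ipaddress
import socket
import ssl

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {"subjectAltName": (("DNS", "ldap.example.test"),)}


def fetch_cert(host, port=636, cafile=None):
    """Fetch the LDAPS server certificate; the chain is validated, the name is not."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: bundle for a private CA
    ctx.check_hostname = False  # inspection only, so the SAN list can be read
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()


def _dns_match(pattern, host):
    """Exact match, or one leftmost-label wildcard such as *.example.test."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def diagnose(target, cert):
    """Compare the host used in the LDAP URL with the certificate's SAN entries.

    Simplification: fallback to the subject CN is not modelled.
    """
    sans = cert.get("subjectAltName", ())
    dns = [v for k, v in sans if k == "DNS"]
    ips = [ipaddress.ip_address(v) for k, v in sans if k == "IP Address"]
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP target is compared only with IP SAN entries, never DNS names.
        if addr in ips:
            return "ok"
        return "ip-not-in-san: certificate names are %s" % dns
    if any(_dns_match(p, target) for p in dns):
        return "ok"
    return "name-mismatch: certificate names are %s" % dns
```

A result of ip-not-in-san means the LDAP URL can be switched to one of the listed names, which keeps hostname verification enabled.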