SSL: Algorithm constraints check failed

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Problem

After copying a cacerts file from an older version of a JDK or JRE, the following appears in the daily log file:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 ERROR [clusterScheduler_Worker-3] c.a.c.d.DbCachingDirectoryPoller Error occurred while refreshing the cache for directory [ 458753 ]. com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.CommunicationException: xxx.xxx.xxx.xxx:xxxx; nested exception is javax.naming.CommunicationException: xxx.xxx.xxx.xxx:xxxx [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA] ... Caused by: org.springframework.ldap.CommunicationException: xxx.xxx.xxx.xxx:xxxx; nested exception is javax.naming.CommunicationException: xxx.xxx.xxx.xxx:xxxx [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA] at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:108) ~[spring-ldap-core-2.0.2.RELEASE.jar:2.0.2.RELEASE] ... Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_71] ... Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:352) ~[na:1.8.0_71] ... Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135) ~[na:1.8.0_71]

Diagnosis

Environment

  • JDK/JRE has been updated, and an older cacerts file was copied into to new JDK/JRE path.

Cause

During JVM releases, Oracle will update the cacerts file adding or removing security algorithms. The older cacerts file may not contain all of the expected certificates or algorithms used in the newer JVM

Solution

Resolution

  1. Restore the original cacerts file to the newer JDK/JRE path.

  2. Import your certificates into the new cacerts file

    1 $JAVA_HOME/keytool -import -alias <server_name> -keystore $JAVA_HOME/lib/security/cacerts -file CERTIFICATE_FILE_NAME

  3. Restart the application.

Updated on April 2, 2025
Platform
Data Center only
Product
Bitbucket Data Center
On this pageSummaryDiagnosisCauseSolution

Still need help?

The Atlassian Community is here for you.
Ask the Community