Get 'Hostname in certificate didn't match' error when integrating with Crowd SSO

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Problem

The problem happens when:

  1. Log in to JIRA as an admin.

  2. Go to the JIRA admin pages; the request fails with a 500 error message.

The following appears in the atlassian-jira.log:

2016-04-09 05:54:28,815 http-bio-443-exec-24 ERROR anonymous 354x59x1 1x99dcq 192.168.0.3 /rest/gadget/1.0/login [jira.security.login.JiraSeraphAuthenticator] Error occurred while trying to authenticate user 'captain.planet'.
com.atlassian.crowd.exception.runtime.OperationFailedException
    at com.atlassian.crowd.embedded.core.CrowdServiceImpl.convertOperationFailedException(CrowdServiceImpl.java:922)
    at com.atlassian.crowd.embedded.core.CrowdServiceImpl.authenticate(CrowdServiceImpl.java:81)
    at com.atlassian.crowd.embedded.core.DelegatingCrowdService.authenticate(DelegatingCrowdService.java:37)
    at com.atlassian.crowd.embedded.core.FilteredCrowdServiceImpl.authenticate(FilteredCrowdServiceImpl.java:51)
    at com.atlassian.jira.security.login.JiraSeraphAuthenticator.crowdServiceAuthenticate(JiraSeraphAuthenticator.java:91)
    at com.atlassian.jira.security.login.JiraSeraphAuthenticator.authenticate(JiraSeraphAuthenticator.java:55)
    ...
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLException: hostname in certificate didn't match: <jira.atlassian.com> != <*.atlassian.net> OR <*.atlassian.net> OR <atlassian.net>
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238)
    at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:159)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:140)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:301)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:259)
    at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:125)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:319)

Diagnosis

  • When attempting to connect to Crowd (either to login, or synchronise with the directory) the above exception is thrown.

  • Crowd is being served behind SSL (either at a reverse-proxy or on Tomcat directly).

Cause

There are several causes:

  • The JIRA application in Crowd is using an old hostname URL.

  • The certificate being served by Crowd does not match the domain it is being accessed on. This may be because an incorrect certificate is being served, because the JIRA server is accessing Crowd on an A record, or because the hosts file has been modified.

Solution

Workaround

  1. Check the correct certificate is served by Crowd.

  2. Update JIRA to use the correct hostname. If you are unable to log in, re-enable the internal directory and access an internal admin user as per Retrieving the JIRA Administrator.

  3. Remove the old hostname from Crowd Remote Addresses. For more detailed information, refer to Specifying an Application's Address or Hostname.

  4. Add the new hostname to Crowd Remote Addresses.

  5. If Crowd is behind a reverse-proxy, ensure the IP of the proxy is in the Crowd Remote Addresses.

ℹ️ You can also edit the hosts file on the JIRA server to redirect the incorrect hostname to the correct one. Using the example above, put a mapping in jira.atlassian.com to map to the jira.atlassian.net IP, then update the Crowd URL in JIRA. JIRA will then connect using the same hostname as the certificate.
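
For step 1, the following added example (not Atlassian's code) compares the hostname in the Crowd URL with the DNS names a certificate offers, using the names from the log excerpt as constructed sample input. The function names are hypothetical, and the matching rule (a wildcard covers exactly one left-most label) is a simplified assumption that may differ in detail from the HttpClient verifier shown in the stack trace.

```python
import socket
import ssl

# Constructed sample: the certificate names listed in the SSLException above.
LOG_CERT_NAMES = ["*.atlassian.net", "atlassian.net"]


def served_dns_names(host, port=443, timeout=5.0):
    """Fetch the DNS subjectAltName entries of the certificate served at host:port."""
    ctx = ssl.create_default_context()  # the chain is still validated
    ctx.check_hostname = False          # keep going on a mismatch so the names can be read
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(hostname, pattern):
    """Exact match, or '*' standing for exactly one left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Refuse wildcards directly under a TLD, such as '*.net'.
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def check_crowd_host(hostname, cert_names):
    """Return (ok, names): the matching names if ok, otherwise every name offered."""
    matching = [n for n in cert_names if name_matches(hostname, n)]
    return bool(matching), matching or list(cert_names)


if __name__ == "__main__":
    # Offline run against the names from the log. For a live check, replace
    # LOG_CERT_NAMES with served_dns_names("<host from the Crowd URL>").
    for host in ("jira.atlassian.com", "jira.atlassian.net"):
        ok, names = check_crowd_host(host, LOG_CERT_NAMES)
        print(f"{host}: {'OK' if ok else 'MISMATCH'} against {names}")
```

Run the live check from the JIRA server itself so that its DNS and hosts-file entries are the ones being exercised.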

Updated on April 2, 2025
