Symptom
You have configured a secure LDAPS connection to your LDAP server from a Sonatype server product such as Nexus Repository (2 or 3) or IQ Server.
The connection fails, and the logged cause includes the following message:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <ldap_server_host_name> found.
You may have just noticed this problem after upgrading a Sonatype server product version that includes its own OpenJDK distribution.
You may have noticed this problem after upgrading the Java version that a Sonatype server product is using to Java 8u181 or newer.
You may have noticed this problem after the Java version being used by your Sonatype server product was automatically updated to a newer version in the background as part of the Java built-in automatic updates.
Cause
Sonatype server products rely on the javax.naming Java APIs to connect to your LDAP server.
The Java 8u181 release notes record a change to how secure LDAP connections are handled:
core-libs/javax.naming
➜ Improve LDAP support
Endpoint identification has been enabled on LDAPS connections. To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.
Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.
Define this system property (or set it to true) to disable endpoint identification algorithms.
JDK-8200666 (not public)
Solution
Java is checking that the host name in your connection configuration matches one of the host names in the LDAPS server's TLS certificate, and that the certificate's names are well formed. The exact wording of the message tells you something useful: "No subject alternative DNS name matching <ldap_server_host_name> found" is raised only when the certificate does carry Subject Alternative Name (SAN) DNS entries, but none of them matches the host name you configured. Once a certificate has SAN DNS entries, Java ignores the subject Common Name, so a certificate whose CN matches is not enough. Typical mismatches are a short host name, an IP address, a load-balancer alias or a CNAME configured in the Sonatype product while the certificate lists only the server's fully qualified name. The correct solution for a secure connection is to have your LDAP server administrators reissue the LDAPS certificate with every name clients use in its SAN list, or to configure the product with a host name that is already in the certificate, so that endpoint identification succeeds. This check is for your own protection: without it, anyone who can redirect the connection and present a certificate chained to any trusted CA can impersonate the LDAP server and capture the bind credentials and user passwords sent to it.
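To see why a given host name is rejected before changing any configuration, the following added example (not part of the original article and not Sonatype code) mirrors the order of checks the JDK applies during LDAPS endpoint identification: SAN DNS or IP entries first, and the subject CN only when the certificate has no SAN DNS names. It uses only the Python standard library. The SAMPLE_CERT dictionary is a constructed stand-in for what ssl.SSLSocket.getpeercert() returns and is not a real certificate; the wildcard handling is a simplification of the JDK's HostnameChecker (a wildcard is honoured only in the leftmost label and matches exactly one label).

```python
"""Offline re-implementation of the host-name checks Java applies to an
LDAPS certificate, so a failing configuration can be diagnosed quickly.
Added example; the matching rules are a simplified model of the JDK's
sun.security.util.HostnameChecker, not the JDK's own code."""
import ipaddress
import socket
import ssl


def _label_match(name_label: str, template_label: str) -> bool:
    """Match one DNS label against a template label that may contain a '*'."""
    if "*" not in template_label:
        return name_label == template_label
    before, _, after = template_label.partition("*")
    return (name_label.startswith(before) and name_label.endswith(after)
            and len(name_label) >= len(before) + len(after))


def dns_name_matches(expected: str, template: str) -> bool:
    """Case-insensitive match of a host name against a certificate DNS name.
    '*.example.com' matches 'ldap.example.com' but neither 'example.com'
    nor 'a.ldap.example.com'; a wildcard outside the leftmost label is invalid."""
    expected = expected.lower().rstrip(".")
    template = template.lower().rstrip(".")
    if "*" not in template:
        return expected == template
    t_first, _, t_rest = template.partition(".")
    e_first, _, e_rest = expected.partition(".")
    if not t_rest or "*" in t_rest:
        return False
    return e_rest == t_rest and _label_match(e_first, t_first)


def check_endpoint_identification(cert: dict, expected_host: str) -> str:
    """Return 'ok' when expected_host is acceptable for cert, otherwise a
    failure reason phrased like the JDK's CertificateException messages."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]

    try:
        wanted_ip = ipaddress.ip_address(expected_host)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        # An IP literal is only compared against SAN iPAddress entries.
        for candidate in ip_names:
            try:
                if ipaddress.ip_address(candidate) == wanted_ip:
                    return "ok"
            except ValueError:
                continue
        return f"No subject alternative names matching IP address {expected_host} found"

    if dns_names:
        # SAN DNS entries present: the CN is never consulted.
        if any(dns_name_matches(expected_host, name) for name in dns_names):
            return "ok"
        return f"No subject alternative DNS name matching {expected_host} found."

    # No SAN DNS names at all: fall back to the most specific subject CN.
    common_name = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                common_name = value
    if common_name is not None and dns_name_matches(expected_host, common_name):
        return "ok"
    return f"No name matching {expected_host} found"


def fetch_peer_cert(host: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Retrieve a live LDAPS certificate in getpeercert() form. Host-name
    checking is disabled here on purpose so the certificate can be fetched
    even when it would fail endpoint identification; the chain is still
    verified against the default trust store. Not called in the offline demo."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample (not a real certificate): issued for the FQDN and for
# domain-controller hosts under one wildcard. A short name, an alias or an
# IP address configured in the LDAP settings is rejected.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.corp.example.com"),),),
    "subjectAltName": (("DNS", "ldap.corp.example.com"),
                       ("DNS", "*.dc.corp.example.com")),
}

if __name__ == "__main__":
    for configured in ("ldap.corp.example.com", "dc01.dc.corp.example.com",
                       "ldap", "10.0.0.5"):
        print(f"{configured:28} -> {check_endpoint_identification(SAMPLE_CERT, configured)}")
```

Run it with your own host name, or pass the result of fetch_peer_cert(host) in place of SAMPLE_CERT to test the real server certificate; openssl s_client -connect host:636 -showcerts shows the same certificate if you prefer to read the SAN entries by hand. Whichever name the check accepts is the one to put in the Sonatype LDAP configuration.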
Workaround
The workaround from the release note is blunt and optional. It switches off host-name validation for every LDAPS connection the JVM makes, not just the one to this server: TLS still encrypts the traffic and the certificate chain is still checked against the trust store, but any certificate issued by a trusted CA for any host name is then accepted, which is exactly the impersonation case endpoint identification exists to prevent. If you care about having a secure connection to your LDAP server, do not use this workaround long-term.
Use it only if you have no other quick way to correct the remote LDAP server certificate, and remove the property once the certificate has been fixed.
Use the supported server methods to set the Java system property, as the Java release note advises.
Nexus Repository 3
Add a new line to <app-dir>/bin/nexus.vmoptions :
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
Restart Nexus Repository 3.
Nexus Repository 2
Edit <app-dir>/bin/jsw/conf/wrapper.conf. Add a new wrapper.java.additional entry, using an index number that is not already taken by an existing wrapper.java.additional.N line (4 is shown here as an example):
wrapper.java.additional.4=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
Restart Nexus Repository 2.
IQ Server
Edit the Java command used to launch IQ Server so that the system property is passed as a JVM argument, before the jar and server arguments you already use, for example:
java -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
Restart IQ Server.