How to resolve CertificateException: No subject alternative DNS name matching for LDAP secure connections

Symptom

You have configured a secure LDAPS connection to your LDAP server from a Sonatype server product such as Nexus Repository Manager or Nexus IQ Server.

The connection fails, and the logged cause includes the following message:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching <ldap_server_host_name> found.

You may have just noticed this problem after upgrading a Sonatype server product version that includes its own OpenJDK distribution.

You may have noticed this problem after upgrading the Java version that a Sonatype server product is using to Java 8u181 or newer.

You may have noticed this problem after the Java installation your Sonatype server product uses was updated in the background by Java's built-in automatic update.

Cause

Sonatype server products rely on the javax.naming (JNDI) Java APIs to connect to your LDAP server.

The Java 8u181 release notes describe a change to how secure LDAP connections are handled:

core-libs/javax.naming
➜ Improve LDAP support
Endpoint identification has been enabled on LDAPS connections.

To improve the robustness of LDAPS (secure LDAP over TLS) connections, endpoint identification algorithms have been enabled by default.

Note that there may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.

Define this system property (or set it to true) to disable endpoint identification algorithms.

JDK-8200666 (not public)

Solution

Java is checking that the host name you configured for the LDAP connection matches a host name the LDAPS server certificate was actually issued for: a DNS entry in the certificate's subjectAltName (SAN) extension that equals the configured name, or a wildcard entry that covers it. If you connect by IP address, the certificate needs an IP SAN entry for that address instead. The message above means the certificate does carry SAN DNS entries but none of them match the configured name; in that situation Java does not consult the certificate's Common Name (CN) at all, so a correct CN does not help. The correct solution for a secure connection is to have your LDAP server administrators reissue the LDAPS certificate with a SAN entry for the host name you configure, or, equivalently, to configure the Sonatype product with a host name the certificate already contains. You can see which names the certificate carries with openssl s_client -connect <ldap_server_host_name>:636 </dev/null | openssl x509 -noout -text and reading the X509v3 Subject Alternative Name extension. This check is for your own protection: it is what stops a certificate issued to some other host from being accepted as your LDAP server's.
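The decision Java makes here, written out as a small Python model so the failure can be reproduced and reasoned about offline. This is an added example, not code from the Sonatype article or from any Sonatype product: check_endpoint_identification mirrors the JDK's LDAPS endpoint identification rules (DNS SAN first, IP SAN for IP literals, CN only when no DNS SAN exists) with wildcard matching simplified to a leading "*." covering one label; fetch_server_names is a hypothetical helper that reads the real server's certificate with the standard library; the host names corp.example and the address 10.0.0.5 are constructed sample data.

```python
"""Model of the host name check Java applies to LDAPS server certificates.

Added example; not code from the Sonatype article or any Sonatype product. It mirrors
the JDK's LDAPS endpoint identification (sun.security.util.HostnameChecker): the
configured host must match a DNS subjectAltName, an IP literal must match an IP
subjectAltName, and the CN is consulted only when no DNS subjectAltName exists.
Wildcard handling is simplified to a leading "*." covering exactly one label.
"""
import ipaddress
import socket
import ssl
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit


def host_from_ldap_url(url: str) -> str:
    """Host part of 'ldaps://ldap01.corp.example:636' -> 'ldap01.corp.example'."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in LDAP URL: {url!r}")
    return host


def _dns_name_matches(pattern: str, host: str) -> bool:
    """One certificate DNS name (possibly a wildcard) against the configured host."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    # Only a leading "*." is honoured, covering one label: "*.corp.example" matches
    # "ldap01.corp.example" but neither "corp.example" nor "a.b.corp.example".
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    suffix = pattern[1:]  # ".corp.example"
    if not host.endswith(suffix):
        return False
    leftmost = host[:-len(suffix)]
    return bool(leftmost) and "." not in leftmost


def check_endpoint_identification(host: str, dns_sans: Iterable[str], ip_sans: Iterable[str],
                                  cn: Optional[str]) -> Tuple[bool, str]:
    """(True, "") if endpoint identification accepts the certificate for `host`,
    else (False, <the CertificateException message the JDK reports>)."""
    try:
        want_ip = ipaddress.ip_address(host)
    except ValueError:
        want_ip = None
    if want_ip is not None:
        # An IP literal is compared only with IP subjectAltNames; there is no CN fallback.
        for san in ip_sans:
            try:
                if ipaddress.ip_address(san) == want_ip:
                    return True, ""
            except ValueError:
                continue
        return False, f"No subject alternative names matching IP address {host} found"
    dns_sans = tuple(dns_sans)
    if dns_sans:
        # Once any DNS subjectAltName is present the CN is ignored entirely.
        if any(_dns_name_matches(san, host) for san in dns_sans):
            return True, ""
        return False, f"No subject alternative DNS name matching {host} found."
    if cn and _dns_name_matches(cn, host):
        return True, ""
    return False, f"No name matching {host} found"


def fetch_server_names(host: str, port: int = 636, cafile: Optional[str] = None
                       ) -> Tuple[Tuple[str, ...], Tuple[str, ...], Optional[str]]:
    """Connect to an LDAPS port and return (dns_sans, ip_sans, cn) of the leaf certificate.
    Chain validation stays on (pass `cafile` for a private CA); only host name checking is
    switched off so a mismatching certificate can be read. Needs network access."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    sans = cert.get("subjectAltName", ())
    dns = tuple(v for kind, v in sans if kind == "DNS")
    ips = tuple(v for kind, v in sans if kind == "IP Address")
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), None)
    return dns, ips, cn


# Constructed sample certificate: issued for the server's canonical name and a wildcard,
# but not for the CNAME or the other address an administrator might have configured.
SAMPLE_DNS_SANS = ("ldap01.corp.example", "*.corp.example")
SAMPLE_IP_SANS = ("10.0.0.5",)
SAMPLE_CN = "ldap01.corp.example"


def verdict(url: str) -> str:
    """One-line verdict for a configured LDAP URL against the sample certificate."""
    ok, msg = check_endpoint_identification(host_from_ldap_url(url),
                                            SAMPLE_DNS_SANS, SAMPLE_IP_SANS, SAMPLE_CN)
    return f"{url}: {'OK' if ok else 'FAIL ' + msg}"


if __name__ == "__main__":
    for u in ("ldaps://ldap01.corp.example:636", "ldaps://LDAP.corp.example",
              "ldaps://ldap.ad.corp.example", "ldaps://10.0.0.5", "ldaps://10.0.0.6"):
        print(verdict(u))
```

Against a live server, feed the tuple returned by fetch_server_names into check_endpoint_identification together with the exact host name configured in the Sonatype product; whichever of the three messages comes back tells you whether the certificate needs a DNS SAN, an IP SAN, or merely a different configured name. The JDK's real matcher has further edge cases (for example partial-label wildcards), so treat this as a diagnostic approximation rather than a reference implementation.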

Workaround

The workaround in the release note is a blunt instrument and strictly optional. It turns off host name verification for every LDAPS connection made by that JVM: the server certificate must still chain to a CA the JVM trusts, but nothing checks that it was issued for the host you configured, so a certificate from any trusted CA for any name is accepted, and an attacker who can redirect your LDAP traffic and holds such a certificate can impersonate your LDAP server. If you care about having a secure connection to your LDAP server, do not use this workaround long term.

The workaround can be used if you have no other quick solution to correct the remote LDAP server certificate.

Set the Java system property using the method supported by your server product, as the Java release note advises. After the restart you can confirm the running JVM picked it up with jcmd <pid> VM.system_properties, which lists the property among the JVM's system properties.

Nexus Repository Manager 3x

Add a new line to <app-dir>/bin/nexus.vmoptions :

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

Restart repository manager.

Nexus Repository Manager 2x

Edit <app-dir>/bin/jsw/conf/wrapper.conf and add a new wrapper.java.additional.<n> entry, using a number that no existing entry already uses, for example:

wrapper.java.additional.4=-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

Restart repository manager.

Nexus IQ Server

Add the system property to the java command used to launch IQ Server. It must appear before the -jar argument so that the JVM, rather than the application, receives it, for example:

java -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

Restart IQ Server.
