By: Lars Van Casteren user 10 Dec 2018 at 2:38 p.m. CST

Hello, I successfully configured an Active Directory authentication backend using port 389, cache refresh runs and I can log in with an AD user, but when changing the backend to SSL 636 I get this error when cache refresh runs:

```
2018-12-10 21:26:03,176 ERROR [ForkJoinPool.commonPool-worker-0] [org.gluu.oxtrust.ldap.service.StatusCheckerTimer] (StatusCheckerTimer.java:216) - Can not download ssl certificate
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_181]
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964) ~[?:1.8.0_181]
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328) ~[?:1.8.0_181]
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) ~[?:1.8.0_181]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614) ~[?:1.8.0_181]
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_181]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:1.8.0_181]
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:987) ~[?:1.8.0_181]
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) ~[?:1.8.0_181]
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[?:1.8.0_181]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:1.8.0_181]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) ~[?:1.8.0_181]
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) ~[?:1.8.0_181]
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[?:1.8.0_181]
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162) ~[?:1.8.0_181]
	at org.gluu.oxtrust.ldap.service.StatusCheckerTimer.setCertificateExpiryAttributes(StatusCheckerTimer.java:204) [classes/:?]
	at org.gluu.oxtrust.ldap.service.StatusCheckerTimer.processInt(StatusCheckerTimer.java:162) [classes/:?]
	at org.gluu.oxtrust.ldap.service.StatusCheckerTimer.process(StatusCheckerTimer.java:129) [classes/:?]
	at org.gluu.oxtrust.ldap.service.StatusCheckerTimer$Proxy$_$$_WeldSubclass.process$$super(Unknown Source) [classes/:?]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_181]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_181]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_181]
	at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_181]
	at org.jboss.weld.interceptor.proxy.TerminalAroundInvokeInvocationContext.proceedInternal(TerminalAroundInvokeInvocationContext.java:51) [weld-core-impl-3.0.5.Final.jar:3.0.5.Final]
	at org.jboss.weld.interceptor.proxy.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:78) [weld-core-impl-3.0.5.Final.jar:3.0.5.Final]
	at org.xdi.service.cdi.async.AsynchronousInterceptor$1.get(AsynchronousInterceptor.java:36) [oxcore-service-3.1.4.Final.jar:?]
	at java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1590) [?:1.8.0_181]
	at java.util.concurrent.CompletableFuture$AsyncSupply.exec(CompletableFuture.java:1582) [?:1.8.0_181]
	at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289) [?:1.8.0_181]
	at java.util.concurrent.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1056) [?:1.8.0_181]
	at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1692) [?:1.8.0_181]
	at java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:157) [?:1.8.0_181]
Caused by: java.security.cert.CertificateException: No subject alternative names present
	at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:145) ~[?:1.8.0_181]
	at sun.security.util.HostnameChecker.match(HostnameChecker.java:94) ~[?:1.8.0_181]
	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455) ~[?:1.8.0_181]
	at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1026) ~[?:1.8.0_181]
	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:993) ~[?:1.8.0_181]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596) ~[?:1.8.0_181]
	... 27 more
```

I tried adding the downloaded AD SSL cert to cacerts but that didn't seem to help. Where should I start looking? Thanks for any hints! L

By Lars Van Casteren user 11 Dec 2018 at 6:16 a.m. CST

I've updated the Active Directory LDAP cert to include all possible SANs, but I still get the same error when running cache refresh. Downloading the cert via openssl shows it has multiple SANs starting with: DNS Name= Authentication with that LDAP however works. Thanks for any help! L
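The innermost frame of the trace in the first post is `sun.security.util.HostnameChecker.matchIP`, which is the branch the JDK's hostname verifier takes when the host it was asked to verify is an IP-address literal; in that branch only IP-type SAN entries are consulted, so a certificate that carries DNS SANs alone (as described in the second post) still fails identity checking for an IP host. The following matcher is an added example, not code from the thread or from Gluu, that mirrors that DNS-versus-IP split on a constructed SAN list in the shape Python's `ssl.getpeercert()` returns; the host names and addresses in it are made up.

```python
import ipaddress

# Constructed SAN list, DNS names only, in the ('type', 'value') tuple shape
# that ssl.getpeercert()['subjectAltName'] uses. Not a real certificate.
CONSTRUCTED_SANS = (
    ("DNS", "dc01.corp.example"),
    ("DNS", "*.corp.example"),
)


def _dns_matches(pattern, host):
    """RFC 6125 style DNS-ID match: case-insensitive, trailing dot ignored,
    a single '*' is only accepted as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    # Require at least two fixed labels so '*.example' style patterns never match.
    return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]


def san_matches(sans, host):
    """Return (ok, reason). Like the JDK's HostnameChecker, an IP-literal host
    is compared only against 'IP Address' SANs and a DNS host only against
    'DNS' SANs; DNS entries never satisfy an IP host and vice versa."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if not sans:
        # Same condition that produces the JDK message seen in the trace.
        return False, "No subject alternative names present"
    if ip is not None:
        for kind, value in sans:
            if kind != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value) == ip:
                    return True, "ip SAN match"
            except ValueError:
                continue  # malformed IP SAN: ignore rather than trust it
        return False, "host is an IP literal but no IP Address SAN matches it"
    for kind, value in sans:
        if kind == "DNS" and _dns_matches(value, host):
            return True, "dns SAN match"
    return False, "no DNS SAN matches the host name"
```

Running it with the LDAP host given as an IP address reproduces the failure even though DNS SANs are present, while the same SAN list passes for the DNS name; that difference is the first thing to confirm when this message appears.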

By Lars Van Casteren user 11 Dec 2018 at 6:48 a.m. CST

I've created a GitHub issue with some more information: https://github.com/GluuFederation/oxTrust/issues/1402