Hi there,
I am trying to connect from Confluence 7.1 to our LDAPS server, and the server always throws this error message:
Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: pnw.loc:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: critical policy qualifiers present in certificate]]
I imported our root CA, sub CA, server cert and LDAPS cert into the only truststore of the Confluence 7.1 installation and checked the SSL connection via SSLPoke:
E:\Confluence-home\jre\bin>java.exe SSLPoke adldaps.pnw.loc 636
Successfully connected
This works... but as you can see from the error message, Confluence wants to connect to "pnw.loc 636". When I try that with SSLPoke:
E:\Confluence-home\jre\bin>java.exe SSLPoke pnw.loc 636
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: critical policy qualifiers present in certificate
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:259)
    at sun.security.validator.Validator.validate(Validator.java:262)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:750)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
    at SSLPoke.main(SSLPoke.java:31)
Caused by: java.security.cert.CertPathValidatorException: critical policy qualifiers present in certificate
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
    at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
    at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
    at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
    at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
    at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
    ... 15 more
Caused by: java.security.cert.CertPathValidatorException: critical policy qualifiers present in certificate
    at sun.security.provider.certpath.PolicyChecker.processPolicies(PolicyChecker.java:487)
    at sun.security.provider.certpath.PolicyChecker.checkPolicy(PolicyChecker.java:225)
    at sun.security.provider.certpath.PolicyChecker.check(PolicyChecker.java:180)
    at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
    ... 20 more
you see??
I had a look at the config DB, and the LDAP server is set correctly (adldaps.pnw.loc).
I asked Atlassian.... and they asked me to ask you...
Anyone have an idea?
Kind Regards
Tim
Hi @Tim Wisian !
I've done some research and it seems that there may be something wrong with your certificates. From here we can see the cause of this error:
// retrieve policy qualifiers from cert
Set<PolicyQualifierInfo> pQuals = curPolInfo.getPolicyQualifiers();
// the policyQualifiersRejected flag is set in the params
// all three conditions must hold: the extension carries qualifiers,
// the PKIXParameters reject qualifiers (the JDK default), and the
// Certificate Policies extension is marked critical
if (!pQuals.isEmpty() && rejectPolicyQualifiers && policiesCritical) {
    throw new CertPathValidatorException("critical policy qualifiers present in certificate",
                                         null, null, -1, PKIXReason.INVALID_POLICY);
}
So, the reason should be "the policyQualifiersRejected flag is set in the params".
Here's some theory:
https://www.sysadmins.lv/blog-en/certificate-policies-extension-all-you-should-know-part-1.aspx
I hope it helps somehow.
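As an added diagnostic example (not code from this thread, from Confluence or from OpenJDK), the following Java program reproduces the PolicyChecker condition quoted above outside Confluence. It loads a truststore and a PEM chain, reports which certificate in the chain carries a Certificate Policies extension and whether that extension is critical, and then validates the chain twice: once with the JDK default (policy qualifiers rejected) and once with PKIXParameters.setPolicyQualifiersRejected(false). The class name, the file arguments and the truststore password are assumptions; the chain file is the one the server presents, exported leaf first and without the trusted root, which comes from the truststore.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Hypothetical diagnostic tool; arguments are assumptions, not Confluence settings.
public class PolicyQualifierCheck {

    // OID of the Certificate Policies extension (RFC 5280, section 4.2.1.4)
    static final String CERT_POLICIES_OID = "2.5.29.32";

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: java PolicyQualifierCheck <truststore> <password> <chain.pem>");
            return;
        }
        // Truststore: e.g. the cacerts file of the JRE Confluence runs on
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());
        }
        // Server chain in PEM, leaf first, without the root (the root is a trust anchor)
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[2])) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        // Step 1: show which certificate marks Certificate Policies as critical.
        // PolicyChecker only throws when the extension is critical AND carries qualifiers.
        for (X509Certificate c : chain) {
            boolean present = c.getExtensionValue(CERT_POLICIES_OID) != null;
            Set<String> critical = c.getCriticalExtensionOIDs();
            boolean isCritical = critical != null && critical.contains(CERT_POLICIES_OID);
            System.out.printf("%s%n  certificatePolicies present=%b critical=%b%n",
                              c.getSubjectX500Principal(), present, isCritical);
        }
        // Step 2: validate with the JDK default, then with qualifiers accepted.
        validate(cf, chain, ts, true);
        validate(cf, chain, ts, false);
    }

    static void validate(CertificateFactory cf, List<X509Certificate> chain,
                         KeyStore ts, boolean rejectQualifiers) throws Exception {
        // PKIXParameters(KeyStore) takes every trustedCertEntry as a trust anchor
        PKIXParameters params = new PKIXParameters(ts);
        params.setRevocationEnabled(false);           // isolate the policy check
        params.setPolicyQualifiersRejected(rejectQualifiers); // true is the default
        CertPath path = cf.generateCertPath(new ArrayList<Certificate>(chain));
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            System.out.printf("policyQualifiersRejected=%b: chain validates%n", rejectQualifiers);
        } catch (CertPathValidatorException e) {
            // getIndex() points at the offending certificate in the path (0 = leaf)
            System.out.printf("policyQualifiersRejected=%b: FAILED at index %d (%s): %s%n",
                              rejectQualifiers, e.getIndex(), e.getReason(), e.getMessage());
        }
    }
}
```

Running it once against the chain served under adldaps.pnw.loc and once against the chain served under pnw.loc shows whether the two names present different chains and which certificate, by index, trips the check. The second validation pass is a diagnostic only: the JDK rejects qualifiers by default because its validator does not interpret them, and RFC 5280 requires an application to reject a critical extension it cannot process, so the durable fix is on the certificate side (issue the certificate with a non-critical Certificate Policies extension) rather than relaxing the check in the application.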
One more thing: the server I want to connect to is adldaps.pnw.loc, but the error message says pnw.loc 636....
When I try to connect to pnw.loc via 636 I do understand the error message, but not when connecting to adldaps.pnw.loc.
...
How can I debug Confluence to get a closer look at what's going on?
Where do I set "-Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005"... within the JVM options?
Kind Regards
Tim