Active Directory LDAP SSL

Oskar
Contributor
August 31, 2018

I'm trying to activate SSL for my Active Directory LDAP connection but am getting the following error:

"java.security.cert.CertificateException: No subject alternative DNS name matching domain.local found."

I've specified "DC1.domain.local" as hostname in server settings for the LDAP User Directory and imported DC1's computer certificate into the Java KeyStore. The Certificate has "DC1.domain.local" in SAN but not "domain.local".

Is this required even though I'm not specifying "domain.local" as the hostname? If so, how can I add that to the SAN?

What are the certificate requirements? Currently I include DNS name in the subject name, is SPN also needed?

1 answer

0 votes
J van Leeuwen
Atlassian Team
September 7, 2018

Hello Oskar,

I hope this finds you well. I would recommend reviewing our KB article, java.security.cert.CertificateException: No subject alternative DNS name matching <hostname> found. It was written for Confluence but will also apply to Jira.

This type of issue can have multiple causes, however, it's important that the hostname used to connect to the LDAP server (in server settings) matches that of the SSL certificate (SAN), or Jira will not be able to connect to the directory. This is by design.

Hope this helps!

Jennifer

Oskar
Contributor
September 10, 2018

Hi Jennifer,

In hostname I have put DC1.domain.local and I have grabbed the DC public certificate from that server and added it to the JKS, and that certificate then (of course) has DC1.domain.local in the SAN. The error message still says "domain.local", not "DC1.domain.local".

I get 404 on the URL you posted (it works if you remove everything past the .html).
I have actually read that post before and I get it to work if I either disable "Follow Referrals" or "Secure SSL".

Looking at the "Secure SSL" option it states that it is used to verify the hostnames supplied in the SSL certificate. Disabling this seems insecure to me.

Looking at the "Follow Referral" option I find 2 descriptions of this setting:
1. When "Follow Referrals" is enabled, requests to objects that include the Domain Component (such as dc=example,dc=local) will cause a DNS request to be made to example.local.
2. Choose whether to allow the directory server to redirect requests to other servers. It is generally needed for Active Directory servers configured without proper DNS.
It seems to me that this is what's causing the lookup to "domain.local" instead of to "DC1.domain.local" (as stated in point 1), but would disabling this cause authentication to fail if DC1 is unavailable even if DC2 is available? This would not be ideal.

For these reasons I would like to get it to work with the "Fix the certificate"-solution if possible. How would I "Fix the certificate to contain the correct name."?

Additional info:
Domain.local is the only domain in the forest. We use DNS and both domain.local and DC1.domain.local can be resolved by the Application (JIRA) server. Both DC1 and DC2 public certificates have been added to the JKS. Both the root CA and sub CA certificates have been added to the JKS.
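As an added illustration (not code from the thread or from Atlassian) of why the error names "domain.local" rather than the configured host: with referrals followed, the client ends up connecting to the bare domain name, and that name must itself be covered by a dNSName SAN entry. The checker below applies the RFC 6125 style matching that Java's hostname verifier uses for SAN DNS entries (exact match, or a single leftmost wildcard label covering exactly one label) and reports which expected hostnames a certificate's SAN list does not cover. The SAN list and hostnames are constructed to mirror this thread.

```python
"""Report which LDAP hostnames a server certificate's SAN does not cover.

The SAN list and hostnames below are constructed sample data modelled on
the thread: the DC certificate carries only DC1.domain.local, while a
referral sends the client to the bare domain name domain.local.
"""


def dns_name_matches(hostname: str, san_entry: str) -> bool:
    """Return True if one dNSName SAN entry covers hostname (RFC 6125 style)."""
    host = hostname.lower().rstrip(".")
    san = san_entry.lower().rstrip(".")
    if "*" not in san:
        return host == san
    san_labels = san.split(".")
    host_labels = host.split(".")
    # Only a wildcard that is the whole leftmost label is honoured, it must
    # not be the only label, and no other label may contain a wildcard.
    if (san_labels[0] != "*" or len(san_labels) < 2
            or any("*" in label for label in san_labels[1:])):
        return False
    # The wildcard stands for exactly one label: "*.domain.local" covers
    # "dc1.domain.local" but neither "domain.local" nor "a.b.domain.local".
    return (len(host_labels) == len(san_labels)
            and host_labels[1:] == san_labels[1:])


def uncovered_hostnames(required_hosts, san_dns_names):
    """Hostnames from required_hosts that no SAN dNSName entry matches."""
    return [h for h in required_hosts
            if not any(dns_name_matches(h, s) for s in san_dns_names)]


# Constructed sample data: what the thread's DC certificate carries, and the
# names the client will present when referrals to the domain are followed.
DC_CERT_SAN = ["DC1.domain.local"]
REFERRAL_TARGETS = ["DC1.domain.local", "domain.local"]

if __name__ == "__main__":
    for name in uncovered_hostnames(REFERRAL_TARGETS, DC_CERT_SAN):
        print(f"No subject alternative DNS name matching {name} found")
```

Reissuing the DC certificate with both the host name and the bare domain name (or every referral target) in the SAN makes the list empty; a wildcard entry alone does not, because it never matches the parent domain.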
