[CONFSERVER-26826] Verify hostname fails when using own Windows CA and connecting to Active Directory over SSL - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Low Engagement
Priority: Low
Fix Version/s: None
Affects Version/s: 4.3
Component/s: User - Management
Labels:

Support reference count:
2
Symptom Severity:
Severity 3 - Minor
UIS:
0
Bug Fix Policy:
View Atlassian Server bug fix policy

When connecting to an Active Directory over SSL using a certificate issued by an Windows Certificate Authority, Confluence fails to verify the hostname.

In Confluence logs, the following error is shown:

2012-09-28 12:30:25,300 ERROR [scheduler_Worker-2] [atlassian.crowd.directory.DbCachingDirectoryPoller] pollChanges Error occurred while refreshing the cache for directory [ 73039875 ].
com.atlassian.crowd.exception.OperationFailedException: java.util.concurrent.ExecutionException: com.atlassian.crowd.exception.OperationFailedException: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: office.devexperts.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching example.domain.com found.]]
        at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAllUsers(UsnChangedCacheRefresher.java:268)
        at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAll(AbstractCacheRefresher.java:83)
        at com.atlassian.crowd.directory.ldap.cache.UsnChangedCacheRefresher.synchroniseAll(UsnChangedCacheRefresher.java:225
...

The workaround purposed in ~~CONF-26049~~ is also valid in this case:
Backup Confluence database beforehand for safety purpose

Run the following SQL query:

UPDATE cwd_directory_attribute
SET attribute_value='false'
WHERE attribute_name='ldap.secure'
AND directory_id  = <desired_directory_ID>;

Restart Confluence

Note: The above option will always reverted to its default ('true') whenever you edit the user directory settings. Therefore, you'll need to run that query every time you do any changes on the user directory settings.

relates to

CONFSERVER-26049 Add an option in User Directory settings to make an SSL LDAP connection but without verifying that the hostname and certificate match

Closed

mentioned in: Page Loading...

Assignee:: Unassigned

Reporter:: Alejandro Conde Carrillo (Inactive)

Affected customers:: 2 This affects my team

Watchers:: 6 Start watching this issue

Created:: 08/Oct/2012 4:58 PM

Updated:: 10/Apr/2025 10:13 AM

Resolved:: 10/Apr/2025 10:13 AM

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates