

Subject: Grouper Users - Open Discussion List


Re: [grouper-users] grouper subject engine LDAP cert errors


  • From: Liam Hoekenga <>
  • To: "Hyzer, Chris" <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] grouper subject engine LDAP cert errors
  • Date: Wed, 31 Jan 2018 15:49:54 -0600

The new cert had a subjectAltName but did not include the hostname as an altname. Apparently, the cert's CN is only checked if no altname is present.

sorry for the noise.
Liam

On Wed, Jan 31, 2018 at 2:28 PM, Liam Hoekenga <> wrote:
I apologize.  I checked my logs, and you're right, the error predates the patches.

It looks like there were some recent changes that I was unaware of - the cert on the LDAP server /was/ changed on 1/25/18
My loader noticed and started complaining about it on 1/26. I guess I haven't been in this sandbox environment since that change.

That said, the CN on the cert does match the hostname, and the CA cert is in the trustStore.  :\

2018-01-26 06:15:00,832: [DefaultQuartzScheduler_Worker-5] ERROR DefaultLdapFactory.create(109) -  - unabled to connect to the ldap
javax.naming.CommunicationException: simple bind failed: mcqa-vault2.dsc.umich.edu:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Hostname '[mcqa-vault2.dsc.umich.edu]' does not match the hostname in the server's certificate]

[liamr@grouper1 conf]$ openssl s_client -connect mcqa-vault2.dsc.umich.edu:636 -showcerts
CONNECTED(00000003)
depth=1 OU = Organizational CA, O = MCOMMUNITYQA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/O=MCOMMUNITYQA/CN=mcqa-vault2.dsc.umich.edu
   i:/OU=Organizational CA/O=MCOMMUNITYQA

I guess I'll keep poking at it.

Liam

On Wed, Jan 31, 2018 at 2:06 PM, Hyzer, Chris <> wrote:

You could revert those two patches and see if you can connect. I have a feeling you won't be able to, since it's unrelated, but please let me know.

Was the cert changed recently, or the Java version, or something?

Thanks

Chris

From: [mailto:] On Behalf Of Liam Hoekenga
Sent: Wednesday, January 31, 2018 3:02 PM
To:
Subject: [grouper-users] grouper subject engine LDAP cert errors

I just installed API patches 90 and 91, and now I can't connect to the LDAP server defined in my subject.properties.

The logs say...

2018-01-31 14:40:51,016: [localhost-startStop-1] ERROR DefaultLdapFactory.create(109) -  - unabled to connect to the ldap

javax.naming.CommunicationException: simple bind failed: mcqa-vault2.dsc.umich.edu:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Hostname '[mcqa-vault2.dsc.umich.edu]' does not match the hostname in the server's certificate]

Seems straightforward enough... but...

I've checked the cert's CN using "openssl s_client", and it's a match.

I've verified that the CA cert for our institutional CA that signed the cert is in the javax.net.ssl.trustStore being used for Tomcat.

Any ideas?

Liam
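The rule Liam ran into at the top of the thread (a matching CN is ignored as soon as the certificate carries a subjectAltName with dNSName entries) is the RFC 6125 hostname-matching rule that Java's default hostname verifier also applies. The script below, an added example that is not Grouper, ldaptive or JDK code, implements that rule over certificates represented as the dicts Python's ssl.SSLSocket.getpeercert() returns, so it runs offline. The subject and issuer are taken from the openssl output in the thread; the SAN entry vault-alias.example.test is a hypothetical name standing in for whatever the real cert contained, and the IP address in the test is likewise made up.

```python
"""Hostname verification as RFC 6125 (and Java's default HostnameChecker) do it.

Added example; this is not Grouper's, ldaptive's or the JDK's code. The three
certificates below are constructed dicts in the shape that Python's
ssl.SSLSocket.getpeercert() returns, so the script runs offline against no
real host. The SAN entry 'vault-alias.example.test' is a hypothetical name
standing in for whatever the real cert carried.
"""
from typing import Dict, List, Tuple

HOST = "mcqa-vault2.dsc.umich.edu"


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName or CN value against hostname.

    Case-insensitive, trailing dots ignored, and a single '*' is allowed only
    as the entire leftmost label (RFC 6125 section 6.4.3), so '*.dsc.umich.edu'
    matches HOST but '*.umich.edu' and 'mcqa-*.dsc.umich.edu' do not.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _san_dns_names(cert: Dict) -> List[str]:
    """dNSName entries of the subjectAltName extension, if any."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _subject_cns(cert: Dict) -> List[str]:
    """commonName attributes of the subject DN, in order."""
    return [value for rdn in cert.get("subject", ()) for kind, value in rdn if kind == "commonName"]


def matches_hostname(cert: Dict, hostname: str) -> Tuple[bool, str]:
    """Return (ok, reason).

    If the certificate carries any dNSName SAN entries, only those are
    consulted and the subject CN is ignored; that is why a matching CN is not
    enough once a SAN extension is present. The CN is used only as a fallback
    when there are no dNSName entries at all.
    """
    dns_names = _san_dns_names(cert)
    if dns_names:
        for name in dns_names:
            if _dns_match(name, hostname):
                return True, f"matched SAN dNSName {name!r}"
        return False, f"SAN dNSName {dns_names!r} does not match {hostname!r}; CN not consulted"
    cns = _subject_cns(cert)
    for cn in cns:
        if _dns_match(cn, hostname):
            return True, f"no SAN dNSName present; matched CN {cn!r}"
    return False, f"no SAN dNSName present and CN {cns!r} does not match {hostname!r}"


# Constructed certificates: subject/issuer copied from the openssl output in
# the thread, SAN contents made up for the example.
ISSUER = ((("organizationalUnitName", "Organizational CA"),), (("organizationName", "MCOMMUNITYQA"),))
SUBJECT = ((("organizationName", "MCOMMUNITYQA"),), (("commonName", HOST),))

# Old cert: no SAN at all, so the CN is checked and matches.
OLD_CERT = {"subject": SUBJECT, "issuer": ISSUER}

# Cert as described on 1/31: SAN present but without the hostname. The CN
# still matches, yet it is never consulted, so the handshake fails.
NEW_CERT = {"subject": SUBJECT, "issuer": ISSUER,
            "subjectAltName": (("DNS", "vault-alias.example.test"),)}

# What a reissued cert needs: the hostname listed as a dNSName.
FIXED_CERT = {"subject": SUBJECT, "issuer": ISSUER,
              "subjectAltName": (("DNS", "vault-alias.example.test"), ("DNS", HOST))}


if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT), ("fixed", FIXED_CERT)):
        ok, reason = matches_hostname(cert, HOST)
        print(f"{label:5} {'OK  ' if ok else 'FAIL'} {reason}")
```

To see what the live server presents, pipe the s_client output into `openssl x509 -noout -ext subjectAltName` (OpenSSL 1.1.1 or newer) or `openssl x509 -noout -text` and look for the "X509v3 Subject Alternative Name" block; if that block exists and does not list the hostname you connect with, a matching CN will not save the handshake, and the cert has to be reissued with the hostname as a dNSName.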





