Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] LDAP over SSL error - CertificateException

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] LDAP over SSL error - CertificateException

Chronological Thread 
  • From: Al Lilianstrom <>
  • To: " Mailing List" <>
  • Subject: Re: [grouper-users] LDAP over SSL error - CertificateException
  • Date: Mon, 15 Feb 2021 19:18:01 +0000
  • Arc-authentication-results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=meruBPgC79VuZQ3Finmp2QD+ikyyaHdST8JIeiAvh1w=; b=B/mB1aRtRsZhW/zYAVmXViX6Ur+mslWAq9Z/VFlyYzbUJ8DEIvgMAmzgRyZ6RAdbP7RmsXnO2aeB7buLAf7sj5IawyHHIj5nV0Cuo/C+MMsS68BrH/Ikc2Pyoy/9laibGe4qV8F0AFFKB5KTscb60aJXixpGPTnL7F6fm6c3iBDf35S7jWc6iLCV9Bnc7Fuzxz7SGv9f1mZsyCSBQlWT1aUZpn6TqtzXNFvuKjFy3mfMkuK9dULjKaxop45dPF3Y1kipx6wqOXjz97jyN/Y9tOVuUlyiOAUF5QVhuzNFOe2Dx/nvMLwBnOVTTMgMCgsMJe7rxaXtdRG6F4c/cIuvOg==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=eVJq6VOzCY5wFYmbtOiANFLHgOBVkdY/ifk22A7HIeMCAOqbv2f/1MJINvzlvdxOAsoMvMjI/L3FJANLGXNTaXzq5VwKnmD5D6hoecyQfcEFWBfi80h156C5tQADwz/hvu4l0dyiCPyqVyp748ZU6+cEcHtIN2StJIA/NUKu43MBwL/3bi2YU1HfJJZSMMDxjAdm3zPgy9aDkYAi9+Y+vl2mf2Q8sDRGObqz3CHmkJo+nfqDbcaKOx3srEQygGQ6ioHEz1gGN2ZkiD6GEI48dFse4a35WTgq0JZU3eCcUIadsrWr1pYC9t4pU4vwiz4N8dnejXNwacRIzZdSoZE3pQ==

Hi Chris,

Thanks for the response. I'll ask to join slack channel.

Adding follow didn't change anything but I decided to look at the certs again
(based on your last comment) as this particular domain is using certs from
our internal CA rather than a commercial CA. Turns out that the certificate
issued for to enable smartcard usage also had also had client and server
authentication enabled on it and no SANs. Once I fixed the template and
reissued the cert it worked as expected.

Thanks again for the assist.


Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory

From: Hyzer, Chris <>
Sent: Monday, February 15, 2021 8:58 AM
To: Mailing List; Al Lilianstrom
Subject: Re: LDAP over SSL error - CertificateException

Are you slack to discuss this? 🙂

(ask to join incommon-grouper slack):<>

can you try in (or database config):

ldap.fsLdap.referral = follow

or maybe we need to add all the certs into java as trusted... hmmm
<> on behalf of Al Lilianstrom
Sent: Monday, February 15, 2021 9:21 AM
To: Mailing List <>
Subject: [grouper-users] LDAP over SSL error - CertificateException

New to grouper. Running 2.5.41 in one container. Postgres and Shibboleth in
separate containers. ADLDS over plain LDAP for the subject database.

All good.

Adding a AD domain over SSL to grouper. Trying to use the domain name for the
connection as we do with other apps.


ldap.fsLdap.configFileFromClasspath =
ldap.fsLdap.user = CN=dirm,OU=FSA,DC=fs,DC=fnal,DC=gov
ldap.fsLdap.pass = NotIt


Getting the following error in the web interface when testing the connection
(under Miscellaneous | External systems)

CertificateException: Hostname '[]' does not match the hostname in
the server's certificate ''

The domain name is in the certificate as a Subject Alternative Name


If I disable SSL the test is successful. Or if I switch to a single DC.


Any thoughts on getting this to work?

Al Lilianstrom
Authentication Services

Fermi National Accelerator Laboratory<>

Archive powered by MHonArc 2.6.24.

Top of Page