SOLVED: LDAPS Intermittent Issue - No subject alternative DNS name matching dns_url_server found

So we have Nexus 3 Repository and we are using LDAPS (not LDAP) for connecting to our Active Directory server.
If we use LDAP (389) we have no issues. However, when we set this to LDAPS (and change it to port 636), it works fine for 5 minutes or so, then this error occurs, then after a minute it works again for another 5 minutes or so:
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching dns_url_server found.

We have the timeout set as -Dcom.sun.jndi.ldap.connect.pool.timeout=180000

Full stack trace (anonymised some data in the log for security reasons):
dns_url_server - replaces the valid DNS URL
dc=domain_start,dc=domain_end - replaces the valid domain string
valid_ldap_user - replaces the valid LDAP username
specific_user - replaces the valid LDAP username

2019-07-30 14:56:03,402+0100 WARN  [qtp1783462355-4605]  *UNKNOWN org.sonatype.nexus.ldap.internal.connector.FailoverLdapConnector - Problem connecting to LDAP server:  Caused by: javax.naming.CommunicationException: dns_url_server:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching dns_url_server found.] Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching dns_url_server found. Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching dns_url_server found.
org.sonatype.nexus.ldap.internal.connector.dao.LdapDAOException: Failed to retrieve ldap information for user.
	at org.sonatype.nexus.ldap.internal.connector.DefaultLdapConnector.getUser(DefaultLdapConnector.java:143)
	...
	at java.lang.Thread.run(Thread.java:748)
Caused by: javax.naming.CommunicationException: dns_url_server:636
	at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
	...
	at org.sonatype.nexus.ldap.internal.connector.DefaultLdapConnector.getUser(DefaultLdapConnector.java:129)
	... 80 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching dns_url_server found.
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	...
	at com.sun.jndi.ldap.Connection.<init>(Connection.java:215)
	... 99 common frames omitted
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching dns_url_server found.
	at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:214)
  ...
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
	... 108 common frames omitted

The error indicates a problem with the SSL certificate installed on the LDAP server: the subject alternative name in the certificate does not match the host name being used to access the LDAP server. I suggest having your IT department investigate this.

Regards,

Rich

Hi,

So I have checked it on all of our servers and all of them have a valid SSL certificate. We are using Active Directory and port 636.

It seems to work fine on all the servers. It then seems the connection is either being closed or timing out. The next SSL connection check fails as the connection is not valid. I assume because the connection has been closed the cert is invalid. After a timeout, it seems the connection is torn down and re-created, then SSL works. At least that is what it looks like is happening?

Does anyone else use Active Directory LDAPS port 636 successfully? I am aware we have some connection management at the active directory layer which is why I ask.

Thank you
Karl

It seems to work fine on all the servers. It then seems the connection is either being closed or timing out. The next SSL connection check fails as the connection is not valid. I assume because the connection has been closed the cert is invalid. After a timeout, it seems the connection is torn down and re-created, then SSL works. At least that is what it looks like is happening?

The error message is pretty clear, the certificate isn’t trusted. Is there a pool of LDAP servers? If so, you will likely need to import the root certificate for these into the Nexus SSL truststore, rather than the certificate from whatever LDAP server is reached from the SSL truststore UI. Import the root certificate using the “paste pem” option, and remove any certificates that you’ve added previously:

https://help.sonatype.com/display/NXRM3/Configuring+SSL#ConfiguringSSL-OutboundSSL-TrustingSSLCertificatesGlobally

The issue was not that the cert was not accepted but the fact that the cert's DNS/SAN was not set to the URL I was using. One out of 8, thus the intermittent issue.

What I did was get the IP list for the ldap_url, then ran this command on every LDAP IP:

echo -n | openssl s_client -connect 10.56.100.47:636 | openssl x509 -noout -text | grep DNS:

The output then showed one was missing the ldap_url. All certs were valid and signed, just not for the ldap_url being used.
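As an added example (not part of the thread or of Nexus), the same per-IP check Karl ran with openssl, done in Python so every address behind one LDAPS name is audited in a single run with SNI set to that name. The hostname taken from `sys.argv`, port 636 and the `cafile` option for an internal CA are assumptions.

```python
import socket
import ssl
from typing import Iterable, List, Optional, Tuple


def san_dns_names(cert: dict) -> List[str]:
    """DNS entries of the subjectAltName in a dict from SSLSocket.getpeercert()."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def san_matches(hostname: str, names: Iterable[str]) -> bool:
    """True if hostname is covered by a SAN DNS entry. A '*' must be the whole
    left-most label and stands for exactly one label (RFC 6125 style, which is
    also what Java's HostnameChecker requires). The CN is deliberately ignored."""
    host = hostname.lower().rstrip(".").split(".")
    for name in names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host:
            return True
        if labels[0] == "*" and len(labels) == len(host) and labels[1:] == host[1:]:
            return True
    return False


def fetch_cert(ip: str, port: int, server_name: str, cafile: Optional[str] = None) -> dict:
    """TLS-connect to ip:port with SNI = server_name and return the peer cert.
    The chain is still validated (pass cafile for an internal CA); only the
    hostname check is switched off so a mismatching cert can be inspected."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.getpeercert()


def audit_ldaps(hostname: str, port: int = 636, cafile: Optional[str] = None) -> List[Tuple[str, bool, str]]:
    """Resolve hostname to every address and report, per address, whether the
    certificate served there has a SAN covering hostname: (ip, ok, detail)."""
    ips = sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)})
    results = []
    for ip in ips:
        try:
            names = san_dns_names(fetch_cert(ip, port, hostname, cafile))
            results.append((ip, san_matches(hostname, names), ", ".join(names) or "<no SAN>"))
        except (OSError, ssl.SSLError) as exc:
            results.append((ip, False, f"handshake failed: {exc}"))
    return results


if __name__ == "__main__":
    import sys  # usage: python audit_ldaps.py ldap.example.com (assumed name)
    for ip, ok, detail in audit_ldaps(sys.argv[1]):
        print(f"{'OK  ' if ok else 'FAIL'} {ip}: {detail}")
```

Any address reported as FAIL is the one that would raise the "No subject alternative DNS name matching ... found" exception whenever the JNDI connection pool lands on it.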