Posted to issues@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2018/08/09 16:32:00 UTC

[jira] [Created] (AMBARI-24447) No subject alternative DNS name exception encountered when Enabling Kerberos against an Active Directory even when SSL verification is off

Robert Levas created AMBARI-24447:
-------------------------------------

             Summary: No subject alternative DNS name exception encountered when Enabling Kerberos against an Active Directory even when SSL verification is off
                 Key: AMBARI-24447
                 URL: https://issues.apache.org/jira/browse/AMBARI-24447
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: 2.7.0
            Reporter: Robert Levas
            Assignee: Robert Levas
             Fix For: 2.7.1


No subject alternative DNS name exception encountered when Enabling Kerberos against an Active Directory even when SSL verification is off.

{noformat}
2018-08-09 14:48:28,275  WARN [ambari-client-thread-35] ADKerberosOperationHandler:471 - Failed to communicate with the Active Directory at ldaps://adserver.example.com:636: adserver.example.com:636
javax.naming.CommunicationException: adserver.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching adserver.example.com found.]
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
        at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
...
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching adserver.example.com found.
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
...
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching adserver.example.com found.
        at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:214)
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:459)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1026)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:993)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
{noformat}

Note: This occurs when the hostname embedded in the SSL certificate does not match the hostname of the Active Directory host and OpenJDK 1.8.181-b13 is used. This is not seen when Oracle JDK is used.

{noformat:title=Observed with this version of JDK}
openjdk version "1.8.0_181"
OpenJDK Runtime Environment (build 1.8.0_181-b13)
OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)
{noformat}


{noformat:title=Not observed with this version of JDK}
java version "1.8.0_112"
Java(TM) SE Runtime Environment (build 1.8.0_112-b15)
Java HotSpot(TM) 64-Bit Server VM (build 25.112-b15, mixed mode)
{noformat}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
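
The check that fails in the stack trace above can be reproduced offline to find which certificate name is wrong. This is an added example, not code from Ambari or the JDK: it applies the usual rule that dNSName SAN entries, when present, are the only names considered and the CN is consulted only when there are none. The certificate dictionaries (in the format of Python's `ssl.SSLSocket.getpeercert()`) are constructed samples, and wildcard handling is simplified to a whole leftmost label.

```python
from urllib.parse import urlsplit

def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match; '*' is accepted only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels so '*.com' never matches.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_ldaps_identity(ldap_url: str, cert: dict) -> tuple:
    """Return (ok, reason) for the host in ldap_url against a getpeercert()-style dict."""
    host = urlsplit(ldap_url).hostname
    if host is None:
        return False, "no host in URL"
    dns_sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if dns_sans:
        # DNS SANs exist: the CN is ignored, even if it would have matched.
        if any(_dns_match(n, host) for n in dns_sans):
            return True, "matched SAN"
        return False, f"No subject alternative DNS name matching {host} found (SANs: {dns_sans})"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_match(n, host) for n in cns):
        return True, "matched CN (no DNS SAN present)"
    return False, f"No name matching {host} found"

# Constructed sample data (not taken from the report).
URL = "ldaps://adserver.example.com:636"
CERT_SAN_MISMATCH = {  # CN matches, but the DNS SAN names a different host
    "subject": ((("commonName", "adserver.example.com"),),),
    "subjectAltName": (("DNS", "dc01.ad.example.com"),),
}
CERT_SAN_MATCH = {
    "subject": ((("commonName", "dc01.ad.example.com"),),),
    "subjectAltName": (("DNS", "dc01.ad.example.com"), ("DNS", "adserver.example.com")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "adserver.example.com"),),)}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    for name in ("CERT_SAN_MISMATCH", "CERT_SAN_MATCH", "CERT_CN_ONLY", "CERT_WILDCARD"):
        print(name, check_ldaps_identity(URL, globals()[name]))
```

The first sample shows why a certificate whose CN looks correct can still produce the SAN error: once any DNS SAN is present, the CN no longer counts.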