Posted to issues@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2018/08/09 16:32:00 UTC
[jira] [Created] (AMBARI-24447) No subject alternative DNS name
exception encountered when Enabling Kerberos against an Active Directory
even when SSL verification is off
Robert Levas created AMBARI-24447:
-------------------------------------
Summary: No subject alternative DNS name exception encountered when Enabling Kerberos against an Active Directory even when SSL verification is off
Key: AMBARI-24447
URL: https://issues.apache.org/jira/browse/AMBARI-24447
Project: Ambari
Issue Type: Bug
Components: ambari-server
Affects Versions: 2.7.0
Reporter: Robert Levas
Assignee: Robert Levas
Fix For: 2.7.1
No subject alternative DNS name exception encountered when Enabling Kerberos against an Active Directory even when SSL verification is off.
{noformat}
2018-08-09 14:48:28,275 WARN [ambari-client-thread-35] ADKerberosOperationHandler:471 - Failed to communicate with the Active Directory at ldaps://adserver.example.com:636: adserver.example.com:636
javax.naming.CommunicationException: adserver.example.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching adserver.example.com found.]
at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
...
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching adserver.example.com found.
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
...
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching adserver.example.com found.
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:214)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:459)
at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1026)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:993)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
{noformat}
Note: This occurs when the hostname embedded in the SSL certificate does not match the hostname of the Active Directory host and OpenJDK 1.8.181-b13 is used. This is not seen when Oracle JDK is used.
{noformat:title=Observed with this version of JDK}
openjdk version "1.8.0_181"
OpenJDK Runtime Environment (build 1.8.0_181-b13)
OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)
{noformat}
{noformat:title=Not observed with this version of JDK}
java version "1.8.0_112"
Java(TM) SE Runtime Environment (build 1.8.0_112-b15)
Java HotSpot(TM) 64-Bit Server VM (build 25.112-b15, mixed mode)
{noformat}
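The exception text in the trace above comes from the JDK's hostname check on the server certificate. The following is an added example, not code from Ambari or the JDK: a simplified Python approximation of that check, useful for testing ahead of time whether an Active Directory certificate names the host used in the LDAPS URL. The function names, the `dc01.corp.example.com` host and both certificate dicts are constructed for illustration; the dicts use the layout returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import re

def _label_match(pattern, label):
    # '*' matches any run of characters inside a single label, never a dot.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, label) is not None

def dns_name_matches(pattern, hostname):
    # Simplified rule: a wildcard is honoured only in the leftmost label.
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    return len(p) == len(h) and _label_match(p[0], h[0]) and p[1:] == h[1:]

def check_identity(cert, hostname):
    """Return "ok" or a message shaped like the JDK's CertificateException text.

    If the certificate carries any dNSName subject alternative names, only
    those are consulted; the subject CN is a fallback used when none exist.
    """
    dns_sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_sans:
        if any(dns_name_matches(s, hostname) for s in dns_sans):
            return "ok"
        return f"No subject alternative DNS name matching {hostname} found."
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    if any(dns_name_matches(cn, hostname) for cn in cns):
        return "ok"
    return f"No name matching {hostname} found."

# Constructed sample: certificate issued for the domain controller's own
# name, while clients connect through a different alias.
AD_CERT = {
    "subject": ((("commonName", "dc01.corp.example.com"),),),
    "subjectAltName": (("DNS", "dc01.corp.example.com"),),
}
# Constructed sample: legacy certificate with a CN and no SAN extension.
CN_ONLY_CERT = {"subject": ((("commonName", "adserver.example.com"),),)}

if __name__ == "__main__":
    for name in ("adserver.example.com", "dc01.corp.example.com"):
        print(name, "->", check_identity(AD_CERT, name))
    print(check_identity(CN_ONLY_CERT, "adserver.example.com"))
```
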