Errors with subject alternative name SSL certificate even when they are matching

g1patnaik
Contributor
February 2, 2019

Hi,

I am receiving the following error with some plugins:

javax.net.ssl.SSLPeerUnverifiedException: Certificate for <192.168.60.5> doesn't match any of the subject alternative names: [192.168.60.5, localhost, 127.0.0.1]

As you can see, the servername mentioned DOES match with one of the alternative names. (I have regenerated the certificate when they were really NOT matching)

  • I am just evaluating JIRA on local desktop VMs and not using any DNS naming for the JIRA IP: 192.168.60.5
  • I have set up a proxy with nginx running on 443 with SSL enabled.
  • I have imported my server certificate that I use with nginx to java keystore (and the Suggested Alternative Names in the above error message are read from that server certificate)
  • My JIRA application is running on 8080 without SSL and using https scheme and my proxy on 443.

Now, I can see the JIRA application is reachable and looks okay. But some plugins like HealthCheck get the above error.

Certificate in Keystore:

#keytool -list -v -keystore /etc/pki/java/cacerts -alias jiratest
Enter keystore password:
Alias name: jiratest
Creation date: Feb 2, 2019
Entry type: trustedCertEntry

Owner: CN="JIRA Test - Jeevan", O=MyCompany, L=Hyderabad, ST=Telangana, C=IN
Issuer: CN="JIRA Test - Jeevan", O=MyCompany, L=Hyderabad, ST=Telangana, C=IN
Serial number: efa8e2ffe8548025
Valid from: Sat Feb 02 15:14:20 IST 2019 until: Sun Feb 02 15:14:20 IST 2020
Certificate fingerprints:
MD5: A7:1A:5B:7A:D7:9C:72:E3:D0:83:C1:06:8A:5E:F4:D3
SHA1: BD:09:AE:E8:BD:3D:3B:28:15:38:52:42:AC:3A:51:96:3F:6A:A6:09
SHA256: 61:F2:AA:16:F8:A9:B9:32:0B:8A:64:D0:83:0C:27:EB:59:CF:74:EE:9A:42:B6:0E:3B:23:34:C9:5F:95:7E:12
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: 192.168.60.5
DNSName: localhost
DNSName: 127.0.0.1
]

Any ideas please? 

 

Thank you!

1 answer

0 votes
Andy Heinzer
Atlassian Team
February 6, 2019

Take a look at https://stackoverflow.com/questions/2043617/is-it-possible-to-have-ssl-certificate-for-ip-address-not-domain-name

It looks like it was once possible to do this with private IP addresses, but from looking at the 3rd answer it seems this isn't possible anymore.

The short answer is yes, as long as it is a public IP address.

Issuance of certificates to reserved IP addresses is not allowed, and all certificates previously issued to reserved IP addresses were revoked as of 1 October 2016.

According to the CA Browser forum, there may be compatibility issues with certificates for IP addresses unless the IP address is in both the commonName and subjectAltName fields. This is due to legacy SSL implementations which are not aligned with RFC 5280, notably, Windows OS prior to Windows 10.
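
Added example (not part of the original thread): the keytool listing in the question shows every SAN entry typed as DNSName, while RFC 2818 section 3.1 compares an IP-address host only against iPAddress entries. The Python sketch below parses that listing and applies the type-aware comparison; the function names are illustrative and wildcard matching is omitted.

```python
import ipaddress
import re

# SubjectAlternativeName block copied from the keytool listing in the question.
KEYTOOL_LISTING = """\
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: 192.168.60.5
DNSName: localhost
DNSName: 127.0.0.1
]
"""

def parse_sans(listing):
    """Return (type, value) pairs from a keytool SubjectAlternativeName block."""
    block = re.search(r"SubjectAlternativeName \[(.*?)\]", listing, re.S)
    if block is None:
        return []
    entries = re.finditer(r"^\s*(\w+):\s*(.+)$", block.group(1), re.M)
    return [(m.group(1), m.group(2).strip()) for m in entries]

def as_ip(text):
    """Parse an IPv4/IPv6 literal, or return None for anything else."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def host_matches(host, sans):
    """Type-aware comparison: IP hosts against IPAddress entries only,
    names against DNSName entries only (exact match, wildcards omitted)."""
    host_ip = as_ip(host)
    if host_ip is not None:
        return any(t == "IPAddress" and as_ip(v) == host_ip for t, v in sans)
    return any(t == "DNSName" and v.lower() == host.lower() for t, v in sans)

def mistyped_entries(sans):
    """IP literals stored as DNSName; an IP host can never match these."""
    return [v for t, v in sans if t == "DNSName" and as_ip(v) is not None]

if __name__ == "__main__":
    sans = parse_sans(KEYTOOL_LISTING)
    print("192.168.60.5 matches:", host_matches("192.168.60.5", sans))
    print("localhost matches:", host_matches("localhost", sans))
    print("IP literals typed as DNSName:", mistyped_entries(sans))
```

For the IP to match, the certificate has to carry it as an iPAddress entry, for example `IP.1 = 192.168.60.5` in the OpenSSL config's subject alternative name list or `-ext SAN=ip:192.168.60.5` with keytool.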
