Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Active Directory SSL Integration

Mark Hodges
Mark Hodges September 26, 2017

Currently we have LDAPS configured on our AD controller with a certificate from an external PKI.  I have followed the instructions on how to add the certificate(s) to the keystore but I still get an error.

I've added the Root and the Intermediate to the cacerts file with their own alias's and then imported the server cert from the ad controller.  The error I get seems to suggest that the chain is not able to be followed:

 

Connection test failed. Response from the server:
adserver.fqdn.local:636; nested exception is javax.naming.CommunicationException: adserver.fqdn.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

I've tried a few other things but I can't seem to figure out how to link the certs together.  it seems like it should use the thumbprint from each cert to follow the chain of trust but doesn't seem to be working...

 

Answer
Watch
Like Be the first to like this
3955 views

4 answers

2 accepted

2 votes
Answer accepted
Davin Studer
Davin Studer
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
September 26, 2017

Did you restart Confluence after importing the certs? Also, try opening the keystore in "keystore explorer". See if it all looks good through there.

View More Comments
Davin Studer
Davin Studer
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
September 26, 2017

Also, did you import the certs to {ConfluenceInstall}/jre/lib/security/cacerts?

Like
Reply
1 vote
Answer accepted
AnnWorley
AnnWorley
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 26, 2017

I imagine you saw this page, since you are aware of the cacerts truststore for Java: Unable to Connect to SSL Services due to PKIX Path Building Failed

That error PKIX path building failed is definitely an SSL error as you surmised. The article I linked above has several points to check under the resolution section. It also links to diagnostic tools that can help you find where the misconfiguration is. Sometimes it's as simple as adding the certs to the right truststore.

Reply
0 votes
Mark Hodges
Mark Hodges September 27, 2017

Ok..another wrinkle...the LDAP connection to the AD controller is working and passing testing but I can't look up any users.

 

Test retrieve user : Failedorg.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: domain.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching domain.local found]]

Obviously the ldap is pointing a the AD controller using a certificate for the ADcontroller name....and also obviously there are no certificates for just the domain.local (its just a self signed cert and NOT a SAN cert.

Why does it keep trying to just lookup domain.local when doing a user test.

Our users are just using the account part of the upn (or samAccountName) to login

Reply
0 votes
Mark Hodges
Mark Hodges September 27, 2017

I didn't actually see that PKIX website...thanks for that....

C:\Program Files\Atlassian\Confluence\jre\bin>java SSLPoke ad01server.domain.local 636
Successfully connected

So it did connect successfully so the trust is in place it looks like.

You both get a gold star because once i confirmed the ssl cert, I restarted the server (which i didn't see in any of the instructions before) and its working now

Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
AUG Leaders

Atlassian Community Events

    See all events