Connect to LDAPs

Hi there,

I am trying to connect from Confluence 7.1 to our LDAPS server, and the server always throws this error message:

Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: pnw.loc:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: critical policy qualifiers present in certificate]]

I imported our root-ca, sub-ca, server-cert and ldaps-cert into the only truststore from the Confluence 7.1 installation and checked the ssl connection via SSL Poke

E:\Confluence-home\jre\bin>java.exe SSLPoke adldaps.pnw.loc 636
Successfully connected

This works... but as you can see from the error message, Confluence wants to connect to "pnw.loc 636". When I try that with SSLPoke:

E:\Confluence-home\jre\bin>java.exe SSLPoke pnw.loc 636
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: critical policy qualifiers present in certificate
        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:259)
        at sun.security.validator.Validator.validate(Validator.java:262)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:750)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
        at SSLPoke.main(SSLPoke.java:31)
Caused by: java.security.cert.CertPathValidatorException: critical policy qualifiers present in certificate
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
        ... 15 more
Caused by: java.security.cert.CertPathValidatorException: critical policy qualifiers present in certificate
        at sun.security.provider.certpath.PolicyChecker.processPolicies(PolicyChecker.java:487)
        at sun.security.provider.certpath.PolicyChecker.checkPolicy(PolicyChecker.java:225)
        at sun.security.provider.certpath.PolicyChecker.check(PolicyChecker.java:180)
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
        ... 20 more

you see??

I had a look at the config DB, and the LDAP server is set correctly (adldaps.pnw.loc).

I asked Atlassian.... and they asked me to ask you...

Anyone an idea?

Kind Regards

Tim 

1 answer

Hi @Tim_Wisian!

I've done some research and it seems that there may be something wrong with your certificates. From here we can see the cause of this error:

    // retrieve policy qualifiers from cert
    Set<PolicyQualifierInfo> pQuals = curPolInfo.getPolicyQualifiers();
    // the policyQualifiersRejected flag is set in the params
    if (!pQuals.isEmpty() && rejectPolicyQualifiers && policiesCritical) {
        throw new CertPathValidatorException(
            "critical policy qualifiers present in certificate",
            null, null, -1, PKIXReason.INVALID_POLICY);
    }

So, the reason should be "the policyQualifiersRejected flag is set in the params".

Here's some theory:

https://www.sysadmins.lv/blog-en/certificate-policies-extension-all-you-should-know-part-1.aspx

I hope it helps somehow.

One more thing: the server I want to connect to is adldaps.pnw.loc, but the error message says pnw.loc 636....

When I try to connect to pnw.loc via 636 I do understand the error message, but not when connecting to adldaps.pnw.loc.

...

How can I debug Confluence to get a closer look at what's going on?

Where do I set "-Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005"... within the JVM options?

Kind Regards

Tim
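To confirm the answer's diagnosis without a debugger attached to Confluence, here is an added Java diagnostic (not Confluence, Atlassian or JDK code) that runs the JDK's own PKIX validation over a saved server chain against the Confluence truststore, once with the default policyQualifiersRejected=true and once with it set to false, and reports which certificate carries a critical Certificate Policies extension. The class name and the three arguments (a PEM file with the chain presented by the host in question, the truststore path, its password) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added diagnostic (not Confluence/Atlassian/JDK code). Args (assumed): chain PEM, truststore, password.
public class PolicyQualifierCheck {
    static final String CERT_POLICIES_OID = "2.5.29.32"; // id-ce-certificatePolicies

    // Parses all PEM certificates; drops a trailing self-issued root so the path ends below the anchor.
    static List<X509Certificate> loadChain(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        X509Certificate last = chain.get(chain.size() - 1);
        if (chain.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            chain.remove(chain.size() - 1);
        }
        return chain;
    }

    // Runs the PKIX validation Java's X509TrustManager runs; returns null on success, otherwise
    // the validator's reason and message (e.g. "INVALID_POLICY: critical policy qualifiers ...").
    static String validate(List<X509Certificate> chain, KeyStore trust, boolean rejectQualifiers) throws Exception {
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false);                   // isolate policy processing
        params.setPolicyQualifiersRejected(rejectQualifiers); // JDK default is true
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return null;
        } catch (CertPathValidatorException e) {
            return e.getReason() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        List<X509Certificate> chain = loadChain(args[0]);
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) { trust.load(in, args[2].toCharArray()); }
        for (X509Certificate cert : chain) { // which certificate carries a critical policies extension?
            Set<String> crit = cert.getCriticalExtensionOIDs();
            System.out.println(cert.getSubjectX500Principal() + " critical certificatePolicies="
                    + (crit != null && crit.contains(CERT_POLICIES_OID)));
        }
        System.out.println("policyQualifiersRejected=true : " + validate(chain, trust, true));
        System.out.println("policyQualifiersRejected=false: " + validate(chain, trust, false));
    }
}
```

If the chain fails only with policyQualifiersRejected=true, the truststore contents are not the problem: as the PolicyChecker condition quoted in the answer shows, the failure needs a certificate whose Certificate Policies extension is marked critical and carries qualifiers, and the output names which certificate that is.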
