Connect to LDAPs

Tim Wisian January 16, 2020

Hi there,

I'm trying to connect from Confluence 7.1 to our LDAPS server, and the server always throws this error message:

Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: pnw.loc:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: critical policy qualifiers present in certificate]]

I imported our root CA, sub CA, server cert and LDAPS cert into the only truststore of the Confluence 7.1 installation and checked the SSL connection via SSLPoke:

E:\Confluence-home\jre\bin>java.exe SSLPoke adldaps.pnw.loc 636
Successfully connected

This works... but as you can see from the error message, Confluence wants to connect to "pnw.loc 636". When I try that with SSLPoke:

E:\Confluence-home\jre\bin>java.exe SSLPoke pnw.loc 636
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: critical policy qualifiers present in certificate
        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:259)
        at sun.security.validator.Validator.validate(Validator.java:262)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:750)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
        at SSLPoke.main(SSLPoke.java:31)
Caused by: java.security.cert.CertPathValidatorException: critical policy qualifiers present in certificate
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
        ... 15 more
Caused by: java.security.cert.CertPathValidatorException: critical policy qualifiers present in certificate
        at sun.security.provider.certpath.PolicyChecker.processPolicies(PolicyChecker.java:487)
        at sun.security.provider.certpath.PolicyChecker.checkPolicy(PolicyChecker.java:225)
        at sun.security.provider.certpath.PolicyChecker.check(PolicyChecker.java:180)
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
        ... 20 more

you see??

I had a look at the config-DB and the LDAP-server is set correctly (adldaps.pnw.loc).

I asked Atlassian.... and they asked me to ask you...

Does anyone have an idea?

Kind Regards

Tim 

1 answer

0 votes
Grigory Salnikov
January 16, 2020

Hi @Tim Wisian !

I've done some research and it seems that there may be something wrong with your certificates. From here we can see the cause of this error:

// retrieve policy qualifiers from cert
Set<PolicyQualifierInfo> pQuals = curPolInfo.getPolicyQualifiers();
// the policyQualifiersRejected flag is set in the params
if (!pQuals.isEmpty() && rejectPolicyQualifiers && policiesCritical) {
    throw new CertPathValidatorException(
        "critical policy qualifiers present in certificate",
        null, null, -1, PKIXReason.INVALID_POLICY);
}

So, the reason should be "the policyQualifiersRejected flag is set in the params".

Here's some theory:

https://www.sysadmins.lv/blog-en/certificate-policies-extension-all-you-should-know-part-1.aspx

I hope it helps somehow.
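The flag that Grigory's snippet tests is PKIXParameters.policyQualifiersRejected. Its Javadoc states that it defaults to true, that when true the validator rejects any certificate carrying policy qualifiers in a certificatePolicies extension marked critical, and that an application which sets it to false takes over the duty of validating those qualifiers itself. The program below is an added example written for this thread; it is not code from the original post, from Confluence or from Atlassian. It loads the LDAPS server chain from a PEM file and the trust anchors from the Confluence truststore, reports which certificate in the chain carries a critical certificatePolicies extension (OID 2.5.29.32), and then runs the PKIX validation twice, with the JDK default and with the flag cleared, so you can confirm that the chain fails only because of the qualifiers. The class name, the command-line arguments (chain file, truststore path, truststore password) and the assumption that the chain file lists the server certificate first are mine.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/**
 * Added example (not from the thread): validate an LDAPS server chain against a
 * JKS truststore with policyQualifiersRejected = true (the JDK default, which is
 * what produced the error above) and again with the flag cleared.
 *
 * Assumed invocation:
 *   java PolicyQualifierCheck <chain.pem> <truststore.jks> <truststore-password>
 * chain.pem is assumed to hold the server certificate first, then the intermediates.
 */
public class PolicyQualifierCheck {

    // OID of the certificatePolicies extension (RFC 5280, section 4.2.1.4).
    private static final String CERT_POLICIES_OID = "2.5.29.32";

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: PolicyQualifierCheck <chain.pem> <truststore.jks> <password>");
            System.exit(2);
        }
        String chainFile = args[0];
        String trustStoreFile = args[1];
        char[] password = args[2].toCharArray();

        // Parse every PEM certificate in the chain file, in file order.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(Paths.get(chainFile))) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }

        // Only a certificatePolicies extension that is marked critical can trigger
        // "critical policy qualifiers present in certificate", so report criticality per cert.
        for (X509Certificate cert : chain) {
            Set<String> critical = cert.getCriticalExtensionOIDs();
            boolean criticalPolicies = critical != null && critical.contains(CERT_POLICIES_OID);
            boolean hasPolicies = cert.getExtensionValue(CERT_POLICIES_OID) != null;
            System.out.printf("%s%n  certificatePolicies present=%b critical=%b%n",
                    cert.getSubjectX500Principal(), hasPolicies, criticalPolicies);
        }

        // Trust anchors come from the same kind of JKS truststore the Confluence JRE uses.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(trustStoreFile))) {
            trustStore.load(in, password);
        }

        CertPath path = cf.generateCertPath(chain);
        validate(path, trustStore, true);   // JDK default: qualifiers in a critical extension are rejected
        validate(path, trustStore, false);  // application accepts responsibility for the qualifiers
    }

    private static void validate(CertPath path, KeyStore trustStore, boolean rejectQualifiers)
            throws Exception {
        // PKIXParameters(KeyStore) takes every trusted-certificate entry in the store as an anchor.
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false);  // keep the experiment offline; isolates the policy check
        params.setPolicyQualifiersRejected(rejectQualifiers);

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            PKIXCertPathValidatorResult result =
                    (PKIXCertPathValidatorResult) validator.validate(path, params);
            System.out.printf("policyQualifiersRejected=%b: OK, anchor=%s%n", rejectQualifiers,
                    result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getIndex() is the position in the chain of the offending certificate (-1 if unknown).
            System.out.printf("policyQualifiersRejected=%b: FAILED at index %d: %s (%s)%n",
                    rejectQualifiers, e.getIndex(), e.getMessage(), e.getReason());
        }
    }
}
```

To capture the chain a given name actually serves, use openssl s_client -connect pnw.loc:636 -showcerts </dev/null and paste the CERTIFICATE blocks into chain.pem; since SSLPoke succeeds against adldaps.pnw.loc but fails against pnw.loc, it is worth running the program once for each name and comparing which chain carries the critical extension. Clearing the flag in this program only confirms the diagnosis: it does not change what the JSSE trust manager does during Confluence's own handshake, so the lasting fix is on the certificate side, with the issuing CA emitting the certificate with the certificatePolicies extension non-critical or without qualifiers.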

Tim Wisian January 16, 2020

One more thing: the server I want to connect to is adldaps.pnw.loc, but the error message says pnw.loc 636....

When I try to connect to pnw.loc on port 636 I do understand the error message, but not when connecting to adldaps.pnw.loc.

...

Tim Wisian January 17, 2020

How can I debug Confluence to get a closer look at what's going on?

Where do I set "-Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005" within the JVM options?

Kind Regards

Tim
