Hi there,
I am trying to connect from Confluence 7.1 to our LDAPS server, and the server always throws the error message:
Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: pnw.loc:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: critical policy qualifiers present in certificate]]
I imported our root CA, sub CA, server cert and LDAPS cert into the only truststore of the Confluence 7.1 installation and checked the SSL connection via SSLPoke:
E:\Confluence-home\jre\bin>java.exe SSLPoke adldaps.pnw.loc 636
Successfully connected
This works... but as you can see from the error message, Confluence wants to connect to "pnw.loc 636". When I try that with SSLPoke:
E:\Confluence-home\jre\bin>java.exe SSLPoke pnw.loc 636
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: critical policy qualifiers present in certificate
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:259)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:750)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
at SSLPoke.main(SSLPoke.java:31)
Caused by: java.security.cert.CertPathValidatorException: critical policy qualifiers present in certificate
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
... 15 more
Caused by: java.security.cert.CertPathValidatorException: critical policy qualifiers present in certificate
at sun.security.provider.certpath.PolicyChecker.processPolicies(PolicyChecker.java:487)
at sun.security.provider.certpath.PolicyChecker.checkPolicy(PolicyChecker.java:225)
at sun.security.provider.certpath.PolicyChecker.check(PolicyChecker.java:180)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
... 20 more
you see??
I had a look at the config-DB and the LDAP-server is set correctly (adldaps.pnw.loc).
I asked Atlassian.... and they asked me to ask you...
Anyone have an idea?
Kind Regards
Tim
Hi @Tim Wisian!
I've done some research and it seems that there may be something wrong with your certificates. From here we can see the cause of this error:
// retrieve policy qualifiers from cert
Set<PolicyQualifierInfo> pQuals = curPolInfo.getPolicyQualifiers();
// the policyQualifiersRejected flag is set in the params
if (!pQuals.isEmpty() && rejectPolicyQualifiers && policiesCritical) {
    throw new CertPathValidatorException("critical policy qualifiers present in certificate",
            null, null, -1, PKIXReason.INVALID_POLICY);
}
So, the reason should be "the policyQualifiersRejected flag is set in the params".
Here's some theory:
https://www.sysadmins.lv/blog-en/certificate-policies-extension-all-you-should-know-part-1.aspx
I hope it helps somehow.
One more thing is that the server to connect to is adldaps.pnw.loc, while the error message says pnw.loc 636....
When I try to connect to pnw.loc via 636 I do understand the error message, but not when connecting to adldaps.pnw.loc.
...
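To narrow the cause down outside of Confluence, here is a small diagnostic (added as an example; it is not part of this thread, of Confluence or of the JDK) that validates an exported chain against the Confluence truststore twice, once with the JDK default where policy qualifiers are rejected and once with PKIXParameters.setPolicyQualifiersRejected(false), and reports which certificate carries a critical certificatePolicies extension. The class name PolicyCheck and the argument layout are my own assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Hypothetical diagnostic, not part of Confluence:
//   java PolicyCheck <truststore> <password> <leaf.pem> [intermediate.pem ...]
// Pass the chain leaf first, intermediates next; leave the root out, it is the
// trust anchor taken from the truststore.
public class PolicyCheck {
    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        for (int i = 2; i < args.length; i++) {
            try (InputStream in = new FileInputStream(args[i])) {
                chain.add((X509Certificate) cf.generateCertificate(in));
            }
        }
        // The JDK check quoted above only fires when the certificatePolicies
        // extension (OID 2.5.29.32) is marked critical, so report that per cert.
        for (X509Certificate c : chain) {
            boolean critical = c.getCriticalExtensionOIDs() != null
                    && c.getCriticalExtensionOIDs().contains("2.5.29.32");
            System.out.println(c.getSubjectX500Principal() + " : certificatePolicies critical=" + critical);
        }
        CertPath path = cf.generateCertPath(chain);
        System.out.println("JDK default (qualifiers rejected) : " + validate(path, ts, true));
        System.out.println("policyQualifiersRejected=false    : " + validate(path, ts, false));
    }

    static String validate(CertPath path, KeyStore ts, boolean rejectQualifiers) throws Exception {
        PKIXParameters params = new PKIXParameters(ts);   // trust anchors = truststore entries
        params.setRevocationEnabled(false);               // isolate the policy check from CRL/OCSP
        params.setPolicyQualifiersRejected(rejectQualifiers);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return "OK";
        } catch (CertPathValidatorException e) {
            return "FAILED: " + e.getMessage() + " (reason " + e.getReason() + ")";
        }
    }
}
```

If only the second run passes, the chain is otherwise valid and the failure is exactly the critical policy qualifier check; the certificate flagged as critical=true is the one to look at with your CA team.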
How can I debug Confluence to get a closer look at what's going on?
Where do I set "-Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005"... within the JVM options?
Kind Regards
Tim