I am setting up Confluence Data Center using the latest version of Java and am having issues connecting to LDAPS; I verified that I could connect to LDAP unsecured. The error is the following:
ldap.server.com:636; nested exception is javax.naming.CommunicationException: ldap.server.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ldap.server.com found.]
Could be as a result of LDAPS being more robust in this new version of Java; not sure how to fix this.
Change to LDAPS: https://www.oracle.com/technetwork/java/javase/8u181-relnotes-4479407.html#JDK-8200666
Thanks,
Hamzah Mirza
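Added example (not part of any post in this thread): the exception quoted above means the certificate lists DNS subject alternative names and none of them matches the hostname Confluence connects to. The sketch below lists a server's DNS SANs with `openssl` and applies a simplified exact or single-label-wildcard match; the function names `fetch_sans`, `san_matches` and `report` and the `dc01`/`dc02` node names are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a hostname against a certificate's DNS SANs.

# Print the DNS subjectAltName entries of the certificate served at host:port,
# one per line (needs network access and OpenSSL 1.1.1+ for "-ext").
fetch_sans() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# san_matches HOST SAN...: succeed if HOST equals a SAN, or matches a SAN
# whose left-most label is "*" (the wildcard covers exactly one label).
# Simplified, case-insensitive model of the hostname check.
san_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    shift
    for san in "$@"; do
        san=$(printf '%s' "$san" | tr 'A-Z' 'a-z')
        case "$san" in
            "$host") return 0 ;;
            '*.'*)
                [ "${host%%.*}" != "$host" ] &&
                    [ "${host#*.}" = "${san#\*.}" ] && return 0 ;;
        esac
    done
    return 1
}

# report HOST SAN...: print a one-line verdict for HOST.
report() {
    if san_matches "$@"; then
        echo "$1: covered by a DNS SAN"
    else
        echo "$1: NOT covered (expect 'No subject alternative DNS name matching $1 found')"
    fi
}

# Constructed sample: a certificate issued to two cluster nodes only,
# queried first through an alias that is not listed in it.
report ldap.server.com dc01.server.com dc02.server.com
report dc01.server.com dc01.server.com dc02.server.com
# Live use (host and port as given in the thread):
#   report ldap.server.com $(fetch_sans ldap.server.com 636)
```

If the name is not covered, reissuing the certificate with that name as a SAN, or connecting by a name the certificate does list, resolves the error while leaving endpoint identification enabled.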
Hi,
Please try the below in setenv.sh.
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"
It works for me in Confluence 5.10.2 Data Centre version.
Our LDAP servers are a large cluster environment. I don't believe I would have to add it to the /etc/hosts file, as the unsecured connection to LDAP is being made, so the servers are reachable.
As a side note, our Jira setup had a similar issue but was fixed by us adding
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
to /opt/atlassian/jira/bin/setenv.sh JAVA_OPTS. This fix did not work with Confluence.
@Hamzah Mirza it seems you're having a similar issue to this: https://jira.atlassian.com/browse/CONFSERVER-38853
This looks promising. It looks like there are 2 fixes from issue https://jira.atlassian.com/browse/CONFSERVER-39309.
I won't disable SSL, but the first option says to add the JVM argument
-Djdk.tls.trustNameService=true
Where would I add this in the setenv.sh?
@Hamzah Mirza You can add that into the setenv.sh file; add a new line like the following:
CATALINA_OPTS="-Djdk.tls.trustNameService=true ${CATALINA_OPTS}"
@[deleted] I tried adding that to the setenv.sh file and restarting Confluence; unfortunately, it didn't fix the issue.
My setenv.sh:
# See the CATALINA_OPTS below for tuning the JVM arguments used to start Confluence.
echo "If you encounter issues starting up Confluence, please see the Installation guide at http://confluence.atlassian.com/display/DOC/Confluence+Installation+Guide"
# set the location of the pid file
if [ -z "$CATALINA_PID" ] ; then
    if [ -n "$CATALINA_BASE" ] ; then
        CATALINA_PID="$CATALINA_BASE"/work/catalina.pid
    elif [ -n "$CATALINA_HOME" ] ; then
        CATALINA_PID="$CATALINA_HOME"/work/catalina.pid
    fi
fi
export CATALINA_PID
PRGDIR=`dirname "$0"`
if [ -z "$CATALINA_BASE" ]; then
    if [ -z "$CATALINA_HOME" ]; then
        LOGBASE=$PRGDIR
        LOGTAIL=..
    else
        LOGBASE=$CATALINA_HOME
        LOGTAIL=.
    fi
else
    LOGBASE=$CATALINA_BASE
    LOGTAIL=.
fi
PUSHED_DIR=`pwd`
cd $LOGBASE
cd $LOGTAIL
LOGBASEABS=`pwd`
cd $PUSHED_DIR
echo ""
echo "Server startup logs are located in $LOGBASEABS/logs/catalina.out"
# IMPORTANT NOTE: Only set JAVA_HOME or JRE_HOME above this line
# Get standard Java environment variables
if $os400; then
    # -r will Only work on the os400 if the files are:
    # 1. owned by the user
    # 2. owned by the PRIMARY group of the user
    # this will not work if the user belongs in secondary groups
    . "$CATALINA_HOME"/bin/setjre.sh
else
    if [ -r "$CATALINA_HOME"/bin/setjre.sh ]; then
        . "$CATALINA_HOME"/bin/setjre.sh
    else
        echo "Cannot find $CATALINA_HOME/bin/setjre.sh"
        echo "This file is needed to run this program"
        exit 1
    fi
fi
echo "---------------------------------------------------------------------------"
echo "Using Java: $JRE_HOME/bin/java"
CONFLUENCE_CONTEXT_PATH=`$JRE_HOME/bin/java -jar $CATALINA_HOME/bin/confluence-context-path-extractor.jar $CATALINA_HOME`
export CONFLUENCE_CONTEXT_PATH
$JRE_HOME/bin/java -jar $CATALINA_HOME/bin/synchrony-proxy-watchdog.jar $CATALINA_HOME
echo "---------------------------------------------------------------------------"
# Set the JVM arguments used to start Confluence. For a description of the options, see
# http://www.oracle.com/technetwork/java/javase/tech/vmoptions-jsp-140102.html
CATALINA_OPTS="-XX:-PrintGCDetails -XX:+PrintGCDateStamps -XX:-PrintTenuringDistribution ${CATALINA_OPTS}"
CATALINA_OPTS="-Xloggc:$LOGBASEABS/logs/gc-`date +%F_%H-%M-%S`.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=2M ${CATALINA_OPTS}"
CATALINA_OPTS="-XX:G1ReservePercent=20 ${CATALINA_OPTS}"
CATALINA_OPTS="-Djava.awt.headless=true ${CATALINA_OPTS}"
CATALINA_OPTS="-Datlassian.plugins.enable.wait=300 ${CATALINA_OPTS}"
CATALINA_OPTS="-Xms10240m -Xmx10240m -XX:+UseG1GC ${CATALINA_OPTS}"
CATALINA_OPTS="-Dsynchrony.enable.xhr.fallback=true ${CATALINA_OPTS}"
CATALINA_OPTS="-Dorg.apache.tomcat.websocket.DEFAULT_BUFFER_SIZE=32768 ${CATALINA_OPTS}"
CATALINA_OPTS="${START_CONFLUENCE_JAVA_OPTS} ${CATALINA_OPTS}"
CATALINA_OPTS="-Dconfluence.context.path=${CONFLUENCE_CONTEXT_PATH} ${CATALINA_OPTS}"
CATALINA_OPTS="-XX:ReservedCodeCacheSize=256m -XX:+UseCodeCacheFlushing ${CATALINA_OPTS}"
CATALINA_OPTS="-Djdk.tls.trustNameService=true ${CATALINA_OPTS}"
export CATALINA_OPTS