Today I updated my SSL certificate and everything went fine, until it was time to log in to my Crowd and other applications.
I couldn't do it.
I decided to go back to my old expired certificate, but I had the very same problem I was already having with Crowd:
Connection to authentication server failed. Please review the logs for more information.
After doing some research I played with my crowd.properties file (which, until now, was working perfectly). After switching my crowd.server.url and my login.url to http instead of https, the login at Crowd works, while the logins in other apps are still not working at all.
I tried to switch back to my old expired SSL certificate, but the result was the same.
I have tried almost everything, with no luck whatsoever.
Please, could somebody help me?
This is my log:
Hi @Danel Sánchez,
Your log files look pretty similar to those mentioned in this community post. However, it is still unclear to me why reapplying the old certificate did not restore the service.
It might be related to the SNI support enabled by default since Java 7. Please take a look at this KB article and try to apply the suggested solution.
Please let me know if this helped you.
Best Regards,
Marcin Kempa
Thank you for your reply, Marcin.
I took some time to review the issue and followed your recommendation and added this to my JAVA-OPTS:
-Djsse.enableSNIExtension=false
However, the result remains the same. No matter the kind of certificate I use, I get this in my log:
018-02-20 20:12:10,990 http-bio-MYIP-MYPORT-exec-8 INFO [service.soap.client.SecurityServerClientImpl] Existing application token is null, authenticating ...
2018-02-20 20:12:11,142 http-bio-MYIP-MYPORT-exec-8 ERROR [xfire.transport.http.HttpChannel] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Sometimes it prompts me to:
2018-02-20 20:12:11,217 http-bio-MYIP-MYPORT-exec-8 ERROR [crowd.console.action.Login] Failed to connect to the authentication server, please check your crowd.properties
I'm entirely lost over here.
Hi @Danel Sánchez,
In your first post you mentioned that you updated the certificate. Did you also add this new certificate to Java's key-store as described here?
Best Regards,
Marcin Kempa
Hello @Marcin Kempa,
I did not, and maybe it would have helped, however, I didn't have to: I finally got it solved. Probably nobody will come up with the same mistake as I, but I'll share how I fixed this just in case:
Comparing the two keystores I had (which are the same, but I made a backup just in case) I noticed a subtle difference:
I didn't append my domain validation certificate to the key. Awkwardly, Confluence, JIRA and Bitbucket worked flawlessly without appending it, but Crowd did not.
After appending the domain validation certificate to the key, Crowd worked over HTTPS without any problems, the SSO started to work instantly and everything went back to normal.
----------------------------
Notes for noobies like me:
After the old certificate expired, Crowd stopped working:
The new certificate was not properly configured, which made Crowd show the very same behavior as before with the expired one:
The errors, however, were mostly the same.
----------------------------
Hope this helps somebody in the future.
Thank you for your time, Marcin.
Kind regards,
Danel Sánchez
I am glad that you were able to resolve the issue.
So if I get it right the issue was that your domain validating certificate could not be verified by the JVM running Crowd and adding it to the key store solved the problem?
Best Regards,
Marcin Kempa
After appending the domain validation certificate to the key
Can you describe this process in more detail?
You just pasted the cert into the same file as the private key?
I don't understand this requirement.
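As an added illustration of the chain problem discussed in this thread (not code from any poster or from Atlassian), the script below assumes that the "domain validation certificate" is the CA's intermediate certificate. It builds a constructed throwaway chain with openssl and shows that a client trusting only the root rejects the bare server certificate with an "issuer not found" style failure, and accepts it once the intermediate is appended. All names and file paths are hypothetical.

```shell
#!/bin/sh
# Constructed demo: throwaway root CA -> intermediate CA -> server certificate.
# Every name (demo-root, demo-intermediate, crowd.example.test) is made up.
WORK=$(mktemp -d)

make_chain() (
  cd "$WORK" || exit 1
  cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed root: the only certificate the client trusts.
  openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=demo-root" -days 2 || exit 1
  # Intermediate CA signed by the root.
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -keyout int.key -out int.csr -subj "/CN=demo-intermediate" || exit 1
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile demo.cnf -extensions v3_ca -out int.pem -days 2 || exit 1
  # Server (leaf) certificate signed by the intermediate.
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=crowd.example.test" || exit 1
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out leaf.pem -days 2 || exit 1
  # What "appending" produces: leaf first, then the issuing CA certificate.
  cat leaf.pem int.pem > fullchain.pem
) >/dev/null 2>&1

# Client trusts only the root and is given only the leaf: no path can be built.
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}
# Same trust store, but the supplied bundle also carries the intermediate.
verify_with_appended_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/fullchain.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

make_chain || exit 1
verify_leaf_only && echo "leaf only: OK" || echo "leaf only: FAILED (issuer not found)"
verify_with_appended_chain && echo "appended chain: OK" || echo "appended chain: FAILED"
```

Against a real server, `openssl s_client -connect host:port -showcerts` lists the certificates actually sent, which shows whether the intermediate is missing from the configured keystore entry.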