
Crowd: 'Connection to authentication server failed' after switching to https

Danel Sánchez February 3, 2018

Today I updated my SSL certificate and everything went fine, until it was time to log in to my Crowd and other applications.
I couldn't do it.

I decided to go back to my old expired certificate, but I had the very same problem I was already having with Crowd:
Connection to authentication server failed. Please review the logs for more information.

After doing some research I played with my crowd.properties file (which, until now, was working perfectly). After switching my crowd.server.url and my login.url to http instead of https, the login at Crowd works, while the login in other apps is still not working at all.

I tried to switch back to my old expired SSL certificate, but the result was the same.

I have tried almost everything, with no luck whatsoever.
Please, could somebody help me?

This is my log:

https://justpaste.it/1gm7k

1 answer

0 votes
Marcin Kempa
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
February 4, 2018

Hi @Danel Sánchez,

 

Your log files look pretty similar to those mentioned in this community post. However, it is still unclear to me why reapplying the old certificate did not restore the service.

It might be related to the SNI support enabled by default since Java 7. Please take a look at this KB article and try to apply the suggested solution.

 

Please let me know if this helped you.

 

Best Regards,

Marcin Kempa

Danel Sánchez February 20, 2018

Thank you for your reply, Marcin.

I took some time to review the issue and followed your recommendation and added this to my JAVA-OPTS:

-Djsse.enableSNIExtension=false

However, the result remains the same. No matter the kind of certificate I use, I get this on my log:

 

2018-02-20 20:12:10,990 http-bio-MYIP-MYPORT-exec-8 INFO [service.soap.client.SecurityServerClientImpl] Existing application token is null, authenticating ...
2018-02-20 20:12:11,142 http-bio-MYIP-MYPORT-exec-8 ERROR [xfire.transport.http.HttpChannel] javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Sometimes it prompts me to:


2018-02-20 20:12:11,217 http-bio-MYIP-MYPORT-exec-8 ERROR [crowd.console.action.Login] Failed to connect to the authentication server, please check your crowd.properties

I'm entirely lost over here.

Marcin Kempa
Atlassian Team
February 20, 2018

Hi @Danel Sánchez,

 

In your first post you mentioned that you updated the certificate. Did you also add this new certificate to Java's key-store as described here?

 

Best Regards,

Marcin Kempa

Danel Sánchez February 20, 2018

Hello @Marcin Kempa,

I did not, and maybe it would have helped, however, I didn't have to: I finally got it solved. Probably nobody will come up with the same mistake as I, but I'll share how I fixed this just in case:

Comparing the two keystores I had (which are the same, but I made a backup just in case) I noticed a subtle difference:

I didn't append my domain validation certificate to the key. Awkwardly, Confluence, JIRA and Bitbucket worked flawlessly without appending it, but Crowd did not.

After appending the domain validation certificate to the key, Crowd worked over HTTPS without any problems, the SSO started to work instantly and everything went back to normal.

----------------------------

Notes for noobies like me:

After the old certificate expired, Crowd stopped working:

  • The access to the webpage worked (after adding the website to exceptions on the browser).
  • The login (more technically speaking, the Crowd Application), and therefore, the login of every application configured with SSO did not work.

The new certificate was not properly configured, which made Crowd show the very same behavior as before with the expired one:

  • In the first case, because it was expired.
  • In the second case, because it couldn't check it was validated.

The errors, however, were mostly the same.

----------------------------

Hope this helps somebody in the future.

Thank you for your time, Marcin.

 

Kind regards,

Danel Sánchez

Marcin Kempa
Atlassian Team
February 20, 2018

I am glad that you were able to resolve the issue.

So if I get it right the issue was that your domain validating certificate could not be verified by the JVM running Crowd and adding it to the key store solved the problem?

 

Best Regards,

Marcin Kempa

Aaron Bauman
Contributor
September 4, 2019

"After appending the domain validation certificate to the key"

Can you describe this process in more detail?

You just pasted the cert into the same file as the private key?

I don't understand this requirement.
