Issue
- When trying to authenticate in Jenkins using LDAPS, I am getting the error shown below:
[Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching XXXXX found.]];
Environment
Resolution
In recent versions of the JDK there was a change in the way that the LDAP hostname is validated. The change was made to increase security, so the exception reported is a valid error that you should correct. You can get additional details on this change by reviewing the 1.8.181 Release Notes, under the Improve LDAP Support section.
To correct this properly, ensure that the certificate includes the complete host name from the URL of your LDAP server. You can do this in the Subject or in the Subject Alternative Name extension of the certificate.
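As an added example (not CloudBees or JDK code), the code below models the server identity check of RFC 2830 section 3.6 over certificates given in the dict layout of Python's `ssl.SSLSocket.getpeercert()`. The host names, certificates and function names are constructed for illustration. It shows that once a certificate carries DNS entries in its Subject Alternative Name extension, those entries decide the match, so the name the client connects to has to be listed there.

```python
# Added example: model of RFC 2830 section 3.6 server identity matching for
# LDAPS. Not the JDK's implementation; all names and certificates are constructed.

def _name_matches(pattern, host):
    """Case-insensitive match; '*' may only stand for the left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p == h:
        return True
    p_labels, h_labels = p.split("."), h.split(".")
    return (p_labels[0] == "*" and len(p_labels) > 1
            and len(p_labels) == len(h_labels)
            and p_labels[1:] == h_labels[1:])


def check_ldaps_identity(cert, host):
    """cert uses the dict layout of ssl.SSLSocket.getpeercert().
    Returns (ok, reason)."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        # dNSName entries, when present, are the identity source; CN is not used.
        if any(_name_matches(n, host) for n in dns_names):
            return True, "matched subjectAltName"
        # Reason text modeled on the error message quoted on this page.
        return False, f"No subject alternative DNS name matching {host} found."
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    if any(_name_matches(cn, host) for cn in cns):
        return True, "matched subject CN"
    return False, "no DNS subjectAltName and subject CN does not match"


# Constructed sample certificates (hypothetical host names).
CERT_SHORT_SAN = {"subject": ((("commonName", "ldap.example.com"),),),
                  "subjectAltName": (("DNS", "ldap"),)}
CERT_FIXED = {"subject": ((("commonName", "ldap.example.com"),),),
              "subjectAltName": (("DNS", "ldap"), ("DNS", "ldap.example.com"))}
CERT_WILDCARD = {"subject": ((("commonName", "directory"),),),
                 "subjectAltName": (("DNS", "*.example.com"),)}
CERT_CN_ONLY = {"subject": ((("commonName", "ldap.example.com"),),)}

if __name__ == "__main__":
    for label, cert in [("short SAN", CERT_SHORT_SAN), ("fixed", CERT_FIXED),
                        ("wildcard", CERT_WILDCARD), ("CN only", CERT_CN_ONLY)]:
        print(label, check_ldaps_identity(cert, "ldap.example.com"))
```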
There is a short-term workaround for this exception: add the following parameter to the Java options.
-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true
Please be sure that your security team validates this change, as it disables the extra security element included in the JDK, as mentioned previously.
Tested product/plugin versions
- CloudBees CI (CloudBees Core) on traditional platforms - Client controller v2.89.3.4
- JVM Implementation Version: 25.181-b25