[Solved] java.security.cert.CertificateException: No subject alternative names present

The “java.security.cert.CertificateException: No subject alternative names present” exception can be thrown when you are trying to make a secure connection over SSL and the hostname you are connecting to is not valid under the server's SSL certificate.

When the server certificate has SANs (subject alternative names), the requested hostname must match one of the subject alternative names. If the server's SSL certificate has no subject alternative names, the requested hostname must match the CN (common name) of the certificate.
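To make the matching rule above concrete, here is an added example (my own code, not from the article or the JDK) that applies it to a certificate in the dictionary shape Python's ssl.SSLSocket.getpeercert() returns. The sample certificates are constructed. One detail the stack trace in the question hints at (the LDAP host appears as an IP address, 186.116.60.21:636): when the client connects by IP literal, only an IP entry in the SAN can satisfy the check and the CN is never consulted, so a certificate with no SAN at all fails with exactly the message in the title. The error strings are modelled on the JDK's.

```python
import ipaddress

# Constructed sample certificates, only the fields the check needs.
CERT_WITH_SAN = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (
        ("DNS", "ldap.example.com"),
        ("DNS", "*.corp.example.com"),
        ("IP Address", "10.0.0.5"),
    ),
}
CERT_CN_ONLY = {
    "subject": ((("commonName", "ldap.example.com"),),),
}


def _dns_match(pattern, host):
    """Case-insensitive name match; a wildcard is only accepted as the whole
    leftmost label and only matches exactly one label (RFC 6125 style)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def _common_name(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def check_endpoint(cert, host):
    """Return None when host is valid for cert, otherwise the reason it is not."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    sans = cert.get("subjectAltName", ())

    if ip is not None:
        # IP literal: an IP SAN entry is the only thing that can match.
        if not sans:
            return "No subject alternative names present"
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return None
        return f"No subject alternative IP matching {host} found"

    dns_sans = [value for kind, value in sans if kind == "DNS"]
    if dns_sans:
        # DNS SAN entries exist: they are authoritative, the CN is ignored.
        if any(_dns_match(pattern, host) for pattern in dns_sans):
            return None
        return f"No subject alternative DNS name matching {host} found"

    # No DNS SAN entries: fall back to the CN (hostname connections only).
    cn = _common_name(cert)
    if cn and _dns_match(cn, host):
        return None
    return f"No name matching {host} found"


if __name__ == "__main__":
    for cert_name, cert in (("SAN cert", CERT_WITH_SAN), ("CN-only cert", CERT_CN_ONLY)):
        for host in ("ldap.example.com", "dc1.corp.example.com", "10.0.0.5"):
            print(f"{cert_name:13} {host:22} -> {check_endpoint(cert, host) or 'OK'}")
```

Running it shows the CN-only certificate passing for ldap.example.com but failing for 10.0.0.5 with "No subject alternative names present", which is the situation the rest of this post resolves: either point the user store at a name the CN covers, or reissue the certificate with the right SAN entries.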

Note: This blog post is about a specific issue related to LDAP connectivity after you upgrade/change the Java version. If your issue is not related to LDAP, please follow one of the links below to get a general idea of this error message.

Question

The following error blocks the startup of the WSO2 Identity Server after moving from Java version 1.8.0_151 to 1.8.0_181.

ERROR {org.wso2.carbon.user.core.common.AbstractUserStoreManager} - Cannot create org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)

Caused by: org.wso2.carbon.user.core.UserStoreException: Cannot create connection to LDAP server. Error message Error obtaining connection. 186.116.60.21:636

Caused by: org.wso2.carbon.user.core.UserStoreException: Error obtaining connection. <LDAP_HOST>:<LDAP_PORT>

Caused by: javax.naming.CommunicationException: <LDAP_HOST>:<LDAP_PORT> [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present]

Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present

Caused by: java.security.cert.CertificateException: No subject alternative names present

Answer

The reason for this error in Java 1.8.0_181 is that this update includes security improvements for LDAP support: “endpoint identification” has been enabled on LDAPS connections.

According to the JDK 8u181 Update Release Notes, endpoint identification algorithms have been enabled by default to improve the robustness of LDAPS (secure LDAP over TLS) connections.

This update applies to all of the following Java versions and their future releases.

  • 1.8.0_181-b13
  • 1.7.0_191-b08
  • 1.6.0_201-b07

There may be situations where some applications that were previously able to successfully connect to an LDAPS server may no longer be able to do so. Such applications may, if they deem appropriate, disable endpoint identification using a new system property: com.sun.jndi.ldap.object.disableEndpointIdentification.

As a quick fix, we can disable endpoint identification by adding the following property after the line “$JAVA_OPTS \” in <WSO2_HOME>/bin/wso2server.sh:

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true \

In a production environment, however, disabling this feature is not recommended. The better solution is to regenerate the LDAP server certificate so that its subject alternative name or subject name matches the hostname of the LDAP server configured in the primary or secondary user stores, which are defined in the following locations.

  • <WSO2_HOME>/repository/conf/user-mgt.xml
  • <WSO2_HOME>/repository/deployment/server/userstores/

Hope this article helps you add a Subject Alternative Name (SAN) to a self-signed certificate.

For CA-signed certificates, we have to renew the existing certificate with the SAN. To add SANs to a certificate, we can generate a Certificate Signing Request (CSR), submit it to the Certification Authority and get the certificate renewed. This does not generate new public/private keys, hence it will not cause any issues in the existing deployment.
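The practical difficulty with the proper fix is making sure the SAN list on the new certificate covers every host the user stores actually connect to, in the form endpoint identification will look for (an IP entry for an IP literal, a DNS entry for a hostname). The following added example (my own code, not WSO2's) reads the two locations named above, pulls the hosts out of each ConnectionURL property and emits the subjectAltName value for an OpenSSL request config. It assumes the LDAP endpoint is held in a <Property name="ConnectionURL"> element, as in WSO2's LDAP user store definitions; the XML snippets are constructed samples. JNDI accepts a space-separated list of provider URLs for failover, so each URL in the property is handled separately.

```python
import glob
import ipaddress
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed samples shaped like a primary (user-mgt.xml) and a secondary
# (userstores/*.xml) user store definition; only the relevant properties.
SAMPLE_USER_MGT_XML = """<UserManager>
  <Realm>
    <UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager">
      <Property name="ConnectionURL">ldaps://ldap.example.com:636</Property>
      <Property name="ConnectionName">uid=admin,ou=system</Property>
    </UserStoreManager>
  </Realm>
</UserManager>"""

SAMPLE_SECONDARY_XML = """<UserStoreManager class="org.wso2.carbon.user.core.ldap.ReadWriteLDAPUserStoreManager">
  <Property name="ConnectionURL">ldaps://10.0.0.5:636 ldaps://ldap2.example.com:636</Property>
</UserStoreManager>"""


def ldap_hosts_from_xml(xml_text):
    """Return the host of every URL found in ConnectionURL properties, in document order."""
    root = ET.fromstring(xml_text)
    hosts = []
    for prop in root.iter("Property"):
        if prop.get("name") != "ConnectionURL" or not prop.text:
            continue
        for url in prop.text.split():          # space-separated failover list
            hostname = urlsplit(url).hostname
            if hostname:
                hosts.append(hostname)
    return hosts


def san_entries(hosts):
    """Map each host to the SAN entry endpoint identification will require:
    IP:<addr> for an IP literal, DNS:<name> otherwise. Duplicates dropped, order kept."""
    entries = []
    for host in hosts:
        try:
            ipaddress.ip_address(host)
            entry = f"IP:{host}"
        except ValueError:
            entry = f"DNS:{host}"
        if entry not in entries:
            entries.append(entry)
    return entries


def openssl_san_line(hosts):
    """The value for 'subjectAltName = ...' in an OpenSSL request config."""
    return ",".join(san_entries(hosts))


def collect_hosts(wso2_home):
    """Read both locations the article names under <WSO2_HOME>; missing files are skipped."""
    paths = [os.path.join(wso2_home, "repository", "conf", "user-mgt.xml")]
    paths += sorted(glob.glob(os.path.join(
        wso2_home, "repository", "deployment", "server", "userstores", "*.xml")))
    hosts = []
    for path in paths:
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                hosts.extend(ldap_hosts_from_xml(fh.read()))
    return hosts


if __name__ == "__main__":
    hosts = ldap_hosts_from_xml(SAMPLE_USER_MGT_XML) + ldap_hosts_from_xml(SAMPLE_SECONDARY_XML)
    print("subjectAltName = " + openssl_san_line(hosts))
```

Put the printed line under a [v3_req] section referenced by req_extensions in the request config, then generate the CSR against the existing private key (openssl req -new -key <existing key> -config <that config> -out ldap.csr), which keeps the key pair unchanged as described above. If the configured host is an IP literal, the certificate must carry that IP entry; renaming the ConnectionURL to the DNS name the certificate already covers is the other way to bring the two into agreement.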