Reputation: 13
I'm trying to switch application authentication from LDAP (which works fine) to LDAPS via JAAS. The application runs on the JVM. I followed the vendor how-to (Rundeck - problem with jaas LDAPS configuration), but I am facing a problem.
From the log:
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <ActiveDirectoryIP> doesn't match any of the subject alternative names: <ActiveDirectoryFQDN>
I noticed that ActiveDirectoryFQDN in DNS is lowercase, but in the cert/PEM imported from the openssl s_client command it is uppercase. SSL certs should not be case-sensitive, but maybe Java treats it the other way around? As a workaround I tried to add an uppercase entry for ActiveDirectoryFQDN in /etc/hosts, and modified /etc/nsswitch to:
hosts: files [success=return] dns
but without joy. I cannot modify DNS.
Is there an argument to ignore SSLHandshakeException errors and/or generally disable SSL validation for the JVM (through OPTS)?
Upvotes: 0
Views: 619
Reputation: 13
No idea why I didn't think about it earlier. The solution is quite easy: I simply replaced <ActiveDirectoryIP> with <ActiveDirectoryFQDN> in the application configuration, as the AD cert has been issued only for the AD FQDN (no alt names for IPs).
Upvotes: 1
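To show why the IP failed and the FQDN works, the following is an added illustration (not code from the question, the answer, Rundeck or the JDK) that models the endpoint identification rule a TLS client applies to a certificate's Subject Alternative Names: an IP-literal endpoint is compared only against iPAddress entries, a DNS-name endpoint only against dNSName entries, and DNS names compare case-insensitively. The SAN list and host names are constructed placeholders.

```python
import ipaddress

# SAN entries as (type, value) pairs, the same shape Java's
# X509Certificate.getSubjectAlternativeNames() returns:
# type 2 = dNSName, type 7 = iPAddress.
DNS_NAME = 2
IP_ADDRESS = 7


def _dns_name_match(pattern: str, host: str) -> bool:
    """Match one dNSName entry against a host name, case-insensitively.
    A single wildcard is allowed only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                  # ".corp.example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def hostname_matches_san(requested: str, sans) -> bool:
    """Return True if the endpoint used to open the connection (the host
    part of the ldaps:// URL) is covered by a SAN entry of the right type."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None                          # requested is a DNS name
    for san_type, value in sans:
        if ip is not None and san_type == IP_ADDRESS:
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue                   # malformed iPAddress entry
        elif ip is None and san_type == DNS_NAME:
            if _dns_name_match(value, requested):
                return True
    return False


# Constructed stand-in for the AD certificate in the question: it carries
# only the FQDN (uppercase, as in the exported PEM) and no IP entry.
AD_CERT_SANS = [(DNS_NAME, "DC01.CORP.EXAMPLE.COM")]

if __name__ == "__main__":
    print(hostname_matches_san("dc01.corp.example.com", AD_CERT_SANS))  # True
    print(hostname_matches_san("192.0.2.10", AD_CERT_SANS))             # False
```

Connecting by IP can only succeed if the certificate carries a matching iPAddress entry; the case difference between DNS and the PEM is irrelevant to the check.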