How to avoid certificate exception: no subject alternate names present

Home Forums ForgeRock Products Directory Services How to avoid certificate exception: no subject alternate names present

Learn more about our upcoming Identity Summits

Tagged: 

This topic has 3 replies, 2 voices, and was last updated 1 year, 2 months ago by Jatinder Singh.

  • Author
    Posts
  • May 14, 2020 at 7:13 pm #27932
     dae
    Participant

    I attempted install of OpenDJ version 3.0 on rhel 7 server (having Java 1.8.0_251). During install process (rpm), I selected no to ssl/tls however when I started it up after installation was complete, I ran into following exception:

    Error reading configuration. Details:
javax.naming.CommunicationException: simple bind failed: 0.0.0.0:4444 [Root
exception is javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: No subject alternative names present]

    Can someone expound me why I am getting ^ exception? Thank you for your time!

    • This topic was modified 1 year, 2 months ago by Peter Major.
    May 14, 2020 at 8:11 pm #27933
     dae
    Participant

    So my 2nd attempt of install, I gave proper fqdn and set yes to ssl/tls to generate self signed cert. When I ran service opendj status, it says Running so far so good however when I executed /opt/opendj/bin/status which asked me user dn and its password, I still got same cert exception as earlier post describes. Maybe OpenDJ is running…and that exception is misleading somehow (I could be wrong on that assumption of course). what proper test I can run in order to verify OpenDJ is running safe and sound? I set base dn entry but it is empty now. I plan to import schema from Oracle OUD into OpenDJ.

    So atm, I like to know how to verify this ldap server is running? ldapsearch cmd?

    May 14, 2020 at 10:09 pm #27934
     dae
    Participant

    Plz bear with me. I wasn’t sure how to edit my 1st or 2nd post so that I decided to create another post.

    I followed: https://backstage.forgerock.com/knowledge/kb/article/a54816700 to verify if OpenDJ I stood up is handling ldap request…

    I ran this cmd first:

    ./ldapsearch --hostname foo.domain.com --port 636 --useSsl --trustAll --bindDN "cn=Directory Manager" --bindPassword password --baseDN "" --searchScope base "(objectclass=*)" 1.1
dn:

    Then I ran this cmd:

    ./ldapsearch --port 389 --baseDN "" --searchScope base "(&)" alive healthy
dn:

    Both returned empty dn: response. I like to know what this response means.. Again current OpenDJ is empty (no ldap schema is imported yet).

    May 15, 2020 at 9:25 pm #27941
     Jatinder Singh
    Participant

    The exception generally means the value (host) you are using to access your LDAP server does not match the SAN hostnames (DNS entries) present in your certificate. You have to use the same FQDN you used to set-up your Directory Server and is resolvable.

    Did you check your access logs to see if the BIND request was successful? If you were successfully able to connect but got an empty response, perhaps there’s nothing in your DS? The status will print the # of entries present.

  • Author
    Posts
Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.

Leaderboard

The leaderboard is based on our rockin' informal points system, read about it here.
Visit our blog

©2021 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?