
LDAPS fails with "No trusted certificate found"

betawayoflife
Champ on-the-rise

Hi,

Here's the LDAPS setup:

1.) Export Root-CA Cert to C:\etc\rootca.cer

2.) Create keystore:

E:\Alfresco6\java\bin\keytool -importcert -alias rootca -file "C:\etc\rootca.cer" -keystore "E:\Alfresco6\alf_data\keystore\rootca.keystore" -storepass xxxxx -storetype JCEKS

3.) LDAP Properties:

ldap.authentication.java.naming.provider.url=ldaps://dc01.domain.loc
ldap.authentication.truststore.path=${dir.keystore}/rootca.keystore
ldap.authentication.truststore.passphrase=xxxxx
ldap.authentication.truststore.type=JCEKS
ldap.authentication.java.naming.security.protocol=ssl

4.) Tomcat Settings:

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

See https://issues.alfresco.com/jira/browse/MNT-21030

So far so good... Now the strange thing.

If I restart Alfresco, the LDAP sync works for ~1 out of 10 tries... 9 tries fail with "No trusted certificate found".
Any ideas?

Here's the stack trace:

2020-04-29 08:07:53,486 INFO [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronizing users and groups with user registry 'ldap1'
 2020-04-29 08:07:53,533 INFO [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Retrieving groups changed since Apr 28, 2020, 8:09:42 PM from user registry 'ldap1'
 2020-04-29 08:07:54,095 ERROR [security.sync.ChainingUserRegistrySynchronizer] [localhost-startStop-1] Synchronization aborted due to error
 org.alfresco.error.AlfrescoRuntimeException: 03290001 Error during LDAP Search. Reason:null
 at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.processQuery(LDAPUserRegistry.java:1335)
 at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:713)
 at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncWithPlugin(ChainingUserRegistrySynchronizer.java:993)
 at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronizeInternal(ChainingUserRegistrySynchronizer.java:739)
 at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.access$16(ChainingUserRegistrySynchronizer.java:474)
 at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer$7.doWork(ChainingUserRegistrySynchronizer.java:2138)
 at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:623)
 at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.onBootstrap(ChainingUserRegistrySynchronizer.java:2132)
 at org.springframework.extensions.surf.util.AbstractLifecycleBean.onApplicationEvent(AbstractLifecycleBean.java:56)
 at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.onApplicationEvent(ChainingUserRegistrySynchronizer.java:2495)
 at org.springframework.context.event.SimpleApplicationEventMulticaster.doInvokeListener(SimpleApplicationEventMulticaster.java:172)
 at org.springframework.context.event.SimpleApplicationEventMulticaster.invokeListener(SimpleApplicationEventMulticaster.java:165)
 at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:139)
 at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:127)
 at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory$ChildApplicationContext.publishEvent(ChildApplicationContextFactory.java:569)
 at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:882)
 at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:549)
 at org.alfresco.repo.management.subsystems.ChildApplicationContextFactory$ApplicationContextState.start(ChildApplicationContextFactory.java:824)
 at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.start(AbstractPropertyBackedBean.java:1098)
 at org.alfresco.repo.management.subsystems.AbstractPropertyBackedBean.onApplicationEvent(AbstractPropertyBackedBean.java:637)
 at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEventInternal(SafeApplicationEventMulticaster.java:221)
 at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEvent(SafeApplicationEventMulticaster.java:186)
 at org.alfresco.repo.management.SafeApplicationEventMulticaster.multicastEvent(SafeApplicationEventMulticaster.java:206)
 at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:398)
 at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:355)
 at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:882)
 at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:549)
 at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:400)
 at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:291)
 at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:103)
 at org.alfresco.web.app.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:70)
 at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4770)
 at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5236)
 at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
 at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:754)
 at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:730)
 at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:734)
 at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:624)
 at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1834)
 at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
 at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
 at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
 at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
 at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: simple bind failed: domain.loc:636 [Root exception is javax.net.ssl.SSLHandshakeException: No trusted certificate found]]
 at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:237)
 at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(AbstractLdapNamingEnumeration.java:347)
 at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:227)
 at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMore(AbstractLdapNamingEnumeration.java:189)
 at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.processQuery(LDAPUserRegistry.java:1316)
 ... 43 more
Caused by: javax.naming.CommunicationException: simple bind failed: domain.loc:636 [Root exception is javax.net.ssl.SSLHandshakeException: No trusted certificate found]
 at java.naming/com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:96)
 at java.naming/com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:151)
 at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreReferrals(AbstractLdapNamingEnumeration.java:325)
 at java.naming/com.sun.jndi.ldap.AbstractLdapNamingEnumeration.hasMoreImpl(AbstractLdapNamingEnumeration.java:227)
 ... 47 more
Caused by: javax.net.ssl.SSLHandshakeException: No trusted certificate found
 at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
 at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
 at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
 at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
 at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:642)
 at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:461)
 at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:361)
 at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
 at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
 at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
 at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
 at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
 at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
 at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
 at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
 at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716)
 at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:970)
 at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)
 at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)
 at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:398)
 at java.naming/com.sun.jndi.ldap.Connection.writeRequest(Connection.java:371)
 at java.naming/com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
 at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
 at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2795)
 at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:320)
 at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
 at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:151)
 at java.naming/com.sun.jndi.url.ldap.ldapURLContextFactory.getObjectInstance(ldapURLContextFactory.java:52)
 at java.naming/javax.naming.spi.NamingManager.getURLObject(NamingManager.java:608)
 at java.naming/javax.naming.spi.NamingManager.processURL(NamingManager.java:385)
 at java.naming/javax.naming.spi.NamingManager.processURLAddrs(NamingManager.java:365)
 at java.naming/javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:337)
 at java.naming/com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:119)
 ... 50 more
Caused by: sun.security.validator.ValidatorException: No trusted certificate found
 at java.base/sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:411)
 at java.base/sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:135)
 at java.base/sun.security.validator.Validator.validate(Validator.java:264)
 at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:321)
 at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221)
 at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
 at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:626)
 ... 78 more
1 ACCEPTED ANSWER

Solved.

Because of bug MNT-21030 (mentioned in my first post), LDAPS uses "domain.loc:636" for the LDAP bind.

I only configured one DC with a correct certificate, but I've got 7 DCs running.
The DNS resolution for "domain.loc" is round-robin, so ~1/7 of the syncs were working.

Now I've configured all DCs and it's running fine.


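The accepted answer's diagnosis (one trusted DC out of seven behind a round-robin name, so roughly one sync in seven succeeds) can be confirmed from the Alfresco host without touching the repository. The script below is an added example, not code from the thread or from Alfresco: it resolves every address behind the name the JVM actually binds to, does one TLS handshake per address trusting only the exported root CA, and reports per address whether the chain verified and, separately, whether the certificate is valid for that name. The host name domain.loc, port 636 and the path C:\etc\rootca.cer are placeholders taken from the thread (assumptions, not values the page confirms for any real environment), and the exported CA file is assumed to be either DER or PEM.

```python
"""Probe every domain controller behind an LDAPS name.

Added diagnostic for the thread above; not part of Alfresco or of the original
posts. Host name, port and CA path are placeholders taken from the thread
(assumptions), and the exported CA file is assumed to be DER or PEM.
"""
from __future__ import annotations

import socket
import ssl
from dataclasses import dataclass


@dataclass
class ProbeResult:
    address: str       # the IP the round-robin name resolved to
    server_name: str   # the name the certificate was verified against
    ok: bool
    detail: str


def to_pem(cert_bytes: bytes) -> str:
    """Return the CA certificate as PEM.

    Certificates exported from Windows and from keytool are often DER; the ssl
    module needs PEM for `cadata`. PEM input is passed through unchanged.
    """
    if cert_bytes.lstrip().startswith(b"-----BEGIN"):
        return cert_bytes.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(cert_bytes)


def make_context(ca_pem: str) -> ssl.SSLContext:
    """Trust only the supplied root CA and keep hostname verification on.

    This is the same policy the JVM applies with a dedicated truststore and
    endpoint identification left enabled.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cadata=ca_pem)
    return ctx


def resolve_all(host: str, port: int) -> list[str]:
    """All addresses behind the name, de-duplicated, in resolver order.

    For a round-robin name this is one entry per DC; the JVM picks one of
    them for each connection, which is what made the sync intermittent.
    """
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    seen: dict[str, None] = {}
    for _family, _type, _proto, _canon, sockaddr in infos:
        seen.setdefault(sockaddr[0], None)
    return list(seen)


def probe(address: str, port: int, server_name: str,
          ctx: ssl.SSLContext, timeout: float = 3.0) -> ProbeResult:
    """One TLS handshake against one address, verified as `server_name`."""
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return ProbeResult(address, server_name, True,
                                   f"trusted, CN={subject.get('commonName')}")
    except ssl.SSLCertVerificationError as exc:
        # verify_message separates a chain problem ("unable to get local
        # issuer certificate", the JVM's "No trusted certificate found") from
        # a SAN problem ("Hostname mismatch ..."), which is the case that
        # disableEndpointIdentification=true silences.
        return ProbeResult(address, server_name, False,
                           f"certificate rejected: {exc.verify_message}")
    except OSError as exc:  # ssl.SSLError is an OSError too
        return ProbeResult(address, server_name, False,
                           f"connection failed: {exc}")


def probe_all(host: str, port: int, ca_path: str) -> list[ProbeResult]:
    """Handshake with every address behind `host`, verifying as `host`."""
    with open(ca_path, "rb") as fh:
        ctx = make_context(to_pem(fh.read()))
    return [probe(addr, port, host, ctx) for addr in resolve_all(host, port)]


def trusted_fraction(results: list[ProbeResult]) -> float:
    """Share of addresses that verified; with one good DC out of seven this
    is about 1/7, the success rate observed in the thread."""
    return sum(r.ok for r in results) / len(results) if results else 0.0


if __name__ == "__main__":
    # Placeholders from the thread: the referral target the JVM binds to
    # (domain.loc:636) and the root CA exported in step 1.
    results = probe_all("domain.loc", 636, r"C:\etc\rootca.cer")
    for r in results:
        print(f"{r.address:>15}  {'OK  ' if r.ok else 'FAIL'}  {r.detail}")
    print(f"{trusted_fraction(results):.0%} of addresses trusted")
```

Point it at the same root CA file that went into the JCEKS truststore. An address reported as `certificate rejected: unable to get local issuer certificate` is the OpenSSL wording for the JVM's "No trusted certificate found": that DC serves a chain that does not end at the imported root, which is the situation the accepted answer fixed by issuing certificates to all seven DCs. An address reported as `Hostname mismatch` is trusted but its certificate has no SAN for the name being bound to; that is the condition `-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true` hides, and since that flag switches hostname verification off for every LDAPS connection the JVM makes, it is worth knowing from this output whether the flag is actually needed or whether the DC certificates could carry the round-robin name instead.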
5 REPLIES

nadeaumr
Confirmed Champ

Hi,

I don't have an answer for you, but I just want to say that I've got the same problem. Sometimes the sync works, but most of the time it doesn't. Hope that someone will have a solution. I'll let you know if I find something.

My setup:

- Alfresco 6.0.1

- LDAPS with Windows Active Directory

Regards

Marc

betawayoflife
Champ on-the-rise

Anyone else have some ideas?

nadeaumr
Confirmed Champ

Hi,

For myself, it's been working without errors for 2 days now.

Here's what I did.

- Add this in Java: -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

- Import the root CA certificate into the keystore with keytool. Now the keystore contains the LDAPS certificate and the CA certificate.

Hope this helps you. I will leave this running for the next few days and see if it holds up.

Regards,

Marc

Hi,

I did it like this:

E:\Alfresco6\java\bin\keytool -importcert -alias domain.loc -file "C:\etc\rootca.cer" -keystore "E:\Alfresco6\alf_data\keystore\rootca.keystore" -storepass xxxxx -storetype JCEKS

In the Tomcat options i added this:

-Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true

My settings are like this:

ldap.authentication.java.naming.provider.url=ldaps://dc01.domain.loc:636
ldap.authentication.truststore.path=${dir.keystore}/rootca.keystore
ldap.authentication.truststore.passphrase=xxxxx
ldap.authentication.truststore.type=JCEKS
ldap.authentication.java.naming.security.protocol=ssl

Why do I need the LDAPS cert? Isn't the root cert enough?
The LDAPS cert is a new one every year in an Active Directory environment...

Thanks, Joe
