Participant
October 7, 2024
Question

CFLDAP "One or more of the required attributes may be..." when changing from CF2018 to CF2023


In the process of migrating sites from an environment that has ColdFusion 2018 to one that has ColdFusion 2023. The new environment has Java 17.0.6. The cacerts file has been copied over exactly from CF2018 to CF2023. This is not occurring on all sites that have an LDAP configuration, only some. Removed all restrictions in java.security. Not seeing anything at the time of failure in coldfusion-error.log. Able to access LDAP endpoints from an LDAP tool on the servers, so no blocking from the LDAP server end.


While I have not specifically retrieved the LDAP server certificate manually to import into the keystore, I am presuming that if it exists in the keystore and works in CF2018, there should not be a reason that it wouldn't work in CF2023.


    3 replies

    BKBK
    Community Expert
    October 7, 2024

    Could you share the full error message?

    Participant
    October 16, 2024

    Added it to the other comment, but:

    Thanks! This led me to finding the below error (I removed any information unique to this error entry, like the timestamp and IP):
    "
    javax.net.ssl|ERROR|F9 F4|ajp-nio-127.0.0.1-8022-exec-101|*****|TransportContext.java:363|Fatal (CERTIFICATE_UNKNOWN): No subject alternative names matching IP address ***** found (
    "throwable" : {
    java.security.cert.CertificateException: No subject alternative names matching IP address ***** found
    at java.base/sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:165)
    at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:101)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:456)

    "

    I cannot figure out why the CF2018 configuration is able to find the certificate for the URL from an IP but the CF2023 setup cannot. Any input would be great.


    As far as an immediate response, I updated all configured IPs for LDAP to be the URL instead, and that has resolved my issue for now, but I would love to get a root-cause understanding and resolution.

    Participant
    October 16, 2024

    The stacktrace following " java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:456)" might contain useful debugging hints.


    In any case, I would take the hint from the error. The message


    java.security.cert.CertificateException: No subject alternative names matching IP address ***** found


    suggests that the certificate should include the IP ***** as a subject alternative name value.


    I'll check the debugging hints.


    I am just trying to figure out where it is being set, because in the current CF2018 environment (inherited from others) the certs do not have the IP but are working with IP attempts.
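The failure quoted above is the TLS identity check, not a trust-store problem: when the client connects to an IP literal, Java's HostnameChecker only accepts an "IP Address" subject alternative name that matches exactly; a DNS name is matched against "DNS" SANs (with a single leftmost wildcard label), and the CN is not consulted. The following is an added example, not code from the thread, that reproduces that decision offline against constructed certificate dictionaries in the shape `ssl.SSLSocket.getpeercert()` returns, so you can predict whether a given CFLDAP server value (IP or hostname) will pass before changing configuration. The `fetch_peer_cert` helper and its host/port arguments are assumptions for pulling a live certificate to inspect; it is not exercised offline.

```python
"""Predict whether an LDAP endpoint identity passes SAN-based hostname verification.

Added example for the thread above; the certificates are constructed samples,
not real certificates from the poster's environment.
"""
import ipaddress
import socket
import ssl

# Constructed sample: certificate issued for the LDAP host name only (no IP SAN).
CERT_DNS_ONLY = {
    "subject": ((("commonName", "ldap.example.test"),),),
    "subjectAltName": (("DNS", "ldap.example.test"), ("DNS", "*.corp.example.test")),
}

# Constructed sample: the same certificate re-issued with an IP Address SAN added.
CERT_WITH_IP = {
    "subject": ((("commonName", "ldap.example.test"),),),
    "subjectAltName": (("DNS", "ldap.example.test"), ("IP Address", "192.0.2.10")),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, wildcard only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def endpoint_matches_cert(endpoint: str, cert: dict) -> tuple:
    """Return (ok, reason) for the identity check a TLS client performs.

    An IP literal endpoint can only be satisfied by an 'IP Address' SAN; a DNS
    name is matched against 'DNS' SANs. The subject CN is ignored, as in modern Java.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(endpoint)
    except ValueError:
        ip = None
    if ip is not None:
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"IP SAN {value} matches"
        # Same wording as the JDK error the poster saw.
        return False, f"No subject alternative names matching IP address {endpoint} found"
    for kind, value in sans:
        if kind == "DNS" and _dns_match(value, endpoint):
            return True, f"DNS SAN {value} matches"
    return False, f"No subject alternative DNS name matching {endpoint} found"


def fetch_peer_cert(host: str, port: int = 636) -> dict:
    """Assumed helper (not run offline): fetch the live LDAPS certificate with the
    identity check disabled but chain validation still on, so its SANs can be read.
    If this raises a verification error instead, the problem is trust (PKIX path),
    which is a different failure from the SAN mismatch discussed in the thread."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # inspect only; trust checks still apply
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for endpoint in ("192.0.2.10", "ldap.example.test", "app.corp.example.test"):
        print(endpoint, "->", endpoint_matches_cert(endpoint, CERT_DNS_ONLY))
```

Running it shows the asymmetry the poster observed: the hostname passes against the DNS-only certificate while the IP literal fails with the exact JDK message, and only the certificate with an IP Address SAN accepts the IP. Switching the CFLDAP server value to the hostname, as the poster did, is therefore the configuration fix; reissuing the certificate with an IP SAN is the alternative if IPs must be used.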

    Community Expert
    October 7, 2024

    I suspect CF 2023 won't just use your CF 2018 cacerts file and keystore as-is. I suggest you retrieve the certificate chain for the intermediate and root servers (in that order) using openssl.


    openssl s_client -showcerts -connect {your.cfldap.server}:636


    Copy the retrieved certificates from the command prompt and paste them in your cacerts file. Then try adding these arguments to jvm.config:


    -Djavax.net.debug=ssl,handshake,verbose -Djavax.net.ssl.trustStore=/path/to/your/jdk/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit


    I'm assuming you haven't changed your password yet, nobody bothers to do that. If you have changed it, change your jvm.config accordingly! You probably don't need the trustStore location in there, but it won't hurt.


    This should either fix your problem, or at least give you more information about your problem. Good luck!


    Dave Watts, Eidolon LLC
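The chain-retrieval step above leaves one manual task: pulling the individual certificates out of the `openssl s_client -showcerts` output and importing each into cacerts. The following is an added example, not code from the thread or from Adobe, that parses a constructed sample of that output, separates the leaf from the intermediate/root entries, builds the equivalent `keytool -importcert` invocations, and flags the common case where the server does not send its root (then the root must be obtained from the CA, not from the connection). The file names `chain-N.pem`, the alias scheme and the keystore path are assumptions; the commands are returned as argument lists rather than executed.

```python
"""Split `openssl s_client -showcerts` output into chain entries and build keytool imports.

Added example for the thread; SAMPLE_SHOWCERTS is a constructed, abbreviated
transcript with placeholder PEM bodies, not a real capture.
"""
import os
import re
from dataclasses import dataclass

SAMPLE_SHOWCERTS = """CONNECTED(00000003)
depth=1 C = US, O = Example Intermediate CA
verify return:1
---
Certificate chain
 0 s:CN = ldap.example.test
   i:C = US, O = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBleafPLACEHOLDERbodyNotARealCertificate==
-----END CERTIFICATE-----
 1 s:C = US, O = Example Intermediate CA
   i:C = US, O = Example Root CA
-----BEGIN CERTIFICATE-----
MIIBintermediatePLACEHOLDERbodyNotARealCertificate==
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ldap.example.test
"""


@dataclass
class ChainEntry:
    depth: int      # 0 = leaf, increasing towards the root
    subject: str
    issuer: str
    pem: str


_ENTRY_RE = re.compile(r"^\s*(\d+) s:(.*)$")
_ISSUER_RE = re.compile(r"^\s*i:(.*)$")


def parse_showcerts(text: str) -> list:
    """State machine over the transcript: header line, issuer line, then a PEM block."""
    entries, current, pem_lines = [], None, None
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            current = ChainEntry(int(m.group(1)), m.group(2).strip(), "", "")
            continue
        m = _ISSUER_RE.match(line)
        if m and current is not None and not current.issuer:
            current.issuer = m.group(1).strip()
            continue
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            pem_lines = [line]
            continue
        if pem_lines is not None:
            pem_lines.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                if current is not None:
                    current.pem = "\n".join(pem_lines) + "\n"
                    entries.append(current)
                current, pem_lines = None, None
    return entries


def missing_root(entries: list) -> bool:
    """True when the last certificate sent is not self-signed, i.e. the root was not sent."""
    return bool(entries) and entries[-1].subject != entries[-1].issuer


def trust_anchors(entries: list) -> list:
    """Intermediate and root entries are what belong in cacerts; the leaf is not needed."""
    return [e for e in entries if e.depth > 0]


def keytool_import_commands(entries: list, keystore: str, storepass: str = "changeit") -> list:
    """One keytool argv per trust anchor; file names chain-<depth>.pem are an assumption."""
    cmds = []
    for e in trust_anchors(entries):
        alias = re.sub(r"[^a-z0-9]+", "-", e.subject.lower()).strip("-")
        cmds.append(["keytool", "-importcert", "-noprompt", "-trustcacerts",
                     "-keystore", keystore, "-storepass", storepass,
                     "-alias", alias, "-file", f"chain-{e.depth}.pem"])
    return cmds


def write_chain(entries: list, directory: str) -> list:
    """Write each entry to <directory>/chain-<depth>.pem and return the paths."""
    paths = []
    for e in entries:
        path = os.path.join(directory, f"chain-{e.depth}.pem")
        with open(path, "w", encoding="ascii") as fh:
            fh.write(e.pem)
        paths.append(path)
    return paths


if __name__ == "__main__":
    chain = parse_showcerts(SAMPLE_SHOWCERTS)
    for e in chain:
        print(e.depth, "subject:", e.subject, "| issuer:", e.issuer)
    if missing_root(chain):
        print("root CA not sent by server; obtain it from the CA before importing")
    for argv in keytool_import_commands(chain, "/path/to/your/jdk/lib/security/cacerts"):
        print(" ".join(argv))
```

Feed it the real transcript (for example `parse_showcerts(open("showcerts.txt").read())`) and it produces the import commands against whichever cacerts the `-Djavax.net.ssl.trustStore` argument points at. Note that importing the chain fixes trust failures only; it does not change a SAN mismatch, which the debug logging from the jvm.config arguments above will show as a CERTIFICATE_UNKNOWN identity error rather than a path-building error.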
    Participant
    October 9, 2024

    Thanks! This led me to finding the below error (I removed any information unique to this error entry, like the timestamp and IP):
    "
    javax.net.ssl|ERROR|F9 F4|ajp-nio-127.0.0.1-8022-exec-101|*****|TransportContext.java:363|Fatal (CERTIFICATE_UNKNOWN): No subject alternative names matching IP address ***** found (
    "throwable" : {
    java.security.cert.CertificateException: No subject alternative names matching IP address ***** found
    at java.base/sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:165)
    at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:101)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:456)

    "

    I cannot figure out why the CF2018 configuration is able to find the certificate for the URL from an IP but the CF2023 setup cannot. Any input would be great.


    As far as an immediate response, I updated all configured IPs for LDAP to be the URL instead, and that has resolved my issue for now, but I would love to get a root-cause understanding and resolution.

    Participant
    October 7, 2024

    Should also mention this is on Windows Server 2022 Datacenter.