Environment
GroupWise 18
Situation
GroupWise is configured with an LDAP connection using SSL. The LDAP sync fails with no obvious error message in the MTA log. In the LDAP Directory configuration screen, clicking on Test Connection fails with a generic error message. The SSL certificate is not expired.
Resolution
Ensure the LDAP server uses a valid certificate that has the proper host name in its Subject Alternative Names field.
Cause
Due to recent changes in Java, the handshake fails by default if the address used to connect to the LDAP server does not match the CN or the Subject Alternative Names of the LDAP server certificate.
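The matching rule described above, as an added diagnostic example (not GroupWise or Java code): it compares the address in an ldaps:// URL with a certificate's names using simplified RFC 2818-style rules. The function names, the host name ldap.example.com and the sample certificates are assumptions constructed for illustration; the certificate layout is the dict format of Python's ssl.SSLSocket.getpeercert().

```python
import ipaddress
from urllib.parse import urlsplit

def _dns_match(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_ldaps_identity(url, cert):
    """Return (ok, reason) for the address in an ldaps:// URL against a certificate."""
    host = urlsplit(url).hostname
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal can only match an iPAddress SAN entry, never a DNS name or the CN.
        ips = [v for k, v in sans if k == "IP Address"]
        if any(ipaddress.ip_address(v) == ip for v in ips):
            return True, "IP SAN match"
        return False, f"no SAN matching IP address {host}"
    dns = [v for k, v in sans if k == "DNS"]
    if dns:
        ok = any(_dns_match(v, host) for v in dns)
        return ok, "DNS SAN match" if ok else f"no SAN matching DNS name {host}"
    # Assumption: the CN is consulted only when the certificate has no DNS SAN (RFC 2818).
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    ok = any(_dns_match(v, host) for v in cns)
    return ok, "CN match" if ok else f"CN does not match {host}"

# Constructed sample certificates (not taken from a real server).
CERT_DNS_ONLY = {"subject": ((("commonName", "ldap.example.com"),),),
                 "subjectAltName": (("DNS", "ldap.example.com"),)}
CERT_WITH_IP = {"subject": ((("commonName", "ldap.example.com"),),),
                "subjectAltName": (("DNS", "ldap.example.com"),
                                   ("IP Address", "10.0.0.52"))}

if __name__ == "__main__":
    for url in ("ldaps://10.0.0.52:636/", "ldaps://ldap.example.com:636/"):
        for label, cert in (("DNS-only", CERT_DNS_ONLY), ("DNS+IP", CERT_WITH_IP)):
            print(url, label, check_ldaps_identity(url, cert))
```

With the DNS-only sample certificate, connecting by IP address fails while connecting by host name succeeds, which is why either the configured address or the certificate's Subject Alternative Names must change.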
Additional Information
With the log level of the gwadminservice set to debug, the following error message will be observed in the gwadmin-console.log file:
2018-09-26 14:03:12 LdapServer [DEBUG] Creating LDAP connection at ldaps://10.0.0.52:636/
2018-09-26 14:03:12 LdapServer [FATAL] Error building connection to ldap server 'ROOT'
javax.naming.CommunicationException: 10.0.0.52:636
and further down after the Java error information:
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 10.0.0.52 found