JENKINS-53859

Login fails consistently with "No subject alternative DNS name matching login.microsoftonline.com found"


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Done
    • Component/s: azure-ad-plugin
    • Labels:
      None
    • Environment:
      Docker image: "FROM jenkins/jenkins:lts".
      Runs on Debian GNU/Linux 9 (stretch).
      Description

      Jenkins installation has been running fine for a few months, using Azure AD version 0.3.1. Suddenly (first failure encountered on 30-SEP-2018 - was definitely working on 28-SEP-2018) all logins through Azure SSO fail with the "Oops!" Jenkins error and error message "java.security.cert.CertificateException: No subject alternative DNS name matching login.microsoftonline.com found."

      Full stack trace is attached as "StackTrace.txt".

      The Azure SSO account used for login works fine on the Azure portal and another internal site, so I do not suspect that the user account is the problem. I would suspect either an expired certificate somewhere or perhaps a policy change based on the current time?

          Activity

          azure_devops Azure DevOps added a comment -

          investigating

          oletolshave Ole Tolshave added a comment -

          I am so sorry! This was due to a configuration error on our side.

          What happened was that a NAT rule was set up on the docker host running Jenkins. This had the effect of redirecting HTTPS traffic for all docker containers. When logging on with the Azure AD plugin the outbound request for https://login.microsoftonline.com ended up at the wrong host, which caused the "No subject alternative DNS name matching login.microsoftonline.com found." The wrong target host actually had HTTPS running, but of course using a different certificate.

          I fixed the NAT rule on the host and Azure AD logon works again!

          So this issue can be closed. I apologize for wasting anyone's time.

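The check that produced the error in this issue is JSSE's endpoint identification, which compares the requested hostname against the certificate's dNSName subject alternative name entries; because the DNAT rule delivered the connection to another server, the certificate it returned carried that server's names and the comparison failed. The following is an added example, not code from the issue or from the azure-ad-plugin: it reimplements that comparison in Python, runs it over a constructed certificate standing in for the one the redirected connection received, and includes a probe that reports which SAN entries the server answering for login.microsoftonline.com actually presents. The certificate contents and the name intranet.example.internal are made up for the example.

```python
"""Reproduce and diagnose JSSE's "No subject alternative DNS name matching <host> found".

Added example, not code from the issue or from the azure-ad-plugin. The
certificate dicts below are constructed in the shape Python's
ssl.SSLSocket.getpeercert() returns; they are not copies of any real certificate.
"""
import socket
import ssl
import sys

# Constructed: what a redirected connection might receive, i.e. a certificate
# issued for an unrelated internal host.
WRONG_HOST_CERT = {
    "subject": ((("commonName", "intranet.example.internal"),),),
    "subjectAltName": (
        ("DNS", "intranet.example.internal"),
        ("DNS", "*.example.internal"),
    ),
}

# Constructed: a certificate whose SAN entries do cover the login endpoint.
EXPECTED_CERT = {
    "subject": ((("commonName", "login.microsoftonline.com"),),),
    "subjectAltName": (
        ("DNS", "login.microsoftonline.com"),
        ("DNS", "*.login.microsoftonline.com"),
    ),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname, RFC 6125 style.

    Comparison is case-insensitive and label-by-label. A wildcard is honoured
    only as the entire left-most label, never spans a dot, and must leave at
    least two literal labels so that "*.com" cannot match "example.com".
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "" in p_labels or "" in h_labels or len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_san(cert: dict, hostname: str) -> tuple[bool, list[str]]:
    """Return (matched, dns_names) for the dNSName entries of a getpeercert() dict.

    As in JSSE, only dNSName entries are consulted; the subject CN fallback
    that applies when a certificate has no SAN extension is not modelled.
    """
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(name, hostname) for name in dns_names), dns_names


def explain(cert: dict, hostname: str) -> str:
    """Produce the message JSSE's HostnameChecker raises, plus what was actually seen."""
    matched, dns_names = check_san(cert, hostname)
    if matched:
        return f"ok: {hostname} is covered by SAN {dns_names}"
    return (f"No subject alternative DNS name matching {hostname} found. "
            f"Certificate SANs were {dns_names}; something between this host and "
            f"{hostname} is answering with another server's certificate.")


def probe(hostname: str, port: int = 443, timeout: float = 10.0) -> str:
    """Connect with chain validation on but hostname checking off, so the
    certificate the server presents can be inspected instead of aborting on it.

    A DNAT rule on the Docker host rewrites the destination without the
    container noticing: getpeername() still reports the original address, so
    the SAN list, not the peer IP, is the symptom to look at.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # we want to see the mismatch, not die on it
    ctx.verify_mode = ssl.CERT_REQUIRED  # getpeercert() is only populated when the chain verifies
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            peer = tls.getpeername()[0]
            cert = tls.getpeercert()
    return f"peer {peer}: " + explain(cert, hostname)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "login.microsoftonline.com"
    try:
        print(probe(target))
    except ssl.SSLCertVerificationError as err:
        # The chain did not verify at all: an intercepting host presenting a
        # self-signed or private-CA certificate rather than a hostname mismatch.
        print(f"chain verification failed for {target}: {err}")
```

Run the module with the hostname as its argument from inside the affected container, since that is where the redirected route applies; an "ok" line means the TLS path is clean and the problem lies elsewhere, while a SAN list naming some other machine is the same symptom the reporter saw. The redirection itself is confirmed on the Docker host with `iptables -t nat -S`, where a rule rewriting destination port 443 for the container network will show up.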

            People

            • Assignee: jieshe Jie Shen
            • Reporter: oletolshave Ole Tolshave
            • Votes: 0
            • Watchers: 2
