Hello all,
we have read and implemented
https://confluence.atlassian.com/doc/running-confluence-over-ssl-or-https-161203.html
We are running Jira and Confluence on one VM with two NICs:
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.1.13 netmask 255.255.255.0 broadcast 10.10.1.255
ether 00:0c:29:e7:b7:71 txqueuelen 1000 (Ethernet)
RX packets 1381613 bytes 362204221 (345.4 MiB)
RX errors 0 dropped 11 overruns 0 frame 0
TX packets 1812036 bytes 313669051 (299.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens192:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.1.10 netmask 255.255.255.0 broadcast 10.10.1.255
ether 00:0c:29:e7:b7:71 txqueuelen 1000 (Ethernet)
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 4413 bytes 707965 (691.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4413 bytes 707965 (691.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 52:54:00:9a:d4:5d txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Jira is running fine (over SSL) on address 10.10.1.13, but when we try to access Confluence on 10.10.1.10, Tomcat is using Jira's security certificate.
We have correctly set DNS entries for Jira and for Confluence:
[root@jira logs]# nslookup jira.git
Server: 10.10.1.1
Address: 10.10.1.1#53
Non-authoritative answer:
Name: jira.git
Address: 10.10.1.13
[root@jira logs]# nslookup confluence.git
Server: 10.10.1.1
Address: 10.10.1.1#53
Non-authoritative answer:
Name: confluence.git
Address: 10.10.1.10
We have implemented firewalld rules that allow ports 8080 and 8443 (for Jira) and 8090 and 8443 (for Confluence). We have also implemented port forwarding on firewalld from port 80 to port 8080 and, respectively, 443 to 8443 for both zones:
[root@jira logs]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources:
services: cockpit dhcpv6-client http https ssh
ports: 8080/tcp 8081/tcp 8443/tcp
protocols:
masquerade: yes
forward-ports: port=80:proto=tcp:toport=8080:toaddr=
port=443:proto=tcp:toport=8443:toaddr=
source-ports:
icmp-blocks:
rich rules:
[root@jira logs]# firewall-cmd --zone=work --list-all
work (active)
target: default
icmp-block-inversion: no
interfaces: ens192:0
sources:
services: cockpit dhcpv6-client ssh
ports: 8090/tcp 8443/tcp
protocols:
masquerade: yes
forward-ports: port=80:proto=tcp:toport=8090:toaddr=
port=443:proto=tcp:toport=8443:toaddr=
source-ports:
icmp-blocks:
rich rules:
We have issued SSL certificates for both Jira (running on 10.10.1.13) and Confluence (running on 10.10.1.10) from our internal authority.
The current behavior is that when we are trying to reach Confluence on https://confluence.git, we are getting the certificate from Jira. The message is that the certificate was issued for a different hostname/IP, and when we look into the certificate, it really tells the browser that it is for Jira's IP address and DNS entry.
Has anyone seen this before? What are we doing wrong?
Please let me know if you need any more specific details.
Where did you install the certificates?
Hi Nic,
first of all, thanks a bunch for a quick reply.
The certificate is installed in /opt/atlassian/confluence/confluence.jks:
[root@jira confluence]# keytool -list -keystore confluence.jks -storepass <PASSWORD> -v
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: confluence.git
Creation date: Sep 9, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: EMAILADDRESS=jan.daniel@osc.cz, CN=confluence.git, CN=Jan Daniel, OU=server confluence, O="OSC, a.s.", L=Brno, ST=Czech Republic, C=CZ
Issuer: CN=OSC-CA, DC=osc, DC=local
Serial number: 4f0000009430d45c135253730d000000000094
Valid from: Wed Sep 09 15:49:43 CEST 2020 until: Sun Mar 20 14:52:21 CET 2022
Certificate fingerprints:
SHA1: 55:CE:AE:CA:28:20:4B:47:BD:87:DB:73:8A:18:74:AE:8D:CE:01:E6
SHA256: 11:21:48:E6:E1:E4:6A:BA:96:70:21:F3:55:84:11:71:EE:DC:F4:56:8F:BE:C4:98:19:FF:15:D3:32:08:22:2C
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
0000: 1E 12 00 57 00 65 00 62 00 53 00 65 00 72 00 76 ...W.e.b.S.e.r.v
0010: 00 65 00 72 .e.r
#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: ldap:///CN=OSC-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=osc,DC=local?cACertificate?base?objectClass=certificationAuthority
]
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: B8 7E 56 87 C6 CE 5C 4E BB B2 3D DC 1A 8B 21 F4 ..V...\N..=...!.
0010: 22 87 97 B5 "...
]
]
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: ldap:///CN=OSC-CA,CN=Sx2,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=osc,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint]
]]
#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
#6: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: confluence
DNSName: confluence.git
IPAddress: 10.10.1.10
]
#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 08 A3 0C 63 2C 10 E4 10 BE 74 7F 95 FF 08 DA 63 ...c,....t.....c
0010: 1D 94 E9 D0 ....
]
]
Certificate[2]:
Owner: CN=OSC-CA, DC=osc, DC=local
Issuer: CN=OSC-CA, DC=osc, DC=local
Serial number: 4ec85b16dd1deab3486e4dfa40b0876f
Valid from: Mon Mar 20 14:42:21 CET 2017 until: Sun Mar 20 14:52:21 CET 2022
Certificate fingerprints:
SHA1: 9B:AA:44:5F:F9:66:3A:A7:C8:72:A0:66:C3:F9:81:E0:20:5D:38:CB
SHA256: 67:1C:9F:D8:A2:8A:78:AF:01:29:82:46:6A:4B:A2:B2:17:A9:08:4E:3F:85:FE:30:04:83:74:18:DD:7E:35:92
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
0000: 1E 04 00 43 00 41 ...C.A
#2: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
0000: 02 01 00 ...
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#4: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B8 7E 56 87 C6 CE 5C 4E BB B2 3D DC 1A 8B 21 F4 ..V...\N..=...!.
0010: 22 87 97 B5 "...
]
]
*******************************************
*******************************************
Do you need any more details?
Thanks again,
Tomas
UPDATE:
I took a look at the Jira SSL configuration on the other NIC and I figured I'll have to add the root CA as well. I have done that and now the keystore looks like this:
[root@jira confluence]# keytool -list -keystore confluence.jks -storepass <PASSWORD> -v
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: confluence.git
Creation date: Sep 11, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: EMAILADDRESS=jan.daniel@osc.cz, CN=confluence.git, CN=Jan Daniel, OU=server confluence, O="OSC, a.s.", L=Brno, ST=Czech Republic, C=CZ
Issuer: CN=OSC-CA, DC=osc, DC=local
Serial number: 4f00000095bfb1c796bbc369ed000000000095
Valid from: Fri Sep 11 09:26:55 CEST 2020 until: Sun Mar 20 14:52:21 CET 2022
Certificate fingerprints:
SHA1: 89:6F:25:D9:1D:70:11:A2:4E:C5:E2:44:C6:87:11:D3:50:30:F2:44
SHA256: 6D:CA:3E:D1:B8:E0:73:35:D5:DE:5D:E6:4A:D3:08:15:97:FB:8C:11:77:E2:2D:5E:01:E8:D4:47:62:6F:4C:78
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
0000: 1E 12 00 57 00 65 00 62 00 53 00 65 00 72 00 76 ...W.e.b.S.e.r.v
0010: 00 65 00 72 .e.r
#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: ldap:///CN=OSC-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=osc,DC=local?cACertificate?base?objectClass=certificationAuthority
]
]
#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: B8 7E 56 87 C6 CE 5C 4E BB B2 3D DC 1A 8B 21 F4 ..V...\N..=...!.
0010: 22 87 97 B5 "...
]
]
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: ldap:///CN=OSC-CA,CN=Sx2,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=osc,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint]
]]
#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
#6: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: confluence
DNSName: confluence.git
IPAddress: 10.10.1.10
]
#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 08 A3 0C 63 2C 10 E4 10 BE 74 7F 95 FF 08 DA 63 ...c,....t.....c
0010: 1D 94 E9 D0 ....
]
]
Certificate[2]:
Owner: CN=OSC-CA, DC=osc, DC=local
Issuer: CN=OSC-CA, DC=osc, DC=local
Serial number: 4ec85b16dd1deab3486e4dfa40b0876f
Valid from: Mon Mar 20 14:42:21 CET 2017 until: Sun Mar 20 14:52:21 CET 2022
Certificate fingerprints:
SHA1: 9B:AA:44:5F:F9:66:3A:A7:C8:72:A0:66:C3:F9:81:E0:20:5D:38:CB
SHA256: 67:1C:9F:D8:A2:8A:78:AF:01:29:82:46:6A:4B:A2:B2:17:A9:08:4E:3F:85:FE:30:04:83:74:18:DD:7E:35:92
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
0000: 1E 04 00 43 00 41 ...C.A
#2: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
0000: 02 01 00 ...
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#4: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B8 7E 56 87 C6 CE 5C 4E BB B2 3D DC 1A 8B 21 F4 ..V...\N..=...!.
0010: 22 87 97 B5 "...
]
]
*******************************************
*******************************************
Alias name: oscrootca
Creation date: Sep 11, 2020
Entry type: trustedCertEntry
Owner: CN=OSC-CA, DC=osc, DC=local
Issuer: CN=OSC-CA, DC=osc, DC=local
Serial number: 4ec85b16dd1deab3486e4dfa40b0876f
Valid from: Mon Mar 20 14:42:21 CET 2017 until: Sun Mar 20 14:52:21 CET 2022
Certificate fingerprints:
SHA1: 9B:AA:44:5F:F9:66:3A:A7:C8:72:A0:66:C3:F9:81:E0:20:5D:38:CB
SHA256: 67:1C:9F:D8:A2:8A:78:AF:01:29:82:46:6A:4B:A2:B2:17:A9:08:4E:3F:85:FE:30:04:83:74:18:DD:7E:35:92
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
0000: 1E 04 00 43 00 41 ...C.A
#2: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
0000: 02 01 00 ...
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#4: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B8 7E 56 87 C6 CE 5C 4E BB B2 3D DC 1A 8B 21 F4 ..V...\N..=...!.
0010: 22 87 97 B5 "...
]
]
*******************************************
*******************************************
I have also found out that when I connect to Jira and look into the certificates received, there are two certificates. One is from the Jira server, the other one is from ESET. We are probably running some MITM-based SSL interception solution internally. I have to talk to our network folks.
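Added diagnostic script for the two questions this thread raises (the Confluence IP serving Jira's certificate in the first post, and the unexpected ESET certificate in the update). It is not from Tomas, Nic or Atlassian. Both firewalld zones forward 443 to the local port 8443, so the application that answers for 10.10.1.10 is whichever Tomcat process actually holds 8443 for that address; a Tomcat HTTPS Connector with no address attribute binds every local address, and the second instance to start then cannot bind that port at all. The script parses ss -ltnpH to report wildcard binds on 8443, lists the port and address of every Connector in each server.xml, fetches the leaf certificate each IP serves when the client sends the matching SNI name and checks that its SAN (DNS:confluence.git and IP Address:10.10.1.10 in the keytool output above) covers that name, and dumps the whole presented chain with SHA256 fingerprints so an interception proxy's CA shows up as a root that is not OSC-CA. Assumptions: the server.xml paths (the Confluence one follows the /opt/atlassian/confluence directory from the thread, the Jira one is a guess), OpenSSL 1.1.1 or newer for x509 -ext, and root so that ss -p shows the owning PID. The OSC-CA fingerprint is the one keytool printed. Nothing on the host is modified, and the network checks only run with --live.

```shell
#!/bin/sh
# Added diagnostic script for this thread; not from the original posts or from
# Atlassian. Assumptions: two Tomcat instances on one host, server.xml at the
# paths below (Confluence's follows /opt/atlassian/confluence from the thread,
# Jira's is a guess), openssl 1.1.1+ (for `x509 -ext`), root for `ss -p`.
# The live checks run only with --live; nothing on the host is modified.
CONF_XML=${CONF_XML:-/opt/atlassian/confluence/conf/server.xml}
JIRA_XML=${JIRA_XML:-/opt/atlassian/jira/conf/server.xml}
# SHA256 of OSC-CA as printed by keytool in the thread.
OSC_CA_SHA256='67:1C:9F:D8:A2:8A:78:AF:01:29:82:46:6A:4B:A2:B2:17:A9:08:4E:3F:85:FE:30:04:83:74:18:DD:7E:35:92'

# 1. Who holds the port? Reads `ss -ltnpH` lines on stdin and prints
#    "<addr> <port> <pid> <wildcard|specific>"; exit 1 if any listener is bound
#    to the wildcard address, i.e. it answers on every local IP and a second
#    Tomcat on the same port for the other IP cannot bind at all.
summarize_listeners() {
  awk '{
    n = split($4, a, ":"); port = a[n]
    addr = substr($4, 1, length($4) - length(port) - 1)
    pid = "?"; if (match($6, /pid=[0-9]+/)) pid = substr($6, RSTART + 4, RLENGTH - 4)
    wild = (addr == "*" || addr == "0.0.0.0" || addr == "[::]") ? "wildcard" : "specific"
    if (wild == "wildcard") w = 1
    print addr, port, pid, wild
  } END { exit (w ? 1 : 0) }'
}

# 2. What does server.xml ask Tomcat to bind? A Connector with no address
#    attribute listens on all addresses (shown as "*"). XML comments are
#    dropped first so the commented-out sample connectors are not reported.
connector_binds() {
  awk 'function attr(tag, name,   m) {
    if (!match(tag, " " name "=\"[^\"]*\"")) return ""
    m = substr(tag, RSTART, RLENGTH); sub(/^[^"]*"/, "", m); sub(/"$/, "", m); return m
  }
  { gsub(/[\t\r]/, " "); s = s $0 " " }
  END {
    while ((i = index(s, "<!--")) > 0) {
      j = index(substr(s, i), "-->"); if (j == 0) break
      s = substr(s, 1, i - 1) substr(s, i + j + 2)
    }
    while ((i = index(s, "<Connector")) > 0) {
      s = substr(s, i); j = index(s, ">"); if (j == 0) break
      c = substr(s, 1, j); s = substr(s, j + 1)
      addr = attr(c, "address")
      line = "port=" attr(c, "port") " address=" (addr == "" ? "*" : addr)
      print line
    }
  }' "$1"
}

# 3. Does a SAN block (`openssl x509 -ext subjectAltName` output on stdin)
#    cover NAME, either as a DNS entry or as an IP address entry?
san_covers() {
  tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF -e "DNS:$1" -e "IP Address:$1"
}

# 4. The leaf certificate that IP $1 really serves when the client sends SNI $2.
served_cert() {
  openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -fingerprint -sha256 -ext subjectAltName
}

# 5. The whole chain as presented on the wire. The last certificate should be
#    OSC-CA; any other root (e.g. an ESET interception proxy's own CA) means the
#    TLS session was terminated before it reached Tomcat.
served_chain() {
  d=$(mktemp -d) || return 1
  openssl s_client -connect "$1:443" -servername "$2" -showcerts </dev/null 2>/dev/null |
    awk -v d="$d" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", d, n) }
                   f { print > f }
                   /-----END CERTIFICATE-----/ { close(f); f = "" }'
  for f in "$d"/*.pem; do
    [ -f "$f" ] || continue
    openssl x509 -noout -subject -issuer -in "$f"
    fp=$(openssl x509 -noout -fingerprint -sha256 -in "$f" | sed 's/^[^=]*=//')
    [ "$fp" = "$OSC_CA_SHA256" ] && echo "  $fp  <- expected OSC-CA" || echo "  $fp"
  done
  rm -rf "$d"
}

# Live run on the Jira/Confluence VM:  sh tls-diag.sh --live
if [ "${1-}" = "--live" ]; then
  for x in "$JIRA_XML" "$CONF_XML"; do echo "== Connectors in $x"; connector_binds "$x"; done
  echo "== Listeners on 8443"
  ss -ltnpH 'sport = :8443' | summarize_listeners ||
    echo "!! 8443 is bound on all addresses: one Tomcat answers for both 10.10.1.13 and 10.10.1.10"
  for pair in "10.10.1.13 jira.git" "10.10.1.10 confluence.git"; do
    set -- $pair
    echo "== $2 via $1"; leaf=$(served_cert "$1" "$2"); printf '%s\n' "$leaf"
    printf '%s\n' "$leaf" | san_covers "$2" && echo "OK: SAN covers $2" || echo "!! SAN does not cover $2"
    echo "-- chain"; served_chain "$1" "$2"
  done
fi
```

If summarize_listeners reports a wildcard bind for 8443, only one Tomcat owns the port and both hostnames land on it regardless of DNS or firewalld zones; the fix on the Tomcat side is a distinct address attribute (or a distinct port) on each HTTPS Connector, which connector_binds makes visible. If served_chain ends in a root other than OSC-CA, the browser is talking to the interception proxy, not to Tomcat, and the certificate the proxy chooses to present is outside the VM's control.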