Hi All,
I am hosting JIRA in my private server on Azure. I need to run my JIRA site on HTTPS. I have installed SSL certificate in my server.
Also, followed steps which are required for HTTPS SSL connection to work. However, I am unable to fix the issue. My server is still showing as UNSECURED.
I checked out many blogs, Atlassian Community questions and posts, created a Java key store, imported the certificate into those key stores and a h**l lot of things, still unable to secure my server.
Can anyone help me? I need urgent help.
Thanks in Advance :)
Hi there,
If not already done, can you try on all the browsers (Edge, Firefox, Chrome, etc.)?
Hi Reneesh,
I tried it but unfortunately it is not working. I am still facing the same issue.
Please let me know @Reneesh Kottakkalathil if you can help me out. I need to secure my Jira server on an urgent basis.
1. Certs are configured in Windows 2016 Azure Virtual machine, and JIRA is installed in that Azure virtual machine.
2. Logs which might be helpful to you:
2020-11-16 11:46:32,791+0000 HealthCheck:thread-7 ERROR [c.a.t.j.healthcheck.support.GadgetFeedUrlHealthCheck] An error occurred when performing the Gadget feed URL healthcheck
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:262)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
    ... 26 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

2020-11-18 14:37:55,056+0000 HealthCheck:thread-3 ERROR [c.a.t.j.healthcheck.support.GadgetFeedUrlHealthCheck] An error occurred when performing the Gadget feed URL healthcheck
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <northview-jira.nvwonaz.com> doesn't match any of the subject alternative names: [*.nvwonaz.org, nvwonaz.org]
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
    at
3. I tried fetching the SAN names using the command below.
openssl s_client -connect website.com:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS:
But I am not getting the results.
Installing the root or chain certificate in the JDK certificate store may fix your issue.
Yes Reneesh, I imported the certificate into the cacerts store file.
Let me know if I need to do anything else. I am new to these things.
I think cacert is the default Java store. And I imported the certificate into this cacert file using the Portecle app.
Yes, cacert is the default Java store. Restart Jira and test again.
Yes, I did a couple of times. But no luck. Is there anything else that you suspect might be causing this issue?
Are you sure you're using the same JDK that is used by Jira to import the root cert?
That might be the issue. I am not sure.
How can we verify that?
Can you please help?
You can find the JDK path in the Jira startup logs.
Lakshay, any luck?
Hi @Reneesh Kottakkalathil
I can find the atlassian-jira.log file in my Jira directory.
Below are the details (there are a lot of details actually, I'm sending some imp. details):
Application Server : Apache Tomcat/8.5.57 - Servlet API 3.1
Java Version : 1.8.0_202 - AdoptOpenJdk
Current Working Directory : C:\Program Files\Atlassian\Jira\bin
JVM version is 1.8
Java Version = 1.8.0_202
Please let me know if anything else is required.
What is your Jira version? You don't see the JDK path in the logs? Can you send me the JDK path to which you imported the root cert?
Yes @Reneesh Kottakkalathil I will check and update you.
Also, today I got a reply from Atlassian support and they are suspecting some issue with the certificate.
What they are saying is that my Jira base URL is ending with ".com" while the certificate is issued for ".org".
For example: my Jira server URL is xxx.COM
However, the JIRA certificate is issued for: xxx.ORG
Can this be the cause? What do you think? Can you suggest something?
Thanks
Lakshay Arora
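Added example, not part of the original thread and not Atlassian's code: the two log errors quoted earlier are different failures, and this sketch classifies each one and checks a host name against the certificate's SAN list with a label-by-label wildcard match. The log lines are abridged from the thread, and `northview-jira.nvwonaz.org` is a hypothetical `.org` name for the same server, since the thread only gives "xxx.ORG".

```python
import re

# Constructed sample: the two error messages from the thread's logs, abridged.
LOG_LINES = [
    "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: "
    "PKIX path building failed: unable to find valid certification path to requested target",
    "javax.net.ssl.SSLPeerUnverifiedException: Certificate for <northview-jira.nvwonaz.com> "
    "doesn't match any of the subject alternative names: [*.nvwonaz.org, nvwonaz.org]",
]

MISMATCH = re.compile(r"Certificate for <([^>]+)> doesn't match any of the "
                      r"subject alternative names: \[([^\]]*)\]")


def san_matches(host, pattern):
    """Compare a host name with one dNSName entry, label by label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False  # a wildcard stands for exactly one label, never several
    if p[0] == "*":
        # Only a whole leftmost label may be a wildcard, and not directly on a TLD.
        return len(p) >= 3 and h[1:] == p[1:]
    return h == p


def diagnose(line):
    """Classify a Java TLS error line as a trust-chain or a host name problem."""
    m = MISMATCH.search(line)
    if m:
        host = m.group(1)
        sans = [s.strip() for s in m.group(2).split(",") if s.strip()]
        return {"kind": "hostname", "host": host, "sans": sans,
                "covered_by": [s for s in sans if san_matches(host, s)]}
    if "PKIX path building failed" in line:
        # The JVM's trust store lacks the issuing CA; the served name is not the issue.
        return {"kind": "trust-chain"}
    return {"kind": "unknown"}


if __name__ == "__main__":
    for line in LOG_LINES:
        print(diagnose(line))
    sans = diagnose(LOG_LINES[1])["sans"]
    # Hypothetical .org name for the same server (the thread only gives "xxx.ORG").
    for host in ("northview-jira.nvwonaz.com", "northview-jira.nvwonaz.org"):
        print(host, any(san_matches(host, s) for s in sans))
```

A "hostname" result with an empty `covered_by` list cannot be fixed by importing certificates into cacerts; either the server must be reached under a name the certificate lists, or the certificate must be reissued for the name in use.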
Yes. That could be possible as well.
Yes @Reneesh Kottakkalathil I am also thinking that. So, is it possible that if we change our Jira base URL to xxx.ORG
What do you say? Will it work? I think we need to make some DNS changes.
I have updated the record set in my private DNS zone.
I have deleted the record set from the old DNS zone, which was .COM, and created the same record set in the other DNS zone with .ORG.
Is that fine or do I need to configure some more details?
Your Jira URL must match what is in the Base URL.
Could you please elaborate?
I actually changed .com to .org. Is that fine?