Using a certificate for https access in AWS

I have (in the past) set up my company's Atlassian tools in AWS with a certificate via haproxy and all works well.

I am trying to set up the same for one of our clients.  They are using internal domain names only (i.e. *.local).  I have Crowd functioning with https securely.  And I can log onto Jira with a local admin account - again working well.  But when I try to configure the https based Crowd as a user directory I get:

    2017-12-18 00:18:24,907 HealthCheck:thread-7 ERROR ServiceRunner [c.a.j.p.healthcheck.support.BaseUrlHealthCheck] An error occurred when performing the Base URL healthcheck:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
     at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
     at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
     at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
     at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
     at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
     at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
     at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
     at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
     at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
     at com.atlassian.jira.plugins.healthcheck.support.BaseUrlHealthCheck.doCheck(BaseUrlHealthCheck.java:53)
     at com.atlassian.jira.plugins.healthcheck.support.AbstractSupportHealthCheck.check(AbstractSupportHealthCheck.java:23)
     at com.atlassian.support.healthcheck.impl.PluginSuppliedSupportHealthCheck.check(PluginSuppliedSupportHealthCheck.java:51)
     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
     at java.lang.Thread.run(Thread.java:745)
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

What can I do to get this working?

1 answer

0 vote

Hi David,

The first place I would start is by looking at your configuration on the Bamboo side and the article Unable to Connect to SSL Services due to PKIX Path Building Failed for some steps to test why this is occurring:

Use SSLPoke to verify connectivity

Try the Java class SSLPoke to see if your truststore contains the right certificates. This will let you connect to an SSL service, send a byte of input, and watch the output.

  1. Download SSLPoke.class
  2. Execute the class as per the below, changing the URL and port appropriately. Take care that you are running the same Java as what Confluence is running with. If you used the installer you will need to use <confluence-home>/jre/java

    $JAVA_HOME/bin/java SSLPoke jira.example.com 443

    (info) A mail server may be mail.example.com 465.

  • A failed connection would produce the below:

    $JAVA_HOME/bin/java SSLPoke jira.example.com 443
    sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
     at sun.security.validator.Validator.validate(Validator.java:260)
     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1351)
     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:156)
     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:925)
     at sun.security.ssl.Handshaker.process_record(Handshaker.java:860)
     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1043)
     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343)
     at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:728)
     at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
     at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
     at SSLPoke.main(SSLPoke.java:31)
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
     ... 15 more
  • A successful connection would look like this:

    $JAVA_HOME/bin/java SSLPoke jira.example.com 443
    Successfully connected

If -Djavax.net.ssl.trustStore is present in your JVM arguments, Java will use the keystore specified with that argument. You can verify whether the -Djavax.net.ssl.trustStore parameter is causing problems by running the SSLPoke test and specifying the same JVM argument to use that keystore. For example:

$JAVA_HOME/bin/java -Djavax.net.ssl.trustStore=/my/custom/truststore SSLPoke jira.example.com 443

If this fails (confirming the problem that the truststore doesn't contain the appropriate certificates), then the certificate will need to be imported into that truststore as per the instructions in Connecting to SSL Services.

Once you have gone through the diagnostics and determined the issue here's how you can resolve it based on what you find:

Resolution

  1. Make sure you have imported the public certificate of the target instance into the truststore according to the Connecting to SSL Services instructions.
  2. Make sure any certificates have been imported into the correct truststore; you may have multiple JRE/JDKs. See Installing Java for this.
  3. Check to see that the correct truststore is in use. If -Djavax.net.ssl.trustStore has been configured, it will override the location of the default truststore, which will need to be checked.
  4. Check if your Anti-Virus tool has "SSL Scanning" blocking SSL/TLS. If it does, disable this feature or set exceptions for the target addresses (check the product documentation to see if this is possible).
  5. If connecting to a mail server, such as Exchange, ensure authentication allows plain text.
  6. Verify that the target server is configured to serve SSL correctly. This can be done with the SSL Server Test tool.
  7. If all else fails, your truststore might be out of date. Upgrade Java to the latest version supported by your application.

Take a look at Unable to Connect to SSL Services due to PKIX Path Building Failed and let us know the outcome.

Cheers,

Branden
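The SSLPoke test above only tells you that path building failed, not why. The following is an added diagnostic of my own, not the SSLPoke class from the article and not part of the original answer: it performs the same handshake using the JVM's real default trust manager (so -Djavax.net.ssl.trustStore is honoured exactly as it would be by Jira), records the chain the server presented before validation runs, and on failure prints each certificate's subject and issuer together with whether any trust anchor in the loaded truststore actually issued the top of that chain. It also turns on HTTPS endpoint identification, which SSLPoke does not, so a name mismatch against an internal *.local hostname shows up here the same way it would in the Base URL health check. The class name `TrustPoke` and the host/port arguments are my choices; run it with the same java binary and JVM arguments as the Atlassian application.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * TrustPoke (hypothetical helper, not SSLPoke): connects like SSLPoke, but on failure
 * explains which link of the certificate chain the JVM truststore cannot anchor.
 *
 * Usage: $JAVA_HOME/bin/java [-Djavax.net.ssl.trustStore=...] TrustPoke crowd.corp.local 443
 */
public class TrustPoke {

    /** Delegates every trust decision to the JVM's real trust manager, but keeps the last server chain. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] lastChain = new X509Certificate[0];

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            lastChain = chain;                               // record first so the chain survives a failure
            delegate.checkServerTrusted(chain, authType);    // the real PKIX validation still decides
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** Same truststore resolution as the JVM default: -Djavax.net.ssl.trustStore if set, else cacerts. */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                           // null KeyStore => use the JVM default truststore
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) { System.err.println("usage: java TrustPoke <host> <port>"); System.exit(2); }
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        RecordingTrustManager recorder = new RecordingTrustManager(defaultTrustManager());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);

        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // Apache HttpClient (used by the health check) verifies the hostname; SSLPoke does not. Match HttpClient.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            System.out.println("Successfully connected (truststore holds "
                + recorder.getAcceptedIssuers().length + " trust anchors)");
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake failed: " + e.getMessage());
            report(recorder);
            System.exit(1);
        }
    }

    /** Prints the presented chain and whether the loaded truststore contains the issuer of its top certificate. */
    static void report(RecordingTrustManager recorder) {
        X509Certificate[] chain = recorder.lastChain;
        System.out.println("Server presented " + chain.length + " certificate(s):");
        for (int i = 0; i < chain.length; i++) {
            System.out.println("  [" + i + "] subject=" + chain[i].getSubjectX500Principal());
            System.out.println("      issuer =" + chain[i].getIssuerX500Principal());
        }
        if (chain.length == 0) return;                       // hostname mismatch or non-certificate failure

        X509Certificate top = chain[chain.length - 1];
        boolean anchored = false;
        for (X509Certificate anchor : recorder.getAcceptedIssuers()) {
            if (!anchor.getSubjectX500Principal().equals(top.getIssuerX500Principal())) continue;
            try {
                top.verify(anchor.getPublicKey());          // same name is not enough; the key must have signed it
                anchored = true;
                System.out.println("Trust anchor found: " + anchor.getSubjectX500Principal());
            } catch (Exception ignored) { /* same DN but a different key: not the issuer */ }
        }
        if (!anchored) {
            System.out.println("No certificate in this JVM's truststore issued '" + top.getIssuerX500Principal()
                + "'. Import that CA certificate into the truststore this JVM loads (keytool -importcert),"
                + " or fix the server so it sends the intermediate certificate if one is missing above.");
        }
    }
}
```

Two readings of the report are worth knowing. If the chain has one entry and its issuer is your internal intermediate CA, haproxy is serving the leaf without the intermediate; fixing the server-side PEM bundle is the right repair, not importing the leaf. If the top entry is the internal root CA and no anchor matches, that root is simply not in the truststore the JVM loaded, which is the case the answer's Resolution steps 1 to 3 address.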
