We have an internal Stash and JIRA environment working great. We decided that we want both of these to be delivered over SSL using a self-signed cert. As I have looked at it, I see that the process to do both of these is slightly different. I'd prefer the process to be similar for maintenance.

Documented Stash Process In A Nutshell

  1. $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore <stash-home>/conf/stash.jks
  2. Edit <stash-home>/conf/server.xml and add:
     <Connector port="8443"
       maxHttpHeaderSize="8192"
       SSLEnabled="true"
       maxThreads="150"
       minSpareThreads="25"
       maxSpareThreads="75"
       enableLookups="false"
       disableUploadTimeout="true"
       useBodyEncodingForURI="true"
       acceptCount="100"
       scheme="https"
       secure="true"
       clientAuth="false"
       sslProtocol="TLS"
       keystoreFile="<stash-home>/conf/stash.jks" />
  3. Comment out port 7990 config
  4. Restart Stash

I'd prefer the process to be more like the JIRA documentation. To wit: can I make the generated key alias "stash", then add something like the JIRA connector config parameters, modified below?

keystoreFile="<stash-home>/conf/stash.jks"
keyAlias="stash"
keystorePass="changeit"
keystoreType="JKS"

1 answer

1 accepted

Hi Patrick,

Although the docs may be slightly different, you can perfectly well use the options you are mentioning. Consider that Stash, like JIRA, runs on a Tomcat platform, so these options are common to the Tomcat connector.

Regards,

Gustavo Refosco

Great, I'm going to work out the processes and try to implement them within the next few days. I'll ping back here with the results!

Does setting up SSL only on Stash and JIRA have any effect on the application connection between Stash and JIRA?

Hi Patrick,

If the Application Link is already created, it must be re-created, using the new Base URLs of both apps. You also need to make sure they'll be able to communicate via SSL, so the proper certificates need to be imported into the truststore used by each app.

Regards,

Gustavo Refosco

Thanks Gustavo. Yes, I had the non-SSL HTTP environment working, including application links between Stash and JIRA. I got SSL working on both JIRA and Stash, and I went to Application Links and put the new https URL in after clicking Relocate. But both now say that the link is not responding. OK, seeing I've made my big SSL change, that would make sense. But I'm not sure how to import the proper certificates to enable this communication between the two apps. You say I need to do this in the truststore (keystore?) used by each of Stash and JIRA? I'm not sure how I do that. The environment -> each app uses the keystore called /opt/atlassian-common/atlassian.jks with only one key named either stash or jira. Could you advise what I need to do to get them communicating with each other?

Is the truststore different than the keystore?

Say for JIRA, I tried exporting the Stash cert from the Chrome that was connected to Stash, using Export-DER cert. Then, using Portecle, I imported it as a Trusted Certificate. Then I did the Examine SSL/TLS of the Stash system on port 8443, and this appeared to have worked fine as it showed me the cert from Stash. I did the same for Stash for the JIRA connection. Then I restarted both Stash and JIRA. I checked the app links but neither connects to the https URL. BTW, I can cut and paste the app links URL into a browser and it works. Next I tried the above with a cert exported from Portecle-Export-Head-DER. This also had the same result. So I think I'm still not able to get the Stash and JIRA servers to SSL with each other. What am I missing? Is the truststore different than the keystore?

Hi Patrick,

Yes, they are different. I'd like to point you to the document https://confluence.atlassian.com/display/FISHKB/PKIX+Path+Building+Failed+-+Cannot+Set+Up+Trusted+Applications+To+SSL+Services as it may help you import the certificates. It basically gives you steps on how to import your certs into your truststores. To clarify, you need to find out the JVM being used by each application, and then import the certs as needed into its truststore. You should be able to find out the JVM being used by each application in the app's Administration > Atlassian Support Tools > System Information. The default truststore for the JVM is then JAVA_HOME/jre/lib/security/cacerts - the default password for cacerts is "changeit".

Regards,

Gustavo Refosco

I did some searching and just found out that cacerts is the truststore, and had come back hoping you had a clearer answer. You did, and with your info I hopefully will locate the truststore and import the certs. I will ping back when I have tried it!

OK, that did it. The SSLPoke really helped (gonna keep that one handy...). We use Oracle Java so the truststore is /usr/java/default/jre/lib/security/cacerts. I noticed that I didn't have to restart Stash and JIRA once I got the certs imported. Either exported cert works (exported in Portecle or Chrome). Thanks Gustavo!
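
The truststore import that resolved this thread, written out with keytool as an added example; it is not part of any participant's post or of Atlassian's documentation. The keystore and cacerts paths, the stash/jira aliases and the "changeit" password are the ones quoted above, while the script name and function names are hypothetical.

```shell
#!/bin/sh
# Added example: export one app's certificate and trust it in the peer's JVM.
# Defaults below are the values quoted in the thread; override via environment.
KEYSTORE=${KEYSTORE:-/opt/atlassian-common/atlassian.jks}             # app's own key pair
TRUSTSTORE=${TRUSTSTORE:-/usr/java/default/jre/lib/security/cacerts}  # certs the JVM trusts
KEYSTORE_PASS=${KEYSTORE_PASS:-changeit}
TRUSTSTORE_PASS=${TRUSTSTORE_PASS:-changeit}

# export_cert ALIAS FILE: write the public certificate only (no private key) as PEM.
export_cert() {
    keytool -exportcert -rfc -alias "$1" -file "$2" \
        -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASS"
}

# has_alias ALIAS: true if the truststore already has an entry under ALIAS.
has_alias() {
    keytool -list -alias "$1" -keystore "$TRUSTSTORE" \
        -storepass "$TRUSTSTORE_PASS" >/dev/null 2>&1
}

# trust_cert ALIAS FILE: import the peer's certificate; re-running is a no-op.
trust_cert() {
    if has_alias "$1"; then
        echo "alias '$1' already in $TRUSTSTORE; delete it first to replace" >&2
        return 0
    fi
    keytool -importcert -noprompt -alias "$1" -file "$2" \
        -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS"
}

# is_trusted ALIAS: true only if ALIAS is a trustedCertEntry (a certificate
# without a private key), which is what a truststore entry should be.
is_trusted() {
    keytool -list -alias "$1" -keystore "$TRUSTSTORE" \
        -storepass "$TRUSTSTORE_PASS" 2>/dev/null | grep -q 'trustedCertEntry'
}

# Usage: on the Stash host  ./trust-peer.sh export stash stash.pem
#        on the JIRA host   ./trust-peer.sh trust  stash stash.pem  (then the reverse)
case "${1:-}" in
    export) export_cert "$2" "$3" ;;
    trust)  trust_cert "$2" "$3" && is_trusted "$2" ;;
esac
```

Because `-noprompt` skips the interactive confirmation, check the file's fingerprint with `keytool -printcert -file stash.pem` against the one the server presents before importing it.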
