SSL setup of application links

JUS November 8, 2019

While setting up app links between Confluence and Jira (and vice versa), we got this error: "<link> may be using a self-signed SSL certificate or a certificate that was issued by a certificate authority that isn't known locally."

We checked the following:

  • a wildcard cert (*.xyz.com) incl. CA chain was installed in the JRE keystores for jira.xyz.com:8443 (Jira SW) and jcon.xyz.com:8444 (Jira Confluence)
  • both server.xml files were configured to point to the built-in JRE keystore (above)
  • SSLPoke from jira->confluence and vice versa, e.g. by
    java -Djavax.net.ssl.trustStore=/opt/atlassian/jira/jira.jks SSLPoke jira.xyz.com 8443
    shows
    Successfully connected
  • no SSL errors shown in logs/catalina.out

Are there any other checks we can execute to test the SSL connection?

Many thanks

Jens-Uwe

2 answers

2 accepted

0 votes
Answer accepted
Anurag Jalan November 10, 2019

Hi @JUS,

You will need to import the Jira SSL certificate into the Confluence Java truststore called cacerts, usually located at <installation directory>/jre/lib/security.

Similarly, import the Confluence SSL certificate into the Jira Java truststore, again called cacerts.

After that, restart both services & try to establish Application Link again (make sure you are system admin on both).

I had a similar issue in the past. Following the above steps resolved the issue. It is about the Java of each application trusting the other's connection.

JUS November 11, 2019

Thanks, after fixing the cert issue (complete CA chain added, see above), app links are now established correctly on both sides.

Jens-Uwe

0 votes
Answer accepted
Alexis Robert
Community Leader
November 10, 2019

Hi @JUS,

From the error message, I'd say that it's something to do with an intermediate or root certificate. Are you sure that you imported the proper root CA into the keystore? I usually point to this doc for this: https://confluence.atlassian.com/kb/how-to-import-a-public-ssl-certificate-into-a-jvm-867025849.html

If you don't need SSL for your application links, I would suggest configuring a separate connector in server.xml just for this connection: https://confluence.atlassian.com/kb/how-to-bypass-a-reverse-proxy-or-ssl-in-application-links-719095724.html

Let me know if this helps,

--Alexis

JUS November 11, 2019

Indeed, after in-depth investigation, the previously imported cert was missing the cert chain. Including the complete chain in the pkcs12 and re-importing it into the keystore solved the problem. Many thanks, Jens-Uwe
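
The root cause found in this thread was a key entry imported without its CA chain. As an added example (not part of the original posts and not an Atlassian tool), the Java program below lists the certificate chain stored with each private-key entry of a keystore and checks that each certificate is signed by the next one; the class name ChainCheck and the STOREPASS environment variable are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example. ChainCheck and the STOREPASS variable are hypothetical names.
// Run: STOREPASS=... java ChainCheck /path/to/keystore [JKS|PKCS12]
public class ChainCheck {
    // True when 'cert' carries a valid signature made with the issuer's key.
    static boolean signedBy(Certificate cert, Certificate issuer) {
        try {
            cert.verify(issuer.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String pass = System.getenv("STOREPASS");
        if (args.length < 1 || pass == null) {
            System.err.println("usage: STOREPASS=... java ChainCheck <keystore> [type]");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args.length > 1 ? args[1] : KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass.toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0) continue; // trusted-cert entries have no chain
            System.out.println(alias + ": chain length " + chain.length);
            for (int i = 0; i < chain.length; i++) {
                X509Certificate c = (X509Certificate) chain[i]; // keystore chains are X.509
                boolean linked = i + 1 == chain.length || signedBy(c, chain[i + 1]);
                System.out.println("  [" + i + "] " + c.getSubjectX500Principal().getName()
                        + (linked ? "" : "  <-- not signed by the next entry"));
            }
            X509Certificate top = (X509Certificate) chain[chain.length - 1];
            String end = signedBy(top, top) ? "ends at a self-signed root"
                    : "ends below the root; issuer not in this entry: "
                      + top.getIssuerX500Principal().getName();
            System.out.println("  " + end);
        }
    }
}
```

A chain length of 1 for a CA-issued certificate means the server presents only the leaf, so a peer can validate it only if its own truststore already contains the issuing CA certificate.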
