Crowd 2.12 with https and self-signed certificate?

Hello,

 

is it possible to set up Crowd Server 2.12 with https and a self-signed certificate?

 

I'm trying to set up my Atlassian apps (Jira, Confluence, Crucible, Bitbucket, Crowd) to use https. For testing I do this on an Ubuntu Server test instance VM.

So far I can access Crowd over https, but when I try to log in I get the following message:

"Connection to authentication server failed. Please review the logs for more information."

 

The error messages in catalina.out are:

"sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

"PluginSchedulerTask-com.atlassian.analytics.client.upload.RemoteFilterRead:job INFO [com.amazonaws.http.AmazonHttpClient] Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

 "Failed to connect to the authentication server, please check your crowd.properties
org.springframework.security.authentication.AuthenticationServiceException: Could not invoke service.. Nested exception is org.codehaus.xfire.fault.XFireFault: Couldn't send message."

"http-nio-8096-exec-17 ERROR [xfire.transport.http.HttpChannel] javax.net.ssl.SSLException: java.security.cert.CertificateException: No name matching localhost found"

 

I noticed something like that also in the Application Links of Jira & Confluence.

For the production server I will get a certificate signed by our IT or I will get one from another CA. But for testing I want to use a self-signed cert.

 

Is that possible?

 

Thanks and kind regards

Andreas

 

1 answer

1 vote
Marcin Kempa Atlassian Team Jan 10, 2018

Hi @Andreas Zeiler,

 

It is possible to add your self-signed certificates to the Java trust store. In order to do so, please follow the documentation mentioned here.

However, I think it might be easier for you, for testing purposes, to try out the https://letsencrypt.org/ solution.

Here you can see which Java versions and browsers support those certificates: https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394.

 

Please make sure that you use proper certificates in your production environment.

 

Hope that helps,

Marcin Kempa

Hi Marcin Kempa,

thanks for the reply.

As the server is only visible in our factory network, letsencrypt would have problems verifying the server. Until now I don't know another way to sign my CSR file with letsencrypt.

I will try to add my self-signed certificate to the Java keystore.

 

Kind regards

Andreas

Since the IdenTrust "DST Root CA X3" certificate provided by letsencrypt was added to certain versions of Java (https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394) and this certificate is used to cross sign the automatically generated, I guess it could still work without the internet access. But frankly I did not test it; it is just another approach you might give a try.

 

EDIT:

While the above would work once the certificate is in place, the problem would be to generate one, as letsencrypt needs to know that you are the one owning the domain.

 

Best Regards,

Marcin Kempa

Marcin Kempa Atlassian Team Jan 24, 2018

Hi @Andreas Zeiler

Did you manage to set up Crowd https with those self-signed certificates?

 

Best Regards,

Marcin Kempa

Hello Marcin,

finally I got it to work.

I had some problems with my certificate. Since I use a virtual machine, I always added the IP of the VM to the certificate. But in our network the IP changed and Crowd had some problems with that.

I also didn't configure the Remote Addresses for the Crowd application in the Application Settings.

I made a completely new self-signed cert with the hostname of my VM. And I also accessed the applications over that. Then I also added the signed certificate (*.cer) to the keystore of the used Java VM (in my case every Atlassian app uses either its own Java or OpenJDK or Oracle Java which I've installed on the server; I had to look in the System Information of every app). This also helped me with the problem that the Application Links between the Atlassian apps didn't work.

 

By the way: it would be nice if you could update your "Crowd https setup" articles. For example I needed to add some lines to a "web.xml" but this was not mentioned in the help site.

 

Kind regards

Andreas
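
The fix described in the last post (a self-signed certificate issued for the VM's hostname, then imported into the trust store of every JVM the apps run on), as an added example that is not part of the original thread. The hostname, the alias and the `APP_JAVA_HOME` variable are assumptions; `changeit` is the default password of an unmodified Java `cacerts` store.

```shell
#!/usr/bin/env bash
# Added example. HOST, the alias and APP_JAVA_HOME are placeholders.
HOST="crowd-test.example.internal"   # hypothetical hostname of the test VM
WORK="$(mktemp -d)"

# Issue a self-signed certificate whose subjectAltName carries the hostname
# used in the apps' URLs (not an IP address that may change).
make_cert() {   # $1 = hostname
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.cer" 2>/dev/null
}

# True if the certificate covers the name a client connects to. A mismatch is
# what Java reports as "CertificateException: No name matching <host> found".
cert_matches_host() {   # $1 = certificate file, $2 = hostname
  openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q "does match"
}

# Trust the certificate in one JVM; without this the client side fails with
# "PKIX path building failed". Run once per JVM that an app actually uses.
import_into_jvm() {   # $1 = certificate file, $2 = that JVM's JAVA_HOME
  local store="$2/lib/security/cacerts"
  [ -f "$store" ] || store="$2/jre/lib/security/cacerts"   # JDK 8 layout
  keytool -importcert -noprompt -trustcacerts -alias "$HOST" \
    -file "$1" -keystore "$store" -storepass changeit      # default password
}

make_cert "$HOST"
for name in "$HOST" localhost; do
  if cert_matches_host "$WORK/$HOST.cer" "$name"; then
    echo "$name: covered by the certificate"
  else
    echo "$name: NOT covered, URLs using this name will fail"
  fi
done

# Import only when a target JVM is named, e.g. APP_JAVA_HOME=/opt/crowd/jre
if [ -n "${APP_JAVA_HOME:-}" ]; then
  import_into_jvm "$WORK/$HOST.cer" "$APP_JAVA_HOME"
fi
```

Each application's server URL (for Crowd, the one in `crowd.properties`) has to use the same hostname that is in the certificate, and each JVM needs a restart after the import.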
