Crowd 2.12 with https and self-signed certificate?

Deleted user January 10, 2018

Hello,

Is it possible to set up Crowd Server 2.12 with https and a self-signed certificate?

I'm trying to set up my Atlassian apps (Jira, Confluence, Crucible, Bitbucket, Crowd) to https. For testing I do this on an Ubuntu Server test instance VM.

So far I can access Crowd over https, but when I try to log in I get the following message:

"Connection to authentication server failed. Please review the logs for more information."

The error messages in catalina.out are:

"sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

"PluginSchedulerTask-com.atlassian.analytics.client.upload.RemoteFilterRead:job INFO [com.amazonaws.http.AmazonHttpClient] Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

 "Failed to connect to the authentication server, please check your crowd.properties
org.springframework.security.authentication.AuthenticationServiceException: Could not invoke service.. Nested exception is org.codehaus.xfire.fault.XFireFault: Couldn't send message."

"http-nio-8096-exec-17 ERROR [xfire.transport.http.HttpChannel] javax.net.ssl.SSLException: java.security.cert.CertificateException: No name matching localhost found"

I noticed something like that also in the Application Links of Jira & Confluence.

For the production server I will get a certificate signed by our IT, or I will get one from another CA. But for testing I want to use a self-signed cert.

Is that possible?

Thanks and kind regards

Andreas

1 answer

1 vote
Marcin Kempa
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 10, 2018

Hi @[deleted],

It is possible to add your self-signed certificates to the Java trust store. In order to do so, please follow the documentation mentioned here.

However, I think it might be easier for you, for testing purposes, to try out the https://letsencrypt.org/ solution.

Here you can see which Java versions and browsers support those certificates: https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394.

Please make sure that you use proper certificates in your production environment.

Hope that helps,

Marcin Kempa

Deleted user January 10, 2018

Hi Marcin Kempa,

thanks for the reply.

As the server is only visible in our factory network, letsencrypt would have problems verifying the server. Until now I don't know another way to sign my CSR file with letsencrypt.

I will try to add my self-signed certificate to the Java keystore.

Kind regards

Andreas

Marcin Kempa
Atlassian Team
January 10, 2018

Since the IdenTrust "DST Root CA X3" certificate provided by letsencrypt was added to certain versions of Java (https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394) and this certificate is used to cross-sign the automatically generated certificates, I guess it could still work without internet access. But frankly I did not test it; it is just another approach you might give a try.

EDIT:

While the above would work once the certificate is in place, the problem would be to generate one, as letsencrypt needs to know that you are the one owning the domain.

Best Regards,

Marcin Kempa

Marcin Kempa
Atlassian Team
January 24, 2018

Hi @[deleted]

Did you manage to set up Crowd https with those self-signed certificates?

Best Regards,

Marcin Kempa

Deleted user January 25, 2018

Hello Marcin,

finally I got it to work.

I had some problems with my certificate. Since I use a virtual machine, I always added the IP of the VM to the certificate. But in our network the IP changed and Crowd had some problems with that.

I also didn't configure the Remote Addresses for the Crowd application in the Application Settings.

I made a completely new self-signed cert with the hostname of my VM, and I also accessed the applications via that hostname. Then I also added the signed certificate (*.cer) to the keystore of the JVM in use (in my case every Atlassian app uses either its own Java, or OpenJDK or Oracle Java which I've installed on the server; I had to look in the System Information of every app). This also helped me with the problem that the Application Links between the Atlassian apps didn't work.

By the way: it would be nice if you could update your "Crowd https setup" articles. For example, I needed to add some lines to a "web.xml", but this was not mentioned on the help site.

Kind regards

Andreas
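
The fix described in the last post (a certificate issued to the VM's host name instead of its IP, then trusted in each application's JVM), as an added shell example that is not part of the original thread. The host name, output file names, the Java path in the demo comment and the alias `crowd-selfsigned` are constructed; it assumes OpenSSL 1.1.1 or newer and the default truststore password.

```shell
#!/usr/bin/env bash
# Added example. Host name, file names and alias are constructed values.
set -eu

# Self-signed certificate bound to the host NAME via subjectAltName, so it
# survives a DHCP address change. -addext needs OpenSSL 1.1.1 or newer.
make_cert() {  # make_cert <hostname> <outdir>
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$2/server.key" -out "$2/server.cer" 2>/dev/null
}

# Succeeds only if the certificate is valid for the name a client connects to.
# A URL using "localhost" or a stale IP fails here, which is the condition
# Java reports as "No name matching localhost found".
cert_matches_host() {  # cert_matches_host <cert> <hostname>
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Locate the truststore of one Java installation (JDK 8 layout, then JRE / 9+).
cacerts_path() {  # cacerts_path <java_home>
  for p in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
    if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
  done
  return 1
}

# Import the certificate into that JVM. Run once per JVM shown in each
# application's System Information. "changeit" is the stock cacerts password.
trust_in_jvm() {  # trust_in_jvm <cert> <java_home> <alias>
  local ks
  ks=$(cacerts_path "$2") || { echo "no cacerts under $2" >&2; return 1; }
  "$2/bin/keytool" -importcert -noprompt -trustcacerts -alias "$3" \
    -file "$1" -keystore "$ks" -storepass changeit
}

# Demo (constructed arguments):
#   ./trust-cert.sh crowd-test.example.internal /usr/lib/jvm/java-8-openjdk-amd64
if [ "$#" -eq 2 ]; then
  work=$(mktemp -d)
  make_cert "$1" "$work"
  cert_matches_host "$work/server.cer" "$1"
  trust_in_jvm "$work/server.cer" "$2" crowd-selfsigned
  echo "certificate and key are in $work"
fi
```

Importing into the truststore addresses the "PKIX path building failed" errors; the host-name check addresses "No name matching localhost found", which no truststore import can fix.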
