Hipchat (server beta) + JIRA: General SSLEngine problem

Alexander Ray December 31, 2014

I'm trying to integrate Jira/Confluence with our Hipchat server beta.  When I go to add the API path and token, I get this error:

 javax.net.ssl.SSLHandshakeException: General SSLEngine problem

The certificate for the API path is signed by a CA that I verified is trusted in the java trust-store under both JIRA and Confluence.  

Is there a way to enable additional logging for this?  I'm not sure what else might be the issue - I can browse to the API path from the JIRA server, and the signing CA is in the trust store, so what does that leave?

1 answer

1 vote
Boris Berenberg
Rising Star
January 2, 2015

Which application logs provide you this error? If it is from HipChat server, then have you ensured that your HipChat application can consume your JIRA server's SSL cert? Check out the "Still having problems" portion of this KB: https://confluence.atlassian.com/display/JIRAKB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed+sun.security.provider.certpath.SunCertPathBuilderException and use the SSLPoke utility to double-check that the certificate is properly being read from JIRA.

Alexander Ray January 2, 2015

I get it from the JIRA server, under Hipchat Configuration, not from the hipchat server.  I ran sslpoke and got:

C:\>"C:\Program Files (x86)\Java\jre7\bin\java.exe" SSLPoke hipchat.redacted.net 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
    at sun.security.ssl.AppOutputStream.write(Unknown Source)
    at sun.security.ssl.AppOutputStream.write(Unknown Source)
    at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    ... 16 more

It's a wildcard certificate being used, and Qualys SSL Labs says the intermediate certificate is an "extra download".  Do I need to provide the intermediate cert to the hipchat server somehow?

 

Boris Berenberg
January 2, 2015

Yes, you will need to install the intermediate cert as well into JIRA's and Confluence's Java keystores. When it is properly installed, SSLPoke will come back all good, and then you can try the JIRA connection again.

Alexander Ray January 2, 2015

Okay, I trusted the cert in cacert in the jre/lib/security folder for both Confluence and JIRA and also in the Program Files folder for Java. SSLPoke now reports "Successfully connected". Integration still doesn't work - do I need to restart the services?

Boris Berenberg
January 2, 2015

Yes, you should restart both JIRA and Confluence. Then if the issue persists, you will need to monitor the logs to see what the error being thrown is.
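
Added example, not part of the thread and not Atlassian's SSLPoke: a small Java diagnostic for the case discussed above, where the server's intermediate certificate is an "extra download" and Java reports "PKIX path building failed". The class name ChainCheck is hypothetical; compile it and run it with the same java.exe the application uses, passing the host and port as arguments.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added diagnostic, not SSLPoke: prints the chain the server actually sends,
// then validates it against the default trust store of the JRE running it.
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        String host = args[0];                          // host to test
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        // Default trust manager (normally backed by lib/security/cacerts).
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager jre = (X509TrustManager) tmf.getTrustManagers()[0];

        // Recorder: stores what the server presents and rejects nothing, so the
        // handshake finishes even for a broken chain. Diagnostic use only.
        final X509Certificate[][] sent = new X509Certificate[1][];
        final String[] auth = new String[1];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) {
                sent[0] = c;
                auth[0] = a;
            }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        }

        for (X509Certificate c : sent[0]) {
            System.out.println("subject: " + c.getSubjectX500Principal());
            System.out.println("  issuer: " + c.getIssuerX500Principal());
        }
        try {
            jre.checkServerTrusted(sent[0], auth[0]);   // validation a default Java client performs
            System.out.println("OK: chain validates against this JRE's trust store");
        } catch (CertificateException e) {
            // A leaf-only chain whose issuer is not in the trust store lands here.
            System.out.println("FAIL: " + e.getMessage());
        }
    }
}
```

A single subject/issuer pair followed by FAIL with "PKIX path building failed" is consistent with the server not sending its intermediate, so the certificate named on the issuer line is the one this JRE's trust store is missing.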
