Hipchat (server beta) + JIRA: General SSLEngine problem

I'm trying to integrate Jira/Confluence with our Hipchat server beta.  When I go to add the API path and token, I get this error:

 javax.net.ssl.SSLHandshakeException: General SSLEngine problem

The certificate for the API path is signed by a CA that I verified is trusted in the java trust-store under both JIRA and Confluence.  

Is there a way to enable additional logging for this?  I'm not sure what else might be the issue - I can browse to the API path from the JIRA server, and the signing CA is in the trust store, so what does that leave?

1 answer

1 vote
Boris Berenberg Community Champion Jan 02, 2015

Which application logs provide you this error? If it is from HipChat server, then have you ensured that your HipChat application can consume your JIRA server's SSL cert? Check out the "Still having problems" portion of this kb: https://confluence.atlassian.com/display/JIRAKB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed+sun.security.provider.certpath.SunCertPathBuilderException and use the SSLPoke utility to double-check that the certificate is properly being read from JIRA.

I get it from the JIRA server, under Hipchat Configuration, not from the hipchat server.  I ran sslpoke and got:

C:\>"C:\Program Files (x86)\Java\jre7\bin\java.exe" SSLPoke hipchat.redacted.net 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
    at sun.security.ssl.AppOutputStream.write(Unknown Source)
    at sun.security.ssl.AppOutputStream.write(Unknown Source)
    at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    ... 16 more

It's a wildcard certificate being used, and Qualys SSL Labs says the intermediate certificate is an "extra download".  Do I need to provide the intermediate cert to the hipchat server somehow?

 

Boris Berenberg Community Champion Jan 02, 2015

Yes, you will need to install the intermediate cert as well into JIRA's and Confluence's Java keystores. When it is properly installed, SSLPoke will come back all good, and then you can try the JIRA connection again.

Okay, I trusted the cert in cacert in the jre/lib/security folder for both Confluence and JIRA and also in the Program Files folder for Java. SSLPoke now reports "Successfully connected". Integration still doesn't work - do I need to restart the services?

Boris Berenberg Community Champion Jan 02, 2015

Yes, you should restart both JIRA and Confluence. Then if the issue persists, you will need to monitor the logs to see what the error being thrown is.
