I'm trying to integrate Jira/Confluence with our HipChat Server beta. When I go to add the API path and token, I get this error:
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
The certificate for the API path is signed by a CA that I verified is trusted in the Java trust store under both JIRA and Confluence.
Is there a way to enable additional logging for this? I'm not sure what else might be the issue: I can browse to the API path from the JIRA server, and the signing CA is in the trust store, so what does that leave?
Which application's logs show you this error? If it is from HipChat Server, then have you ensured that your HipChat application can consume your JIRA server's SSL cert? Check out the "Still having problems" portion of this KB: https://confluence.atlassian.com/display/JIRAKB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed+sun.security.provider.certpath.SunCertPathBuilderException and use the SSLPoke utility to double-check that the certificate is properly being read from JIRA.
I get it from the JIRA server, under HipChat Configuration, not from the HipChat server. I ran SSLPoke and got:
C:\>"C:\Program Files (x86)\Java\jre7\bin\java.exe" SSLPoke hipchat.redacted.net 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
        at sun.security.ssl.AppOutputStream.write(Unknown Source)
        at sun.security.ssl.AppOutputStream.write(Unknown Source)
        at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(Unknown Source)
        ... 16 more
It's a wildcard certificate being used, and Qualys SSL Labs says the intermediate certificate is an "extra download". Do I need to provide the intermediate cert to the HipChat server somehow?
Yes, you will need to install the intermediate cert as well into JIRA's and Confluence's Java keystores. When it is properly installed, SSLPoke will come back all good, and then you can try the JIRA connection again.
Make sure you take a look at: https://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services for details
Okay, I trusted the cert in cacerts in the jre/lib/security folder for both Confluence and JIRA, and also in the Program Files folder for Java. SSLPoke now reports "Successfully connected". The integration still doesn't work; do I need to restart the services?
Yes, you should restart both JIRA and Confluence. Then, if the issue persists, you will need to monitor the logs to see what error is being thrown.