How do I install an SSL certificate for HipChat Data Center?

We have installed HipChat Data Center but there is no documentation on how to install an SSL certificate, and the previous version of the documentation does not work as there are no such menus in the Data Center version.

Where can I read about installing the certificate?

2 answers

1 accepted

Accepted Answer
2 votes

Hi Anna, 

Unlike HipChat Server, SSL is terminated at the load balancer for HipChat Data Center. Thus, the SSL certificate will be installed in the load balancer as indicated in Deploy HipChat Data Center:
* a load balancer with an SSL certificate for your domain

Additionally, from HipChat Data Center architecture:
a load balancer that directs connections to the HipChat nodes and handles SSL termination
(i) A load balancer is required, even for deployments that only have one HipChat node.

I hope this helps. 

So what about when implementing a small scale deployment. There is documentation for using nginx but SSL issues still persist.

Ahmad Danial Atlassian Team Jun 18, 2018

Hi, Noni.

I believe that you are referring to the How to configure a basic Nginx reverse proxy for Hipchat Data Center where it is mentioned in step 3 of the Configure section:

  • ssl_certificate and ssl_certificate_key indicate the location of your SSL certificate and key respectively.

Can you please share what specific SSL issue you are running into?

Hi Ahmad 

The issue was that when accessing HipChat using the URL we set for it, it would redirect to the IP address and complain about the SSL certs. Even after following the steps on the nginx

So this issue for us was solved by modifying the database to use a specific URL instead of using the IP address.

Thanks 

Ahmad Danial Atlassian Team Jun 18, 2018

Hi, Noni.

Since you mentioned the modification of the database, do you mind sharing which table specifically you made changes to? Are you referring to the configurations table, specifically under the fqdn column?

On my end, I verified that the fqdn was set to use the URL that I type into the web browser to access the web interface of the data center deployment.

Hi Ahmad

Yes I do mean the fqdn column.

In our situation, the certs were self-signed. Another solution is to do an import of the certificate (file should contain the cert and key) to the keystore of the HipChat Data Center server.

Command: hipchat certificates -i <certificate name>

Ahmad Danial Atlassian Team Jun 19, 2018

Hi, Noni.

Awesome. Thanks for sharing! I am sure that it will benefit other users who might run into the same issue in the future. 

Noni/Ahmad,

   I'm not following...  According to other docs, and to Ahmad's May 2nd comment here: 

https://community.atlassian.com/t5/Hipchat-questions/New-Install-How-to-update-SSL-certificate/qaq-p/787504  

    There is NO "hipchat certificate --import", as the "certificate" namespace DOES NOT EXIST in Hipchat DATACENTER (v3.1.4). 

   Can you please clarify if you are using Hipchat SERVER (v2.xx) ?? I am looking to import a cert into DATACENTER, but finding this to be unsupported??

Thanks! 

Ahmad Danial Atlassian Team Jul 19, 2018

Hi there, Jorge.

HipChat Data Center introduces a new way of implementing SSL. Instead of configuring it through the hipchat certificate command, the certificate is to be applied on the load balancer / reverse proxy level as mentioned in the following documentation:

While the command is no longer supported on Data Center, I suggest that you have the SSL certificate configured on the reverse proxy / load balancer for connections on port 443 to ensure that it is successfully implemented. Can you give that a try and let me know how it works for you?

Thanks, what I was getting at was that Noni's response only applies to Hipchat < v3.x.  For Datacenter I am doing a POC and thus we did not set up a load balancer because our production load balancer is not supposed/allowed to point to non-prod hosts.

   Eventually, what I found was that the default Hipchat cert is stored in these files, which I overwrote with my own certificate/key (generated via Java keytool):

/hipchat/certs/tmp/star_hipchat_com_chain.crt
/hipchat/certs/tmp/star_hipchat_com.key

  This allowed me to integrate with our other Atlassian tools.  I simply imported the public version of the certificate into the <java>/jre/lib/security/cacerts of the JVM that the Atlassian products run on.

People must keep in mind that there are two ways to set up Atlassian products.  One comes shipped with the JRE under <Bamboo/JIRA/Confluence/Bitbucket INSTALL DIR>/jre/ ;  the other installation method requires that you provide the Java runtime, usually via the JAVA_HOME environment variable.
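Why the redirect to the IP address described earlier in this thread triggers a certificate warning, and how to confirm that a replaced certificate/key pair (as in the file-overwrite workaround above) actually belongs together, as an added example that is not part of the original thread. The hostname, IP address and file names are constructed, and a throwaway self-signed certificate is generated locally with openssl (1.1.1 or later assumed for `-addext`).

```bash
#!/usr/bin/env bash
# Added example: all names and addresses below are constructed, not from the thread.
set -eu

FQDN="chat.example.test"   # stand-in for the value stored in the fqdn setting
NODE_IP="192.0.2.10"       # stand-in for the node's IP (documentation range)

# Create a throwaway self-signed certificate whose SAN lists only the hostname.
make_cert() {  # $1 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$FQDN" -addext "subjectAltName=DNS:$FQDN" \
    -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Succeeds only if the certificate is valid for the given DNS name.
cert_covers_host() {  # $1 = certificate file, $2 = hostname
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Succeeds only if the certificate is valid for the given IP address.
cert_covers_ip() {  # $1 = certificate file, $2 = IP address
  openssl x509 -in "$1" -noout -checkip "$2" | grep -q "does match"
}

# Succeeds only if the private key belongs to the certificate (same public key).
key_matches_cert() {  # $1 = certificate file, $2 = private key file
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

demo() {
  local dir
  dir=$(mktemp -d)
  make_cert "$dir"
  # An unrelated key, to show what a mismatched pair looks like.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/other.key" 2>/dev/null
  cert_covers_host "$dir/server.crt" "$FQDN"    && echo "hostname: covered"
  cert_covers_ip   "$dir/server.crt" "$NODE_IP" || echo "IP: not covered, a redirect to it fails validation"
  key_matches_cert "$dir/server.crt" "$dir/server.key" && echo "server.key: matches certificate"
  key_matches_cert "$dir/server.crt" "$dir/other.key"  || echo "other.key: does not match certificate"
  rm -rf "$dir"
}
demo
```

The same three checks can be pointed at the certificate and key files actually deployed on the reverse proxy or node before restarting the service.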

Hi Jorge 

Will verify the version for you as soon as I can. Whenever I tried to override the certs in those folders with my own, they somehow got regenerated. Were you able to get that right?

Hi Jorge

Sorry for responding late.

I am running version 3.1.1

I realised I wrote -import in my command instead of -i.

So I modified my previous comment.

Remember we have chosen to install HipChat using the small scale deployment guide.

I also added my cert and key into the /hipchat/certs folder.

hipchat certimport.PNG

Above is an image showing you my command,

and it is what I use to successfully import my certs.

The cert I imported has the key appended to it.

Thanks, Noni. 

This is interesting, originally I thought you were using 2.x because when I tried to follow your instructions the problem I encountered is that the 'certificate' option is not available.

hipchat_missing_namespace.png

But when you posted your screen shot I noticed that you used the plural form "certificateS" which looks like it's an undocumented feature in 3.x.

hipchat_missing_namespace2.png

Please update your original posts to add the "s," at least for posterity.

And in answer to your question as to how I was able to get the new certificate to stick, I have not come across an instance in which it has been overwritten, so I don't know.  What I do know is that I created the certificate using 'keytool' and simply replaced the files.  They are owned by 'root' so they cannot be removed by the hipchat user.  I have restarted the hipchat service, but have not rebooted the machine, so I don't know if there is something in OS startup that would cause replacing the files.

hipchat_cert_owner.png

For an unsupported workaround please see my answers.  We are doing this because we are in try-out PoC mode and don't want to commit too many resources to the trial.  It is working for us with a self-signed cert.

We will be moving to a proper load-balanced/r-proxy solution when we go live in production.
