
How do I install an SSL certificate for HipChat Data Center?

Anna Morina June 30, 2017

We have installed HipChat Data Center but there is no documentation on how to install an SSL certificate, and the previous version of the documentation does not work as there are no such menus in the Data Center version.

Where can I read about installing the certificate?

2 answers

1 accepted

2 votes
Answer accepted
Arbi Dridi
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 30, 2017

Hi Anna, 

Unlike HipChat Server, SSL is terminated at the load balancer for HipChat Data Center. Thus, the SSL certificate will be installed in the load balancer as indicated in Deploy HipChat Data Center:
* a load balancer with an SSL certificate for your domain

Additionally, from HipChat Data Center architecture:
a load balancer that directs connections to the HipChat nodes and handles SSL termination
(i) A load balancer is required, even for deployments that only have one HipChat node.

I hope this helps. 

Noni Khutane May 3, 2018

So what about when implementing a small scale deployment? There is documentation for using nginx but SSL issues still persist.

AhmadDanial
Atlassian Team
June 18, 2018

Hi, Noni.

I believe that you are referring to How to configure a basic Nginx reverse proxy for Hipchat Data Center, where it is mentioned in step 3 of the Configure section:

  • ssl_certificate and ssl_certificate_key indicate the location of your SSL certificate and key respectively.

Can you please share which specific SSL issue you are running into?

Noni Khutane June 18, 2018

Hi Ahmad 

 

The issue was that when accessing HipChat using the URL we set for it, it would redirect to the IP address and complain about the SSL certs. Even after following the steps on the nginx

So this issue for us was solved by modifying the database to use a specific URL instead of using the IP address.

 

Thanks 

AhmadDanial
Atlassian Team
June 18, 2018

Hi, Noni.

Since you mentioned the modification of the database, do you mind sharing which table specifically you made changes to? Are you referring to the configurations table, specifically the fqdn column?

On my end, I verified that the fqdn was set to use the URL that I type into the web browser to access the web interface of the Data Center deployment.

Noni Khutane June 18, 2018

Hi Ahmad

Yes I do mean the fqdn column.

In our situation, the certs were self-signed. Another solution is to do an import of the certificate (file should contain the cert and key) to the keystore of the HipChat Data Center server.

Command: hipchat certificates -i <certificate name>

AhmadDanial
Atlassian Team
June 19, 2018

Hi, Noni.

Awesome. Thanks for sharing! I am sure that it will benefit other users who might run into the same issue in the future. 

Jorge Suarez July 18, 2018

Noni/Ahmad,

   I'm not following...  According to other docs, and to Ahmad's May 2nd comment here: 

https://community.atlassian.com/t5/Hipchat-questions/New-Install-How-to-update-SSL-certificate/qaq-p/787504  

    There is NO "hipchat certificate --import", as the "certificate" namespace DOES NOT EXIST in Hipchat DATACENTER (v3.1.4). 

   Can you please clarify if you are using Hipchat SERVER (v2.xx) ?? I am looking to import a cert into DATACENTER, but finding this to be unsupported??

Thanks! 

AhmadDanial
Atlassian Team
July 19, 2018

Hi there, Jorge.

HipChat Data Center introduces a new way of implementing SSL. Instead of configuring it through the hipchat certificate command, the certificate is to be applied at the load balancer / reverse proxy level as mentioned in the following documentation:

While the command is no longer supported on Data Center, I suggest that you have the SSL certificate configured on the reverse proxy / load balancer for connections on port 443 to ensure that it is successfully implemented. Can you give that a try and let me know how it works for you?

Jorge Suarez July 20, 2018

Thanks, what I was getting at was that Noni's response only applies to Hipchat < v3.x.  For Datacenter I am doing a POC and thus we did not set up a load balancer because our production load balancer is not supposed/allowed to point to non-prod hosts.

   Eventually, what I found was that the default Hipchat cert is stored in these files, which I overwrote with my own certificate/key (generated via Java keytool):

/hipchat/certs/tmp/star_hipchat_com_chain.crt
/hipchat/certs/tmp/star_hipchat_com.key

  This allowed me to integrate with our other Atlassian tools.  I simply imported the public version of the certificate into the <java>/jre/lib/security/cacerts of the JVM that the Atlassian products run on.

People must keep in mind that there are two ways to set up Atlassian products.  One comes shipped with the JRE under <Bamboo/JIRA/Confluence/Bitbucket INSTALL DIR>/jre/ ;  the other installation method requires that you provide the Java runtime, usually via the JAVA_HOME environment variable.

Noni Khutane July 20, 2018

Hi Jorge 

 

Will verify the version for you as soon as I can. Whenever I tried to override the certs in those folders with my own, they somehow got regenerated. Were you able to get that right?

Noni Khutane July 23, 2018

Hi Jorge

Sorry for responding late.

I am running version 3.1.1

I realised I wrote -import in my command instead of -i.

So I modified my previous comment.

Remember we have chosen to install HipChat using the small scale deployment guide.

I also added my cert and key into the /hipchat/certs folder.

[image: hipchat certimport.PNG]

Above is an image showing you my command, and it is what I use to successfully import my certs.

The cert I imported has the key appended to it.

Jorge Suarez July 23, 2018

Thanks, Noni. 

This is interesting, originally I thought you were using 2.x because when I tried to follow your instructions the problem I encountered is that the 'certificate' option is not available.

hipchat_missing_namespace.png

But when you posted your screen shot I noticed that you used the plural form "certificateS" which looks like it's an undocumented feature in 3.x.

hipchat_missing_namespace2.png

Please update your original posts to add the "s," at least for posterity.

And in answer to your question as to how I was able to get the new certificate to stick, I have not come across an instance in which it has been overwritten, so I don't know.  What I do know is that I created the certificate using 'keytool' and simply replaced the files.  They are owned by 'root' so they cannot be removed by the hipchat user.  I have restarted the hipchat service, but have not rebooted the machine, so I don't know if there is something in OS startup that would cause replacing the files.

hipchat_cert_owner.png

0 votes
Jorge Suarez July 24, 2018

For an unsupported workaround please see my answers.  We are doing this because we are in try-out PoC mode and don't want to commit too many resources to the trial.  It is working for us with a self-signed cert.

We will be moving to a proper load-balanced/r-proxy solution when we go live in production.
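
The redirect-to-IP symptom discussed in the thread above comes down to name matching: a certificate issued for the chat FQDN does not cover the server's IP address, so a redirect to the IP produces certificate warnings even when the proxy certificate itself is fine. The following check is an added example, not code from the thread or from HipChat; the host name `chat.example.test`, the address `10.0.0.5` and the function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns:
# a self-signed proxy certificate issued for the chat FQDN only.
SAMPLE_CERT = {
    "subject": ((("commonName", "chat.example.test"),),),
    "subjectAltName": (("DNS", "chat.example.test"), ("DNS", "*.chat.example.test")),
}

def _dns_match(pattern, host):
    """RFC 6125 style match: a wildcard may only be the whole left-most label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(cert, host):
    """True if host (DNS name or IP literal) appears in the cert's subjectAltName."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(kind == "DNS" and _dns_match(value, host) for kind, value in sans)
    # IP literals are matched only against IP SAN entries, never DNS ones.
    return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
               for kind, value in sans)

def check_redirect(cert, typed_url, location):
    """Classify the redirect a client receives after requesting typed_url."""
    typed = urlsplit(typed_url).hostname
    target = urlsplit(location).hostname or typed  # relative Location keeps the host
    if not cert_covers(cert, typed):
        return f"certificate does not cover {typed}"
    if target != typed and not cert_covers(cert, target):
        return f"redirect to {target} leaves the certificate's names"
    return "ok"
```

Feeding it the dictionary from `getpeercert()` on a verified connection, plus the `Location` header the server returns, shows whether the configured FQDN or the certificate's names need to change.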
