We have installed HipChat Data Center, but there is no documentation on how to install an SSL certificate, and the previous version of the documentation does not work as there are no such menus in the Data Center version.
Where can I read about installing the certificate?
Hi Anna,
Unlike HipChat Server, SSL is terminated at the load balancer for HipChat Data Center. Thus, the SSL certificate will be installed in the load balancer as indicated in Deploy HipChat Data Center:
* a load balancer with an SSL certificate for your domain
Additionally, from HipChat Data Center architecture:
a load balancer that directs connections to the HipChat nodes and handles SSL termination
(i) A load balancer is required, even for deployments that only have one HipChat node.
I hope this helps.
So what about when implementing a small-scale deployment? There is documentation for using nginx, but SSL issues still persist.
Hi, Noni.
I believe that you are referring to How to configure a basic Nginx reverse proxy for Hipchat Data Center, where it is mentioned in step 3 of the Configure section:
ssl_certificate and ssl_certificate_key indicate the location of your SSL certificate and key respectively.
Can you please share the specific SSL issue that you are running into?
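As an added illustration of the step 3 settings referred to above (this is not from the Atlassian article or from any reply in this thread), here is a minimal nginx server block that terminates TLS on port 443 and proxies to a single HipChat Data Center node. The server name hipchat.example.com, the node address 10.0.0.10 on port 80, and the certificate paths are placeholders.

```nginx
# Added example: nginx TLS termination in front of one HipChat Data Center node.
# Placeholders (not from the article): hipchat.example.com, 10.0.0.10:80,
# and the certificate/key paths under /etc/nginx/ssl/.

server {
    listen 80;
    server_name hipchat.example.com;
    # Send plain HTTP to HTTPS so clients never reach the node unencrypted.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name hipchat.example.com;

    # Step 3 of the Configure section: the certificate chain and the private key.
    ssl_certificate     /etc/nginx/ssl/hipchat.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/hipchat.example.com.key;

    # Keep the key readable only by root and the nginx worker user.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        # Placeholder node address and port; use the values from your deployment.
        proxy_pass http://10.0.0.10:80;
        # Forward the public host name and scheme so the application sees the
        # name the client used rather than the proxy's own address.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After reloading nginx, confirm the chain actually served with `openssl s_client -connect hipchat.example.com:443 -servername hipchat.example.com` and compare it with the file named in ssl_certificate.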
Hi Ahmad
The issue was that when accessing HipChat using the URL we set for it, it would redirect to the IP address and complain about the SSL certs, even after following the steps on the nginx page.
So this issue for us was solved by modifying the database to use a specific URL instead of using the IP address.
Thanks
Hi, Noni.
Since you mentioned modifying the database, do you mind sharing which table specifically you made changes to? Are you referring to the configurations table, specifically the fqdn column?
On my end, I verified that the fqdn was set to the URL that I type into the web browser to access the web interface of the Data Center deployment.
Hi Ahmad
Yes I do mean the fqdn column.
In our situation, the certs were self-signed. Another solution is to do an import of the certificate (the file should contain the cert and key) into the keystore of the HipChat Data Center server.
Command: hipchat certificates -i <certificate name>
Hi, Noni.
Awesome. Thanks for sharing! I am sure that it will benefit other users who might run into the same issue in the future.
Noni/Ahmad,
I'm not following... According to other docs, and to Ahmad's May 2nd comment here:
There is NO "hipchat certificate --import", as the "certificate" namespace DOES NOT EXIST in Hipchat DATACENTER (v3.1.4).
Can you please clarify if you are using Hipchat SERVER (v2.xx)? I am looking to import a cert into DATACENTER, but I am finding this to be unsupported.
Thanks!
Hi there, Jorge.
HipChat Data Center introduces a new way of implementing SSL. Instead of configuring it through the hipchat certificate command, the certificate is to be applied at the load balancer / reverse proxy level, as mentioned in the following documentation:
While the command is no longer supported on Data Center, I suggest you have the SSL certificate configured on the reverse proxy / load balancer for connections on port 443 to ensure that it is successfully implemented. Can you give that a try and let me know how it works for you?
Thanks, what I was getting at was that Noni's response only applies to Hipchat < v3.x. For Datacenter I am doing a POC, and thus we did not set up a load balancer because our production load balancer is not supposed/allowed to point to non-prod hosts.
Eventually, what I found was that the default Hipchat cert is stored in these files, which I overwrote with my own certificate/key (generated via Java keytool):
/hipchat/certs/tmp/star_hipchat_com_chain.crt
/hipchat/certs/tmp/star_hipchat_com.key
This allowed me to integrate with our other Atlassian tools. I simply imported the public version of the certificate into the <java>/jre/lib/security/cacerts of the JVM that the Atlassian products run on.
People must keep in mind that there are two ways to set up Atlassian products. One comes shipped with the JRE under <Bamboo/JIRA/Confluence/Bitbucket INSTALL DIR>/jre/; the other installation method requires that you provide the Java runtime, usually via the JAVA_HOME environment variable.
Hi Jorge
Will verify the version for you as soon as I can. Whenever I tried to override the certs in those folders with my own, they somehow got regenerated. Were you able to get that right?
Hi Jorge
Sorry for responding late.
I am running version 3.1.1.
I realised I wrote -import in my command instead of -i.
So I modified my previous comment.
Remember we have chosen to install HipChat using the small-scale deployment guide.
I also added my cert and key into the /hipchat/certs folder.
Above is an image showing you my command.
It is what I use to successfully import my certs.
The cert I imported has the key appended to it.
Thanks, Noni.
This is interesting; originally I thought you were using 2.x, because when I tried to follow your instructions the problem I encountered was that the 'certificate' option is not available.
But when you posted your screen shot I noticed that you used the plural form "certificateS" which looks like it's an undocumented feature in 3.x.
Please update your original posts to add the "s," at least for posterity.
And in answer to your question as to how I was able to get the new certificate to stick, I have not come across an instance in which it has been overwritten, so I don't know. What I do know is that I created the certificate using 'keytool' and simply replaced the files. They are owned by 'root' so they cannot be removed by the hipchat user. I have restarted the hipchat service, but have not rebooted the machine, so I don't know if there is something in OS startup that would cause replacing the files.
For an unsupported workaround please see my answers. We are doing this because we are in try-out PoC mode and don't want to commit too many resources to the trial. It is working for us with a self-signed cert.
We will be moving to a proper load-balanced/r-proxy solution when we go live in production.