Why I can't import .crt to JIRA?

Daniel Ong September 15, 2012

My site is: www.affinex.net
SSL certificate has been installed

I am getting errors and I couldn't get JIRA to work under SSL. For now, the installation is completed, I am able to run JIRA on port 8080, however I couldn't get it to run on HTTPS.

I have uncommented the SSL section of conf/server.xml (refer to attachment)

I am getting keytool error message from Command Prompt: (refer to attachment)
keytool error: java.io.FileNotFoundException: www_affinex_net.crt <The system cannot find the file specified>

I have checked the directory and path, everything is correct.

3 answers

0 votes
Daniel Ong September 15, 2012

Yes I did. Right click and "run as administrator". Thanks for the reminder though.

0 votes
Norman Abramovitz
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
September 15, 2012

Not sure if this matters or not but did you run the cmd windows under administrator's rights?

0 votes
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 15, 2012

Check that the files and directories are read/write enabled for your user on both

1. The current one with the .crt file in it

2. The place where keytool will be keeping the certificate store

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 15, 2012

Where is your certificate store?

Can you run the keytool commands with the -v flag for more info?

Daniel Ong September 15, 2012

refer to attachment. the crt file is stored at this directory: C:\Program Files\Atlassian\JIRA\jre\bin\keytool

how do I run keytool cmd with v-flag? Please enlighten. Thanks Nic!

Daniel Ong September 15, 2012

Checked all folders are read/write enabled. Error is still there.

Daniel Ong September 15, 2012

www.affinex.net:8080 works fine.

Just can't get it to run on HTTPS.

Daniel Ong September 15, 2012

Please refer to printscreen for folder permission. Modified enabled.

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 15, 2012

I'm not familiar with where windows JVMs might default the keytools to, or what the grey ticks in the permissions mean (is it ok that "read" is greyed out for your user?)

With keytool, add the -v as a parameter - instead of "keytool -import ...", try "keytool -v -import ..."

Daniel Ong September 15, 2012

greyed out means it's enabled by default. Attached picture is the v flag, please advise.

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 15, 2012

mmm, ok, that's not a huge amount of help, sorry. Worth a try, but it's a plain "file you're talking about is not there error", rather than something obscure.

Simple fact is, the keytool program is not finding the .crt file (it might not be able to open the keystore, but as you're entering a password and it's accepting it, I doubt that's it). It looks like the file isn't in the current directory. Could you try these two commands, in the current directory that you're running keytool from:

dir *.crt

attrib *.crt

(By the way - screenshots are not needed, the plain text of the command window is much nicer)

Daniel Ong September 15, 2012

Could it be the password?

I entered "changit" for both the password. Keystore password and new password. How to check whether I setup keystore properly and check what is the password?

Daniel Ong September 15, 2012

I meant "changeit" twice. Sorry about the typo

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 15, 2012

The whole point of the password is that it can't be extracted! To check it just try "keytool -list", which will ask you for it and if you get it right, it will list your imported certificates.

I suspect this is not the issue though, it's the fact it can't find your .crt file.

Daniel Ong September 16, 2012

Error message as below:

C:\Users\Administrator>"C:\Program Files\Atlassian\JIRA\jre\bin\keytool" -list
keytool error: java.lang.Exception: Keystore file does not exist: C:\Users\Admin
istrator\.keystore

C:\Users\Administrator>

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 16, 2012

Well, that answers that then. You haven't created a keystore, so the system can't find it when you're running the command to add the certificate.

Note - you probably don't want to create one for the admin user - you probably want it for the user that Jira will be running as.

Daniel Ong September 16, 2012

I know this might sound very stupid. But how do I create a keystore for user? Can you direct me to a link or something?

Thanks Nic!

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 16, 2012

Run the keytool program as that user.

http://docs.oracle.com/javase/6/docs/technotes/tools/ and look under "security tools" section

Daniel Ong September 16, 2012

I tried creating the keystore with the -genkeypair command but more error messages came out:

C:\Program Files\Atlassian\JIRA\jre\bin>-genkeypair
'-genkeypair' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files\Atlassian\JIRA\jre\bin>-genkeypair {-alias alias} {-keyalg keya
lg} {-keysize keysize} {-sigalg sigalg} [-dname dname] [-keypass keypass] {-vali
dity valdays} {-storetype storetype} {-keystore keystore} [-storepass storepass]
{-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protect
ed} {-Jjavaoption}
'-genkeypair' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files\Atlassian\JIRA\jre\bin>-genkey
'-genkey' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files\Atlassian\JIRA\jre\bin>-genkeypair
'-genkeypair' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files\Atlassian\JIRA\jre\bin>-keystore
'-keystore' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files\Atlassian\JIRA\jre\bin>-keystore keystore
'-keystore' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files\Atlassian\JIRA\jre\bin>

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 17, 2012

Don't know. How have you configured it? What do you mean "can't run it with https"?

Daniel Ong September 17, 2012

I have added the keystore as below, but I still can't run JIRA with HTTPS. What's the next step?

C:\Program Files\Atlassian\JIRA\jre\bin>keytool -genkey -alias mydomain -keyalg
RSA -keystore keystore.jks -keysize 2048
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Daniel Ong
What is the name of your organizational unit?
[Unknown]: Cloud
What is the name of your organization?
[Unknown]: Dossologic
What is the name of your City or Locality?
[Unknown]: Singapore
What is the name of your State or Province?
[Unknown]: Singapore
What is the two-letter country code for this unit?
[Unknown]: SG
Is CN=Daniel Ong, OU=Cloud, O=Dossologic, L=Singapore, ST=Singapore, C=SG correc
t?
[no]: YES

Enter key password for <mydomain>
(RETURN if same as keystore password):

C:\Program Files\Atlassian\JIRA\jre\bin>keytool -v
Usage error: no command provided
Try keytool -help

C:\Program Files\Atlassian\JIRA\jre\bin>keytool -import -trustcacerts -alias roo
t -file www_affinex_net.crt -keystore keystore.jks
Enter keystore password:
Owner: CN=www.affinex.net, OU=EssentialSSL, OU=Hosted by Tucows, OU=Domain Contr
ol Validated
Issuer: CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, ST=Greater Mancheste
r, C=GB
Serial number: 1a4eea1d8877139b6571378cc308b0e3
Valid from: Tue Aug 28 08:00:00 SGT 2012 until: Thu Aug 29 07:59:59 SGT 2013
Certificate fingerprints:
MD5: B6:DA:FD:A5:58:63:9C:18:30:55:DE:20:BD:82:A9:CB
SHA1: 93:B6:07:E8:3D:62:6F:A3:2D:8C:52:2B:21:12:3D:AA:E8:36:A8:6A
Signature algorithm name: SHA1withRSA
Version: 3



Trust this certificate? [no]: YES
Certificate was added to keystore




Daniel Ong September 17, 2012

printcert check:

C:\Program Files\Atlassian\JIRA\jre\bin>keytool -list -v -keystore keystore.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: root
Creation date: Sep 18, 2012
Entry type: trustedCertEntry

Owner: CN=www.affinex.net, OU=EssentialSSL, OU=Hosted by Tucows, OU=Domain Contr
ol Validated
Issuer: CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, ST=Greater Mancheste
r, C=GB
Serial number: 1a4eea1d8877139b6571378cc308b0e3
Valid from: Tue Aug 28 08:00:00 SGT 2012 until: Thu Aug 29 07:59:59 SGT 2013
Certificate fingerprints:
MD5: B6:DA:FD:A5:58:63:9C:18:30:55:DE:20:BD:82:A9:CB
SHA1: 93:B6:07:E8:3D:62:6F:A3:2D:8C:52:2B:21:12:3D:AA:E8:36:A8:6A
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F9 BE 85 5E 55 CE E8 6E FA EB EB 1A EF 97 FC E5 ...^U..n........
0010: A6 19 0A 4C ...L
]
]

#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: 1.3.6.1.5.5.7.48.2
accessLocation: URIName: http://crt.comodoca.com/EssentialSSLCA_2.crt,
accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.comodoca.com]
]

#5:
ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.comodoca.com/EssentialSSLCA.crl]
]]

#6:
ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.7]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1D 68 74 74 70 73 3A 2F 2F 73 65 63 75 72 65 ..https://
secure
0010: 2E 63 6F 6D 6F 64 6F 2E 63 6F 6D 2F 43 50 53 .comodo.com/CPS

]] ]
]




Daniel Ong September 17, 2012

I want to run JIRA with SSL. For example, right now I am able to run JIRA on port 8080. e.g. www.affinex.net:8080 but I couldn't get it to run on a secure port e.g. HTTPS://www.affinex.net:8443

I am not too sure how to make this configuration.

Thanks Nic.

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 17, 2012

Yes, I understand that you want to access it via SSL (which implies https unless you're doing something unusual, but is NOT the same thing as SSL), but I'm afraid I'm not grasping the details. My main client uses certificates to access Jira (bypassing logins) and the system needs a certificate to get to confluence, source control and other places it's integrated with, so I'm probably just getting confused.

If it is just allowing (and requiring) access via https, then please work through https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS and tell us where you're getting stuck there.

Daniel Ong September 17, 2012

Okay, now I am stuck at the configuration tool. I have tried running config.bat but to no avail. Any ideas?

I have java running.

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 17, 2012

Not really, because I don't know what you're doing. What does "stuck at the configuration tool" mean? Running config.bat - so? What does it do? What's the error.

Have you read and followed the document I referred to? Where are you stuck in that?

Daniel Ong September 17, 2012

I apologize for being vague. What I meant was, I couldn't run the configuration tool. I understand I need it to configure JIRA to run using HTTPS port. But I tried runnning (double-clicking and cmd run) config.bat in the JIRA bin sub-directory but I just couldn't get the configuration tool to run.

Hope I clarified. Thanks.

Daniel Ong September 17, 2012

Stuck = couldn't get it to run = clicked and nothing happen.

Nice one with the penguins though.

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 17, 2012

mmm, that doesn't tell us any more - "I couldn't get it to run" is the same as "stuck".

To reuse my standard car analogy - "I couldn't get the car to move" doesn't tell us if it's not starting on ignition, the petrol tank is empty, it's in a ditch or if it's been trampled into bits by rampaging penguins.

You need to tell us what the symptoms are, error messages and so-on. Tell us where you are stuck in the documentation. More importantly, tell us where you've done something *different* from the documentation - that's probably where you're going wrong. Again, please work through https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS and tell us where you're getting stuck there.

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 17, 2012

I know, it's hard to explain to someone not in front of your screen, but it's just as hard to try to guess your way through without information too.

One of the wonders of running Windows is that it's utterly awful at telling you what's wrong. There IS something happening when you click on whatever you're clicking on, and Windows is failing miserably to tell you anything useful (which means it's not useful as an "operating system" because real ones give you feed back).

Try it on a command line. Take apart the shortcut and work out what it's actually running and run that from a cmd prompt. It should tell you more. Look for the application logs too - they will probably tell you why it's not running, assuming you can find them.

Daniel Ong September 17, 2012

Command prompt gives me this:

C:\Program Files\Atlassian\JIRA\bin>config.bat
The system cannot find the path specified.
C:\Program Files\Atlassian\JIRA\bin>

But the path is valid, the files are valid. This is really mind boggling.

Well, that's the reason why I prefer putting up screenshots but you advised me against it. A picture speaks a thousand words Nic.

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 17, 2012

The text is fine, it tells you all we need to know

The path and/or files are definitely not valid, according to the Operating System, and that's the thing that matters (you're now in a situation where you're saying "paint the car yellow" and the Operating system is saying "I have a brush, but there's not actually any car here... um... help")

However, because Windows is not helping a lot, I've got a feeling it might actually be telling you "something inside config.bat is missing". Useless error message, but hey.

Could you try:

  1. "type config.bat" from there? To see what the file contains and what it might be calling that isn't running.
  2. Run it with the full real path - should be something like c:\progra~1\atlass~1\JIRA\bin\config.bat to make sure you're actually running this config.bat and not another one (the ~s are there because Windows "long file names" are a complete bodge and not really long)
  3. Also, "echo %PATH%" - just in case there's more than one thing called "config.bat" that Windows is trying to run.
Daniel Ong September 17, 2012

Tried running all 3 suggestions. Nothing.

Is there any way I can "re-installing" or download the JIRA configuration tool program/files?

Daniel Ong September 17, 2012

Could it be Java?

C:\Program Files\Java\jdk1.6.0_34\bin>java -version
Error occurred during initialization of VM
java/lang/ClassNotFoundException: error in opening JAR file C:\Program Files\Jav
a\jdk1.6.0_34\jre\lib\rt.jar

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 17, 2012

All three of those commands would have given you something, albeit the first two might just be the same error message again.

Your next comment is an excellent idea on testing though and, even better, it does tell us something. Two things actually - first rt.jar is missing from your java install. I'm pretty sure this is a simple consequence of the second point - you are running a JRE, and that won't work - you need a JDK to run Atlassian stuff. Java Runtime Environment and Java Development Kit, before you ask ;-)

It's a bit of a misnomer - when they were first built, a JRE was what goes on a users machine if they wanted to run a java application, and developers needed a JDK. For many years though, that's simply not true - most applications need stuff in the JDK to run. Nowadays, a JRE is probably more than enough if my Mom wants to run something, but developers, servers, advanced users and even the cat needs a JDK.

Anyway, end rant, could you install a JDK and try again? Make sure it's JDK 1.6 though - Atlassian stuff doesn't work on 1.7 (yet). If you're worried about breaking other stuff, don't, a JDK contains the JRE and most apps won't care that there are extra bits in it.

Daniel Ong September 19, 2012

Thank Nic for the pointers. I got the configuration tool running, it seems like java is corrupted. Configuration tool is running after I re install Java.

However, on the webserver tab of the configuration tool, there are only 2 text box (HTTP Port and Control port) I can't see profile, keystore, HTTPS and the rest of the textboxes. Refer picture:

Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 19, 2012

I don't know if the configuration tool supports those options, it might only handle http setup. I'm not familiar with it - never had a client who doesn't need a WAR build for some reason.

Suggest an answer

Log in or Sign up to answer