Problem with SSL and Reverse Proxy on Ubuntu

mkilinski August 22, 2019

Hello. I've migrated my Jira Core from Windows Server to an Ubuntu 16.04 LTS environment. In general, I have a problem with the SSL configuration. The gadget captions are broken and in the Instance Health tool there is a typical error:

JIRA is not able to access itself through the configured Base URL. This is necessary so that dashboard gadgets can be generated successfully. Please verify the current Base URL and if necessary, review your network configurations to resolve the problem

According to Confluence support article Health Check: JIRA Base URL and checking the logs, here is a problem:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

But something is wrong. In my server.xml file there is a valid keystoreFile property with password and keyAlias. The SSLPoke test confirms that the jks keystore is ok (using -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword options).

/opt/atlassian/jira/jre/bin/java -Djavax.net.ssl.trustStore=/home/mati/certs/klucz.jks -Djavax.net.ssl.trustStorePassword=somepassword SSLPoke my.address.com 443

Successfully connected

So what can be wrong? Maybe jkm file permissions? I am using Ubuntu 16.04 LTS with Nginx and Reverse Proxy.

Here is the Nginx virtual host config:

server {

    listen 443 ssl;
    listen [::]:443 ssl;

    server_name my.address.com;

    ssl_certificate /home/mati/certs/key.crt;
    ssl_certificate_key /home/mati/certs/key.rsa;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers   on;

    location / {

        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
        proxy_pass https://localhost:8443/;
        client_max_body_size 10M;
    }
}

And here is the connector in server.xml:

<Connector proxyName="my.address.com" proxyPort="443" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;" SSLEnabled="true" sslEnabledProtocols="TLSv1.2,TLSv1.3" acceptCount="100" clientAuth="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keyAlias="my.address.com" keystoreFile="/home/mati/certs/klucz.jks" keystorePass="somepassword" keystoreType="JKS" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS" useBodyEncodingForURI="false"/>

1 answer

0 votes
Daniel Eads
Atlassian Team
August 23, 2019

Hey there, thanks for including all this helpful information!

Our spam filter tagged your message because of the code blocks unfortunately, and it wound up in quarantine for a bit. Were you able to solve the issue already?

If not, I notice from your configuration that you're serving HTTPS at Confluence directly (via the Tomcat application server) in addition to serving HTTPS from nginx. If nginx and Confluence are on the same VM, you might consider serving the requests between nginx <-> Confluence over HTTP. This will cut out some of the additional complication (and likely the error you're seeing) as well as marginally speeding up requests.

In addition, it's worth checking your configured base URL in Confluence itself (instructions here if you're not sure where that's at) to ensure the base URL starts with https instead of just http. That's a common cause of the healthcheck failing!

Cheers,
Daniel

mkilinski August 28, 2019

Problem is solved. I don't know why, but even with the Java Key Store with my SSL keys added in the server.xml file, the JIRA and Confluence apps use the default key store, cacerts. When I added my certs to this default JKS, everything works fine.
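
The fix described in the last post, as an added example that is not part of the thread: the Connector's `keystoreFile` only supplies the certificate Tomcat presents to inbound clients, while the JVM's own outbound HTTPS requests are validated against its trust store (`cacerts` unless `-Djavax.net.ssl.trustStore` is set, as it was in the SSLPoke test). The functions below export the certificate from a Connector keystore and import it into a trust store with `keytool`; every store, alias and password is a constructed stand-in.

```shell
#!/usr/bin/env bash
# Added example: all stores, aliases and passwords are constructed throwaway values.

# Create keystore $1 (password $2) holding a self-signed key pair under alias $3.
new_selfsigned() {
    keytool -genkeypair -alias "$3" -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=$3" -keystore "$1" -storepass "$2" -keypass "$2" >/dev/null 2>&1
}

# Succeed if alias $3 is present in keystore $1 (password $2).
alias_in_store() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Export only the certificate under alias $3 of keystore $1 to PEM file $4.
export_cert() {
    keytool -exportcert -rfc -keystore "$1" -storepass "$2" \
        -alias "$3" -file "$4" >/dev/null 2>&1
}

# Import certificate file $3 into trust store $1 under alias $4.
# Idempotent: returns 0 without changes if the alias is already there.
trust_cert() {
    alias_in_store "$1" "$2" "$4" && return 0
    keytool -importcert -noprompt -keystore "$1" -storepass "$2" \
        -file "$3" -alias "$4" >/dev/null 2>&1
}

# Print whether trust store $1 (password $2) holds alias $3, prefixed by label $4.
report() {
    if alias_in_store "$1" "$2" "$3"; then echo "$4: trusted"; else echo "$4: not trusted"; fi
}

demo() {
    local dir pass=changeit host=jira.example.test trust
    dir=$(mktemp -d) || return 1
    trust="$dir/cacerts-copy"   # stand-in for the JVM default trust store
    new_selfsigned "$dir/connector.jks" "$pass" "$host" || return 1   # stand-in Connector keystore
    new_selfsigned "$dir/other.jks" "$pass" other-ca || return 1      # unrelated, already trusted
    export_cert "$dir/connector.jks" "$pass" "$host" "$dir/server.pem" || return 1
    export_cert "$dir/other.jks" "$pass" other-ca "$dir/other.pem" || return 1
    trust_cert "$trust" "$pass" "$dir/other.pem" other-ca || return 1
    report "$trust" "$pass" "$host" before
    trust_cert "$trust" "$pass" "$dir/server.pem" "$host" || return 1
    report "$trust" "$pass" "$host" after
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Against a real installation the target store would be the `lib/security/cacerts` file of the JRE that runs Jira, which is an assumption here based on the `/opt/atlassian/jira/jre` path in the question; back that file up before importing into it.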
