How can I resolve a ManifestNotFoundException trying to setup Application Links

I am currently getting a ManifestNotFoundException when I attempt to create an Application Link between JIRA and Confluence:

 

2015-10-12 14:58:30,011 http-bio-8080-exec-22 ERROR jiralocaladmin 898x343x1 zcyxmz 10.212.134.1,0:0:0:0:0:0:0:1 /rest/applinks/2.0/applicationlinkForm/manifest.json [core.rest.ui.CreateApplica
tionLinkUIResource] ManifestNotFoundException thrown while retrieving manifest
com.atlassian.applinks.spi.manifest.ManifestNotFoundException: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

 

I have tried suggestions on the following linked pages with no luck:

The first link suggests that I can circumvent the inner SSLHandshakeException by adding "-Dhttps.protocols=TLSv1.1,TLSv1.2" to my java arguments.  I accomplished this by adding the arguments to my "JVM_SUPPORT_RECOMMENDED_ARGS" variable in the JIRA_INSTALLATION/bin/setenv.sh script.  

After I do this, the inner exception changes from an SSLHandshakeException to a ValidatorException:

 

2015-10-12 14:36:34,622 http-bio-8080-exec-20 ERROR jiralocaladmin 876x97x1 1fxu6if 10.212.134.1,0:0:0:0:0:0:0:1 /rest/applinks/2.0/applicationlinkForm/manifest.json [core.rest.ui.CreateApplica
tionLinkUIResource] ManifestNotFoundException thrown while retrieving manifest
com.atlassian.applinks.spi.manifest.ManifestNotFoundException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.c
ertpath.SunCertPathBuilderException: unable to find valid certification path to requested target

 

I have tried almost everything under the sun to fix this, but am having no luck!  The SSLPoke class suggested in the second link comes back with the following message:

Successfully connected

NOTE:  I am running Confluence (5.6.1) and JIRA (6.3.6) with Java 1.8.0_u60 on the same server under Apache / SSL on RHEL 6.

Any thoughts or suggestions would be GREATLY appreciated!  Lost 5+ hours to this today.

2 answers

0 vote
David Currie Atlassian Team Oct 12, 2015

The "No appropriate protocol (protocol is disabled or cipher suites are inappropriate)" error means that the version of Java you're trying to connect with to the target endpoint is not supported by the protocol / cipher's that are available. 

When you edited the protocols, this went from a ManifestNotFoundException to SunCertPathBuilderException, as the protocols were then supported, however the certificate then sounds like it wasn't in the trust store of the Java version being used. For Java to connect to something encrypted it needs to know it's running a trusted certificate.

Are you using self-signed or publicly signed CA certs? You can get a CA signed cert for $5 a year from certain sites and this is much more secure than a self-signed certificate, and is also means you don't need to go messing around with the trust store to get things working (specifically importing certificates into cacerts).

If SSLPoke is working but Java is not, it's likely that you may be using a different version of Java to test SSLPoke that is used to run JIRA - you can verify this by checking the java.home in the System Properties in JIRA, and compare that to the path of Java running SSLPoke.

I'd suggest checking that the certificate exists in the Java trust store of JIRA, and that you're using the same version to test SSLPoke as JIRA is running. Also after importing a cert you need to restart JIRA as the trust store is cached in memory.

Thanks for your response David!

I am using Cert that has been signed by a Corporate CA.  This will not be a publicly accessible site, so no Publicly Signed Cert, sorry.

I verified that SSLPoke is being executed by the same java as what was listed in JIRA's System Information -> java.home property:

JDK_HOME/jre/

I verified that the cert is installed in the same Java keystore:

JDK_HOME/jre/bin/keytool -list -v -alias jira -keystore ../lib/security/cacerts

I restarted JIRA after importing.  Any other thoughts?

David Currie Atlassian Team Oct 12, 2015

Have you got an outbound HTTPS proxy that's being used in JIRA? It could potentially be doing something with certificates that's causing problems - you could bypass it with the nonProxyHosts. Or better yet, created an unproxied applink (ie bypass SSL completely, this is OK for internal networks) as per https://confluence.atlassian.com/display/KB/How+to+create+an+unproxied+Application+Link

Suggest an answer

Log in or Join to answer
Community showcase
Emilee Spencer
Published yesterday in Marketplace Apps

Marketplace Spotlight: DeepAffects

Hello Atlassian Community! My name is Emilee, and I’m a Product Marketing Manager for the Marketplace team. Starting with this post, I'm kicking off a monthly series of Spotlights to highlight Ma...

30 views 0 3
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot