Not able to run Jira in HTTPS

Hi Team,

We are trying to run our Jira Stage server (Test Server) on HTTPS for the first time and we are failing in it by getting:

This site can’t be reached

This is what I am getting in the Catalina.out log file:

Jan 10, 2017 6:26:51 AM org.apache.coyote.AbstractProtocol start

INFO: Starting ProtocolHandler ["http-bio-8090"]

Jan 10, 2017 6:26:51 AM org.apache.coyote.AbstractProtocol start

INFO: Starting ProtocolHandler ["http-bio-8443"]

Jan 10, 2017 6:26:51 AM org.apache.catalina.startup.Catalina start

INFO: Server startup in 70660 ms

log4j:WARN No appenders could be found for logger (com.amazonaws.jmx.spi.SdkMBeanRegistry).

log4j:WARN Please initialize the log4j system properly.

log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.

2017-01-10 06:27:07,069 atlassian-scheduler-quartz1.clustered_Worker-4 WARN      [service.scheduler.jobs.PurgeHistoryJob] JEMH is configured to NEVER purge auditing data.  This *will* consume all your local disk storage at a rate dependant on the mail volume you receive, consider a value that is appropriate for your volume, use your mailserver to forward archive copies of mail, dont clog JIRA up!

We have configured our server.xml as required with valid key in jks format and set the password as well.

Could you please help us in fixing this issue as we are planning to implement the same in production as well ASAP.

vhost config:

NameVirtualHost *:80


<VirtualHost *:80>
ServerName jira.stage.deloittecyber.net
ProxyRequests Off
ProxyPreserveHost On

<ProxyMatch http://jira.stage.deloittecyber.net>
Order deny,allow
Allow from all
</ProxyMatch>
ProxyPass / http://blvmts2l07.snetbl.com:8090/
ProxyPassReverse / http://blvmts2l07.snetbl.com:8090/
</VirtualHost>

<VirtualHost *:80>
ServerName jira.mts.stage.deloittecyber.net

ProxyRequests Off
ProxyPreserveHost On
<ProxyMatch http://jira.mts.stage.deloittecyber.net>
Order deny,allow
Allow from all
</ProxyMatch>
ProxyPass / http://blvmts2l08.snetbl.com:8080/
ProxyPassReverse / http://blvmts2l08.snetbl.com:8080/
</VirtualHost>

server.xml config:

<Service name="Catalina">

<Connector port="8090" acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="200" minSpareThreads="25" protocol="HTTP/1.1" redirectPort="8443" useBodyEncodingForURI="true"/>


<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
keyAlias="jira" keystoreFile="/opt/atlassian/apps/jira/jira.jks" keystorePass="changeit" keystoreType="JKS"/>

Please let me know if I am doing anything wrong.

Nikhil Kumar

 

3 answers

1 accepted

I would warmly recommend that you terminate the SSL at Apache, simply run only HTTP on the application server, and forward the SSL/NON-SSL to internal NON-SSL like this:

<VirtualHost *:80>
    ServerName jira.our.fqdn.goes.here
    ServerAlias jira jira.our.external.domain.com
    <Directory />
    AllowOverride None
    Order allow,deny
    allow from all
    </Directory>
    RewriteEngine On
    RewriteRule ^/(.*)$ https://jira.our.fqdn.goes.here%{REQUEST_URI} [R,L]
    ProxyPass / http://jira.our.fqdn.goes.here:8081/
    ProxyPassReverse / http://jira.our.fqdn.goes.here:8081/
</VirtualHost>
<VirtualHost *:443>
    ServerName jira.our.fqdn.goes.here
    ServerAlias jira jira.our.external.domain.com
    SSLProxyEngine on
    RewriteEngine On
    RewriteCond %{HTTP_HOST} !^jira\.our\.fqdn\.goes\.here [NC]
    RewriteRule ^/(.*)$ https://jira.our.fqdn.goes.here%{REQUEST_URI} [R,L]
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://jira.our.fqdn.goes.here:8081/
    ProxyPassReverse / http://jira.our.fqdn.goes.here:8081/
    ErrorLog /var/log/httpd/jira_ssl_error_log
    MaxKeepAliveRequests 500
    KeepAlive On
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /root/shared.cer
    SSLCertificateKeyFile /root/shared.key
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
</VirtualHost>

 

The reason you see a shared key is that we use alt_name configured SSL certs, allowing several Tomcat applications to be hosted on the same server.

In server.xml you would only have one http port, 8081 in this case.
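
The SSLCipherSuite value in the answer above starts from ALL, and in OpenSSL cipher-string syntax a "+" prefix only reorders suites, so its trailing +LOW:+SSLv2:+EXP tokens remove nothing. The Python check below is an added example, not part of the original answer; it is a keyword-level approximation of those rules (the WEAK set, the STRICT string and the function name are choices made here), and running openssl ciphers -v with the same string on the server lists the exact suites for the installed build.

```python
import re

# OpenSSL cipher-string class keywords that select weak suites.
WEAK = {"LOW", "EXP", "EXPORT40", "EXPORT56", "RC4",
        "aNULL", "ADH", "eNULL", "SSLv2"}
ALIAS = {"EXPORT": "EXP", "NULL": "eNULL"}
# Adding or removing a broad keyword also covers these narrower ones.
NARROWER = {"EXP": {"EXPORT40", "EXPORT56"}, "aNULL": {"ADH"}}


def weak_classes_enabled(cipher_string):
    """Return the weak class keywords a cipher string leaves enabled."""
    enabled, killed = set(), set()
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token:
            continue
        op = token[0] if token[0] in "!-+" else ""
        parts = [ALIAS.get(p, p) for p in token[len(op):].split("+")]
        if op == "+":
            continue  # '+' only moves suites to the end of the list
        if op:  # '!' removes permanently, '-' removes until re-added
            if len(parts) == 1:  # compound removals only trim an intersection
                gone = {parts[0]} | NARROWER.get(parts[0], set())
                enabled -= gone
                if op == "!":
                    killed |= gone
            continue
        if parts == ["ALL"]:
            added = WEAK - {"eNULL"}  # ALL never includes the eNULL suites
        else:
            added = {p for p in parts if p in WEAK}
            for p in list(added):
                added |= NARROWER.get(p, set())
        enabled |= added - killed
    return sorted(enabled)


# The value from the answer's <VirtualHost *:443> block.
POSTED = ("ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW"
          ":+SSLv2:+EXP:+eNULL")
# A stricter value chosen here for comparison (an assumption, not from the page).
STRICT = "HIGH:!aNULL:!eNULL:!EXP:!LOW:!RC4:!SSLv2"

if __name__ == "__main__":
    print("posted:", weak_classes_enabled(POSTED))
    print("strict:", weak_classes_enabled(STRICT))
```

The check is conservative: a broad keyword such as EXP stays flagged until it is removed by name, even if each narrower keyword has been removed separately.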

Hi,

 

After making the change, when I try restarting the Apache server I am getting the below error:

[root@blvmts2l06 conf.d]# service httpd start

Redirecting to /bin/systemctl start httpd.service
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

This is my configuration, please suggest if there are any mistakes:

NameVirtualHost *:80

<VirtualHost *:80>
ServerName jira.stage.deloittecyber.net
ServerAlias jira blvmts2l07.snetbl.com
<Directory/>
AllowOverride None
Order allow,deny
allow from all
</Directory>
RewriteEngine On
RewriteRule ^/(.*)$ https://jira.stage.deloittecyber.net%{REQUEST_URI} [R,L]
ProxyRequests Off
ProxyPreserveHost On
<ProxyMatch http://jira.stage.deloittecyber.net>
Order deny,allow
Allow from all
</ProxyMatch>
ProxyPass / http://blvmts2l07.snetbl.com:8090/
ProxyPassReverse / http://blvmts2l07.snetbl.com:8090/
</VirtualHost>


<VirtualHost *:443>
ServerName jira.stage.deloittecyber.net
ServerAlias jira blvmts2l07.snetbl.com
SSLProxyEngine On
RewriteEngine On
RewriteCond %{HTTP_HOST} !^jira.stage.deloittecyber.net [NC]
RewriteRule ^/(.*)$ https://jira.stage.deloittecyber.net%{REQUEST_URI} [R,L]
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://blvmts2l07.snetbl.com:8090/
ProxyPassReverse / http://blvmts2l07.snetbl.com:8090/
MaxKeepAliveRequests 500
KeepAlive On
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/ssl/certs/jira_ssl.crt
SSLCertificateKeyFile /etc/ssl/certs/jira_ssl.key
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off

<VirtualHost *:80>
ServerName jira.mts.stage.deloittecyber.net

ProxyRequests Off
ProxyPreserveHost On
<ProxyMatch http://jira.mts.stage.deloittecyber.net>
Order deny,allow
Allow from all
</ProxyMatch>
ProxyPass / http://blvmts2l08.snetbl.com:8080/
ProxyPassReverse / http://blvmts2l08.snetbl.com:8080/
</VirtualHost>

PS: Apache and JIRA are on different servers so I feel like redirection is not happening. I tried with port 8090 as per our configuration. Are there any changes I have to make in server.xml?

Regards,

Nikhil

Hello Jonas,

Kindly help us in setting up HTTPS over a Webex or a call as it is very critical now. We are planning for an upgrade next month and we are running out of time.

Nikhil

Hi,

I am getting this error in error_log:

[Wed Jan 25 06:49:40.735436 2017] [suexec:notice] [pid 11229] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Jan 25 06:49:40.736348 2017] [ssl:warn] [pid 11229] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Jan 25 06:49:40.749484 2017] [so:warn] [pid 11229] AH01574: module ssl_module is already loaded, skipping
[Wed Jan 25 06:49:40.750297 2017] [so:warn] [pid 11229] AH01574: module proxy_module is already loaded, skipping
[Wed Jan 25 06:49:40.750372 2017] [so:warn] [pid 11229] AH01574: module proxy_connect_module is already loaded, skipping
[Wed Jan 25 06:49:40.750388 2017] [so:warn] [pid 11229] AH01574: module proxy_http_module is already loaded, skipping
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
[Wed Jan 25 06:49:40.752510 2017] [mpm_prefork:alert] [pid 11229] no listening sockets available, shutting down
[Wed Jan 25 06:49:40.752515 2017] [:emerg] [pid 11229] AH00019: Unable to open logs, exiting

 

When I did netstat, there was nothing running on port 443. Can you please tell me if anything else is the reason?

 

Nikhil
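
Two startup failures from the comments above can be checked for mechanically: the posted configuration contains <Directory/> with no space before its argument and a <VirtualHost *:443> block with no closing tag, and Apache's documentation for Listen states that repeating the same address and port produces an "Address already in use" error. The Python lint below is an added example, not code from the thread; SAMPLE is abridged from the posted configuration, its two Listen lines are constructed (the thread does not show them), and the function name is a choice made here.

```python
import re

OPEN = re.compile(r"^<([A-Za-z]+)(.*)>$")
CLOSE = re.compile(r"^</([A-Za-z]+)>$")
LISTEN = re.compile(r"^Listen\s+(\S+)", re.I)


def lint(conf):
    """Return sorted (line_no, message) findings for Apache config text."""
    findings, stack, listens = [], [], {}
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if m := CLOSE.match(line):
            if stack and stack[-1][0].lower() == m.group(1).lower():
                stack.pop()
            else:
                findings.append((n, f"</{m.group(1)}> closes nothing"))
        elif m := OPEN.match(line):
            name, arg = m.groups()
            if arg and not arg[0].isspace():
                findings.append((n, f"no space after <{name}"))
            stack.append((name, n))
        elif m := LISTEN.match(line):
            addr = m.group(1)  # compared as text, so 443 and *:443 differ
            if addr in listens:
                findings.append((n, f"Listen {addr} repeats line {listens[addr]}"))
            else:
                listens[addr] = n
    findings += [(n, f"<{name}> is never closed") for name, n in stack]
    return sorted(findings)


# Abridged from the posted vhost file; the Listen lines are constructed and
# stand for the same directive being read from two included files.
SAMPLE = """\
Listen 443
<VirtualHost *:80>
<Directory/>
AllowOverride None
</Directory>
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
<VirtualHost *:80>
ServerName jira.mts.stage.deloittecyber.net
</VirtualHost>
Listen 443
"""

if __name__ == "__main__":
    for line_no, message in lint(SAMPLE):
        print(f"line {line_no}: {message}")
```

Pass it the main configuration file concatenated with every included file, since a repeated Listen usually sits in a different file from the first one. On the server itself, apachectl configtest reports the first syntax error with its file and line number.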
