Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Problem with SSL and Reverse Proxy on Ubuntu Edited

Hello. I've migrated my Jira Core from Windows Server to Ubuntu 16.04 LTS envoirment. In general, I have a problem with SSL configuration. The gadgets captions are broken and in Instance Health tool there is a typical error:

JIRA is not able to access itself through the configured Base URL. This is necessary so that dashboard gadgets can be generated successfully. Please verify the current Base URL and if necessary, review your network configurations to resolve the problem

According to Confluence support article Health Check: JIRA Base URL and checking the logs, here is a problem:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

But something is wrong. In my server.xml file there is a valid keystoreFile property with password and keyAlias. The SSLPoke test confirms that the jks keystore is ok (using -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword options).

/opt/atlassian/jira/jre/bin/java -Djavax.net.ssl.trustStore=/home/mati/certs/klucz.jks -Djavax.net.ssl.trustStorePassword=somepassword SSLPoke my.address.com 443

Successfully connected

So what can be wrong? Maybe jkm file permissions? I am using Ubuntu 16.04 LTS with Nginx and Reverse Proxy.

Here is a Nginx virtualhost config:

server {

    listen 443 ssl;
    listen [::]:443 ssl;

    server_name my.address.com;

    ssl_certificate /home/mati/certs/key.crt;
    ssl_certificate_key /home/mati/certs/key.rsa;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers   on;

    location / {

        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
        proxy_pass https://localhost:8443/;
        client_max_body_size 10M;
    }
}

And here, connector in server.xml:

<Connector proxyName="my.address.com" proxyPort="443" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;" SSLEnabled="true" sslEnabledProtocols="TLSv1.2,TLSv1.3" acceptCount="100" clientAuth="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keyAlias="my.address.com" keystoreFile="/home/mati/certs/klucz.jks" keystorePass="somepassword" keystoreType="JKS" maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS" useBodyEncodingForURI="false"/>

 

1 answer

0 votes
Daniel Eads Atlassian Team Aug 23, 2019

Hey there, thanks for including all this helpful information!

Our spam filter tagged your message because of the code blocks unfortunately, and it wound up in quarantine for a bit. Were you able to solve the issue already?

If not, I notice from your configuration that you're serving HTTPS at Confluence directly (via the Tomcat application server) in addition to serving HTTPS from nginx. If nginx and Confluence are on the same VM, you might consider serving the requests between nginx <-> Confluence over HTTP. This will cut out some of the additional complication (and likely the error you're seeing) as well as marginally speeding up requests.

In addition, it's worth checking your configured base URL in Confluence itself (instructions here if you're not sure where that's at) to ensure the base URL starts with https instead of just http. That's a common cause of the healthcheck failing!

Cheers,
Daniel

Problem is solved. I don't kno why but even with added Java Key Store with my SSL keys in server.xml file, JIRA and Confluence apps uses a default key store cacerts. When I've added my certs to this default JKS, everything works fine.

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Posted in Jira Core

How to manage many similar workflows?

I have multiple projects that use variations of the same base workflow. The variations depend on the requirements of the project or issue type. The variations mostly come in the form of new statuses ...

3,894 views 11 5
Join discussion

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you