What exactly needed in SSL for JIRA

What it is necessary to write to the field SSL for JIRA?



All information in openssl pkcs12 -info -in <name>.pfx ? 


2 answers

2 votes
Sam Hall Community Champion Jan 17, 2017

Hi Viktar,

Just to check: you're using the SSL for JIRA add-on, to get JIRA to connect to an external server over SSL, right?

If so, I think you must enter the URL for the host/server you want JIRA to connect to, as mentioned in the wiki here: https://bitbucket.org/jlargman/jira-ssl-plugin/wiki/Home


Sam Hall Community Champion Jan 17, 2017

Sorry, didn't see @Nic Brough [Adaptavist]'s answer before posting. But I think we are saying the same thing.

Sam Hall Community Champion Jan 18, 2017

Sorry Viktar, I don't know if that error is because you still need to copy the certs (as per next steps) and restart. Did you try that?

Beyond that all I can suggest is either:

  • Have a look at the issue tracker for the plugin: https://bitbucket.org/jlargman/jira-ssl-plugin/issues and maybe raise an issue there.
  • Raise a new question to the community here on Altassian Answers to see if anyone has seen this error before. I'd say you are more likely to get an answer to a new, clear, question about that specific handshake error issue rather than just attaching a screen shot in this thread.
  • You could try the 'diagnosis' and 'resolution' steps mentioned here.
  • Look in your log files and see if there is more detailed error message there, and search Atlassian's JIRA knowledge base for help: https://confluence.atlassian.com/jirakb

That's all I know. Hope it helps a bit.

@@Nic Brough [Adaptavist] : would you be kind enough to suggest anything else or point out if I missed anything obvious. Any guidance/tips much appreciated. Thanks, Sam

Ok, my thoughts are wrapped up in limited SSL knowledge, but I'll give it a shot. 

When you try to reach an SSL secured website, there's an exchange of security data between the client and the server to enable them to encrypt the connection and secure it from others. Part of this is a list of "trusted authorities" who can be consulted to check that you trust the certificates being used.

When a client (browser, or JIRA process for example) hits a web-site with SSL, it asks for authority information and checks it against its built-in list of authorities.  When a browser hits a web-site, it checks certificates and authorities and can add trusted certificates into the built-in list automatically, after prompting the user.  JIRA however, does not do that, it just fails because it can't ask a user for permission.

The SSL add-on for JIRA is a simple way to update the certificate list.  It visits the site, pulls the certificate/authority stuff it needs and adds it into a new version of the certificate file.  You then replace the old cert file with it and restart.

In this case though, it looks like the website being hit by Viktar has different security, and a simple certificate exchange is not enough.  I suspect it's further protected by other certificates (probably personal ones).  So when the SSL addon asks it for the certs it needs, it's not even getting that far - the site is saying "I won't talk to you at all without the initial certificate".  If it is what I think it is, you'd need to get that initial certificate and add it to the java keystore first.

I think the next steps are:

  1. Look at the log file to see what the full error behind the red box is
  2. Go to the site in a browser and see what happens - does it ask for certificates, or throw errors?
  3. If it lets you straight in, then click on the padlock in the browser to see what certificates and authorities it is using

@Sam Hall

# keytool -import -file 20170117_jira5.pfx -alias mydomen.net -keystore /opt/atlassian/jira/jre/lib/security

keytool error: java.lang.Exception: Input not an X.509 certificate

# keytool -import -trustcacerts -alias mydomen.net -file 20170117_jira5.pfx -keystore /opt/atlassian/jira/jre/lib/security

keytool error: java.lang.Exception: Input not an X.509 certificate


What s wrong?

The pfx you are giving it is not in a valid format, or isn't a certificate

0 votes

As the help says, you enter the ssl-protected site(s) you want to connect to.

Not sure why you've quoted a LDAP string at us or are looking at the content of user certificates

How convert *.pfx in cacerts (JAVA Trust Store)

To what?  They don't go in that import field

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted 9 hours ago in Statuspage

How do your teams prepare for really high (planned) traffic days like Cyber Monday?

Hi there! Shannon from Statuspage here.  👋  With Cyber Monday quickly approaching, we're looking to hear from Atlassian customers – specifically from teams who touch incident response li...

31 views 0 4
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you