
What exactly is needed in SSL for JIRA

What is it necessary to write in the SSL for JIRA field?


All information in openssl pkcs12 -info -in <name>.pfx ? 
Or
subject=/C=BY/O=name/OU=dept0/CN=URI/emailAddress=name
issuer=/DC=by/DC=minsk/DC=name/CN=name

WHAT WHAT? 

2 answers

Hi Viktar,

Just to check: you're using the SSL for JIRA add-on, to get JIRA to connect to an external server over SSL, right?

If so, I think you must enter the URL for the host/server you want JIRA to connect to, as mentioned in the wiki here: https://bitbucket.org/jlargman/jira-ssl-plugin/wiki/Home

Sam

Sorry, didn't see @Nic Brough [Adaptavist]'s answer before posting. But I think we are saying the same thing.

Sorry Viktar, I don't know if that error is because you still need to copy the certs (as per next steps) and restart. Did you try that?

Beyond that all I can suggest is either:

  • Have a look at the issue tracker for the plugin: https://bitbucket.org/jlargman/jira-ssl-plugin/issues and maybe raise an issue there.
  • Raise a new question to the community here on Atlassian Answers to see if anyone has seen this error before. I'd say you are more likely to get an answer to a new, clear question about that specific handshake error issue rather than just attaching a screenshot in this thread.
  • You could try the 'diagnosis' and 'resolution' steps mentioned here.
  • Look in your log files and see if there is more detailed error message there, and search Atlassian's JIRA knowledge base for help: https://confluence.atlassian.com/jirakb

That's all I know. Hope it helps a bit.

@Nic Brough [Adaptavist]: would you be kind enough to suggest anything else or point out if I missed anything obvious? Any guidance/tips much appreciated. Thanks, Sam

Nic Brough Community Leader Jan 18, 2017

Ok, my thoughts are wrapped up in limited SSL knowledge, but I'll give it a shot. 

When you try to reach an SSL secured website, there's an exchange of security data between the client and the server to enable them to encrypt the connection and secure it from others. Part of this is a list of "trusted authorities" who can be consulted to check that you trust the certificates being used.

When a client (browser, or JIRA process for example) hits a web-site with SSL, it asks for authority information and checks it against its built-in list of authorities. When a browser hits a web-site, it checks certificates and authorities and can add trusted certificates into the built-in list automatically, after prompting the user. JIRA, however, does not do that; it just fails because it can't ask a user for permission.

The SSL add-on for JIRA is a simple way to update the certificate list.  It visits the site, pulls the certificate/authority stuff it needs and adds it into a new version of the certificate file.  You then replace the old cert file with it and restart.

In this case though, it looks like the website being hit by Viktar has different security, and a simple certificate exchange is not enough.  I suspect it's further protected by other certificates (probably personal ones).  So when the SSL addon asks it for the certs it needs, it's not even getting that far - the site is saying "I won't talk to you at all without the initial certificate".  If it is what I think it is, you'd need to get that initial certificate and add it to the java keystore first.

I think the next steps are:

  1. Look at the log file to see what the full error behind the red box is
  2. Go to the site in a browser and see what happens - does it ask for certificates, or throw errors?
  3. If it lets you straight in, then click on the padlock in the browser to see what certificates and authorities it is using

@Sam Hall

# keytool -import -file 20170117_jira5.pfx -alias mydomen.net -keystore /opt/atlassian/jira/jre/lib/security

keytool error: java.lang.Exception: Input not an X.509 certificate

# keytool -import -trustcacerts -alias mydomen.net -file 20170117_jira5.pfx -keystore /opt/atlassian/jira/jre/lib/security

keytool error: java.lang.Exception: Input not an X.509 certificate

 

What's wrong?

Nic Brough Community Leader Jan 18, 2017

The pfx you are giving it is not in a valid format, or isn't a certificate
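
Added example (not part of the original thread or the add-on's code): a Python check of which container format a file is, based on its leading DER fields, which is the distinction behind keytool's "Input not an X.509 certificate" error above. The sample byte strings are constructed headers, not real certificates, and the check is a heuristic on the first bytes rather than a full ASN.1 parse.

```python
import base64

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"

def _read_tlv_header(buf, pos):
    """Return (tag, content_start, content_length) for the DER element at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, pos + 2, first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return tag, pos + 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def classify(data):
    """Classify bytes as 'x509-pem', 'x509-der', 'pkcs12' or 'unknown'."""
    if PEM_BEGIN in data:
        body = data.split(PEM_BEGIN, 1)[1].split(PEM_END, 1)[0]
        try:
            inner = classify(base64.b64decode(b"".join(body.split())))
        except ValueError:                # bad base64 padding or alphabet
            return "unknown"
        return "x509-pem" if inner == "x509-der" else "unknown"
    try:
        tag, start, _ = _read_tlv_header(data, 0)
        if tag != 0x30:                   # both formats open with a SEQUENCE
            return "unknown"
        inner_tag, inner_start, inner_len = _read_tlv_header(data, start)
    except (IndexError, ValueError):      # truncated or malformed header
        return "unknown"
    if inner_tag == 0x30:                 # Certificate: first field is tbsCertificate
        return "x509-der"
    if inner_tag == 0x02 and data[inner_start:inner_start + inner_len] == b"\x03":
        return "pkcs12"                   # PFX: first field is INTEGER version 3
    return "unknown"

# Constructed header bytes for illustration only (not real key material).
SAMPLE_PFX = bytes.fromhex("3082090002010330")       # SEQUENCE { INTEGER 3, ...
SAMPLE_CERT_DER = bytes.fromhex("3082030030820200")  # SEQUENCE { SEQUENCE ...
SAMPLE_PEM = PEM_BEGIN + b"\n" + base64.b64encode(SAMPLE_CERT_DER) + b"\n" + PEM_END + b"\n"

if __name__ == "__main__":
    for name, blob in [("pfx", SAMPLE_PFX), ("der", SAMPLE_CERT_DER), ("pem", SAMPLE_PEM)]:
        print(name, "->", classify(blob))
```

`keytool -import` accepts only the X.509 cases; a PKCS#12 file is read with `keytool -importkeystore -srcstoretype PKCS12`, or its certificates are first extracted with `openssl pkcs12 -in <name>.pfx -nokeys`.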

0 votes
Nic Brough Community Leader Jan 17, 2017

As the help says, you enter the ssl-protected site(s) you want to connect to.

Not sure why you've quoted a LDAP string at us or are looking at the content of user certificates

How do I convert *.pfx into cacerts (Java Trust Store)?

Nic Brough Community Leader Jan 17, 2017

To what?  They don't go in that import field
