Sorry, didn't see @Nic Brough [Adaptavist]'s answer before posting. But I think we are saying the same thing.

12.png

Sorry Viktar, I don't know if that error is because you still need to copy the certs (as per next steps) and restart. Did you try that?

Beyond that all I can suggest is either:

• Have a look at the issue tracker for the plugin: https://bitbucket.org/jlargman/jira-ssl-plugin/issues and maybe raise an issue there.
• Raise a new question to the community here on Altassian Answers to see if anyone has seen this error before. I'd say you are more likely to get an answer to a new, clear, question about that specific handshake error issue rather than just attaching a screen shot in this thread.
• You could try the 'diagnosis' and 'resolution' steps mentioned here.
• Look in your log files and see if there is more detailed error message there, and search Atlassian's JIRA knowledge base for help: https://confluence.atlassian.com/jirakb

That's all I know. Hope it helps a bit.

@@Nic Brough [Adaptavist] : would you be kind enough to suggest anything else or point out if I missed anything obvious. Any guidance/tips much appreciated. Thanks, Sam

Ok, my thoughts are wrapped up in limited SSL knowledge, but I'll give it a shot. 

When you try to reach an SSL secured website, there's an exchange of security data between the client and the server to enable them to encrypt the connection and secure it from others. Part of this is a list of "trusted authorities" who can be consulted to check that you trust the certificates being used.

When a client (browser, or JIRA process for example) hits a web-site with SSL, it asks for authority information and checks it against its built-in list of authorities.  When a browser hits a web-site, it checks certificates and authorities and can add trusted certificates into the built-in list automatically, after prompting the user.  JIRA however, does not do that, it just fails because it can't ask a user for permission.

The SSL add-on for JIRA is a simple way to update the certificate list.  It visits the site, pulls the certificate/authority stuff it needs and adds it into a new version of the certificate file.  You then replace the old cert file with it and restart.

In this case though, it looks like the website being hit by Viktar has different security, and a simple certificate exchange is not enough.  I suspect it's further protected by other certificates (probably personal ones).  So when the SSL addon asks it for the certs it needs, it's not even getting that far - the site is saying "I won't talk to you at all without the initial certificate".  If it is what I think it is, you'd need to get that initial certificate and add it to the java keystore first.

I think the next steps are:

1. Look at the log file to see what the full error behind the red box is
2. Go to the site in a browser and see what happens - does it ask for certificates, or throw errors?
3. If it lets you straight in, then click on the padlock in the browser to see what certificates and authorities it is using

@Sam Hall

# keytool -import -file 20170117_jira5.pfx -alias mydomen.net -keystore /opt/atlassian/jira/jre/lib/security

keytool error: java.lang.Exception: Input not an X.509 certificate

# keytool -import -trustcacerts -alias mydomen.net -file 20170117_jira5.pfx -keystore /opt/atlassian/jira/jre/lib/security

keytool error: java.lang.Exception: Input not an X.509 certificate

What s wrong?

The pfx you are giving it is not in a valid format, or isn't a certificate

How convert *.pfx in cacerts (JAVA Trust Store)

To what?  They don't go in that import field

12.png