Can't start Jira Server (non SQL) after changing SSL-cert

Oleg Ponomarev April 5, 2021

Hello Team.
Recently I updated SSL certs for NGINX (Debian that hosts the reverse proxy and Jira) by replacing the orig cert file contents with a newly generated cert.
Nginx started proreply and even shows me the correct SSL in the browser.

But Jira server doesn't start and it's errors are not informative at all (just Exit Code1). More over. attalassian-jira-log's last line is stuck on days ago state and new errors are never being added from the moment Jira failed. OS service logs etc are not useful too here(

I found the only changing and a possible reason to be SSL cert, so investigated further and found the information about JKS containers. So tried both to add a newly generated cert to a container and to make this container trusted/default. Also tried to re-generate CSR from a newly generated JKS container. Everything ran smoothly but didn't help.

So I asked a question about SSL here and the community offered me to start Jira with no SSL or no proxy. I tried both to change server.xml to work via a default or HTTP proxy connector - the same result, no logs.

A problem is that we don't have backups of Jira due to migration and changing he hypervisor so I need to either make it work ir just somehow export it's db without a webgui. The db is 100% sure should be fine as there was no corruption or any other issues on the machine expecting SSL cert renewal and chaging the contecnt of the old cert file.

Here is how server.xml looks like now It only includes connectors I tried one by one, Before things went wrong, it was TLS proxy, after the issue appeared I tried 2 others.

Please help me do understand how to make it work again or just to export all isues so I can then import them to another Jira Intance, Jira Cloud or just a file)

<?xml version="1.0" encoding="utf-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>

<Service name="Catalina">
<!--
==============================================================================================================
DEFAULT - Direct connector with no proxy for unproxied access to Jira.

If using a http/https proxy, comment out this connector.
==============================================================================================================
-->

<!-- Relaxing chars because of JRASERVER-67974 -->
<
<Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
acceptCount="100" disableUploadTimeout="true" bindOnInit="false"/>
-->
<!--
==============================================================================================================
HTTP - Proxying Jira via Apache or Nginx over HTTP

If you're proxying traffic to Jira over HTTP, uncomment the below connector and comment out the others.
Ensure the proxyName and proxyPort are updated with the appropriate information if necessary as per the docs.

See the following for more information:

Apache - https://confluence.atlassian.com/x/4xQLM
nginx - https://confluence.atlassian.com/x/DAFmGQ

==============================================================================================================
-->

<!--
<Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
acceptCount="100" disableUploadTimeout="true" bindOnInit="false" scheme="http"
proxyName="support.example.com" proxyPort="443"/>

-->
<!--
==============================================================================================================
HTTPS - Proxying Jira via Apache or Nginx over HTTPS

If you're proxying traffic to Jira over HTTPS, uncomment the below connector and comment out the others.
Ensure the proxyName and proxyPort are updated with the appropriate information if necessary as per the docs.

See the following for more information:

Apache - https://confluence.atlassian.com/x/PTT3MQ
nginx - https://confluence.atlassian.com/x/DAFmGQ
==============================================================================================================
-->

<!--
<Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
acceptCount="100" disableUploadTimeout="true" bindOnInit="false" secure="true" scheme="https"
proxyName="support.example.com" proxyPort="443"/>

1 answer

0 votes
Kurt Klinner
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
April 5, 2021

@Oleg Ponomarev 

 

Hi Oleg

 

welcome to the Atlassian community.

The server.xml snippet you shared has some issues (it that is not a copy and paste error)

 

<!-- Relaxing chars because of JRASERVER-67974 -->
<
<Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x

should be

<!-- Relaxing chars because of JRASERVER-67974 -->
<Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x

 

I would suggest to do the ssl termination on the nginx and have http traffic between nginx and the jira instance.

 

Did you check the catalina.out file for errors?

cheers

 

Kurt

Oleg Ponomarev April 6, 2021

@Kurt Klinner Thanks for the response.

catalina.out doesnt show latest period logs, its being finished long time ago with no explicit problems

Regarding the config.
Checked it.

SSL termination works in Nginx now, but previously Jira was set to use HTTPS proxy connector. Now I tried both the default and HTTP proxy connectos. The same thing: failing with no normal logs.

Below is the setup for the latest connector I tried. I also tried to replace the orignal config with an new exanple one and to resetup it. The same problem.


Now the question is if it's possible to export Jira (Tomcat) issues when Jira is down.

<!--
==============================================================================================================
HTTP - Proxying Jira via Apache or Nginx over HTTP

If you're proxying traffic to Jira over HTTP, uncomment the below connector and comment out the others.
Ensure the proxyName and proxyPort are updated with the appropriate information if necessary as per the docs.

See the following for more information:

Apache - https://confluence.atlassian.com/x/4xQLM
nginx - https://confluence.atlassian.com/x/DAFmGQ
==============================================================================================================
-->

<
<Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
acceptCount="100" disableUploadTimeout="true" bindOnInit="false" scheme="http"
proxyName="support.example.com" proxyPort="443"/>

Kurt Klinner
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
April 16, 2021

@Oleg Ponomarev 

 

Hi Oleg

to thinks theme wrong to me in the shared snippet

<
<Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|

should be only

<Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|

and the scheme should be set to https

Cheers

Kurt

Suggest an answer

Log in or Sign up to answer
DEPLOYMENT TYPE
SERVER
TAGS
AUG Leaders

Atlassian Community Events