
How can I configure OAuth 2.0 in order to be able to create issues based on received mail in JSD?

When I tried to set OAuth 2.0 as the authentication method in Incoming Mail settings I realized that it's not on the list:

AuthenticationMethod.png

Then I checked the OAuth 2.0 settings:
OAuth20_not_available.png

I'm not using HTTPS at the moment. In the documentation, in Running Jira applications over SSL or HTTPS, it is said: "If you need help with configuring SSL, create a question on the Atlassian community." So, I'd like to know how I can configure HTTPS in order to be able to enable the OAuth 2.0 authentication method.

1 answer

1 vote
Daniel Eads Atlassian Team Sep 30, 2020

Hi @JConstantine ,

Based on some of your other recent posts, I believe you're running Jira on Windows. This means you've got a few options available to you in order to run Jira over HTTPS:

In any case, it's expected that you've got a valid certificate signed by a public certificate authority in order to get HTTPS configured and OAuth working for email. If you don't have one already, you can get one free from Let's Encrypt.

If you have specific troubles after selecting which reverse proxy you're going to use, I'm happy to help!

Cheers,
Daniel

@Daniel Eads Will nginx work for me (I'm using Windows Storage Server 2012R2), or should I use IIS if I have a server OS? Is there an Atlassian guide on configuring Jira Tomcat Server to use a Let's Encrypt certificate on Windows? On the official Let's Encrypt documentation page (Let's Encrypt documentation) the following is written:

To figure out what method will work best for you, you will need to know whether you have shell access (also known as SSH access) to your web host. If you manage your website entirely through a control panel like cPanel, Plesk, or WordPress, there’s a good chance you don’t have shell access. You can ask your hosting provider to be sure.

I installed Jira Software using the Installer. How do I know if I have SSH access to Tomcat server that Jira's working on?

From Let's Encrypt documentation:

To kick off the process, the agent asks the Let’s Encrypt CA what it needs to do in order to prove that it controls example.com. The Let’s Encrypt CA will look at the domain name being requested and issue one or more sets of challenges. These are different ways that the agent can prove control of the domain. For example, the CA might give the agent a choice of either:

  • Provisioning a DNS record under example.com, or
  • Provisioning an HTTP resource under a well-known URI on http://example.com/

I don't really understand how I can complete these challenges, because I've never worked with certificates before. What should I do first: get the certificate or set up the reverse proxy? And where's the connection between those processes? And what about this article: Running Jira applications over SSL or HTTPS?

I'm quite confused, because I'm new to this topic and don't really understand where I should start and what the sequence of required actions is from A to Z - the consistency.

 

 

As I'm not proxying JIRA at the moment the following connector is set up in server.xml file:

FromServerXML.png

There are connectors for proxying Jira via Apache and Nginx and they are commented at the moment. But there's no connector for IIS. According to the documentation I have to put this connector:

ConfigureIISConnector.png

instead of the one that's currently set up in server.xml, right?

What do the following lines from the current configuration mean and do I need to put them into the new connector for IIS?

Relaxing chars because of JRASERVER-67974
relaxedPathChars="[]|" relaxedQueryChars="[]|{}^\`"<>"

use proxyPort="443" and scheme="https" in case the SSL is being terminate at IIS.

What does "in case the SSL is being terminate at IIS" mean?

Daniel Eads Atlassian Team Oct 02, 2020

The choice between IIS and nginx is whichever you're most comfortable with - both will run on Windows Server 2012.

We don't have official documentation on using Let's Encrypt - our documentation starts with the assumption that you've been able to procure a certificate already and are going to use that with your proxy. I would not recommend using Let's Encrypt with serving HTTPS directly from Jira. Let's Encrypt gives you a certificate with a relatively short expiration period - you'll want to have certbot renew this certificate for you. And that's difficult to do when trying to serve HTTPS directly from Tomcat/Jira, because the certificate has to be imported into the Java keystore rather than just sitting as a file on disk.

I'd suggest these actions in this order for you:

  1. Get a web server set up - either IIS or nginx, and serve a simple "Hello world" page over HTTP / port 80 so you know the web server is running. The default web page either of those serve up is fine. While it's not many steps to download and run nginx, it doesn't install itself as a Windows Service so you need to take some additional action to make sure it runs when you reboot. Here's an article for getting that set up after nginx is installed.
  2. Procure a certificate - if you're using Let's Encrypt, set it up so that the certificate automatically renews itself. Don't insert the certificate into Jira - insert it at the proxy. Here's some instructions for doing this on Windows with nginx.
  3. Only after you've completed the above steps, configure Jira to be proxied over HTTPS. Here's the one document to do the https proxy with nginx and Jira.

 

As far as the other questions - I think the above path will bypass a lot of the questions that you have. But I'll try and answer some if that helps give you a better picture:

  • If you're going to use IIS, then yes - you'll need to copy in a new connector as the IIS article mentions. The connectors for Apache / nginx that are already in the file can be uncommented if you're using one of those - which the setup guides for those will have you do
  • The relaxedPathChars prevents some characters that might be in a URL, like "&" from potentially breaking the proxy setup. Whichever guide you follow should specify if you need to do this for whichever proxy you're using.
  • Terminating SSL at IIS (or nginx) means that the proxy is where the certificate is installed, and that's where users' browsers would get the HTTPS connection from. In a simple diagram, you'd have:
    (user's computer)  <--HTTPS-->  (IIS)  <--HTTP-->  (Jira)
    When users interact via https://yourjira.whatever.com - it's IIS or nginx that is serving the site over HTTPS - or "terminating the SSL connection". The traffic between IIS and Jira doesn't use SSL/TLS in this scenario - it's regular unencrypted HTTP.
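
The connector settings discussed above can be checked mechanically. The following is an added example, not part of the original answer or Atlassian's documentation: it inspects the HTTP connector in server.xml for the attributes needed when TLS is terminated at the proxy. It assumes the proxy runs on the same machine as Jira; the hostname jira.example.com and both sample connectors are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed samples: two variants of the HTTP connector in Jira's server.xml.
# jira.example.com is a placeholder hostname.
DIRECT = '''<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" relaxedPathChars="[]|"/>
</Service>'''

PROXIED = '''<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"
             relaxedPathChars="[]|" proxyName="jira.example.com"
             proxyPort="443" scheme="https" secure="true"/>
</Service>'''


def check_connector(server_xml, public_host):
    """Return findings for the first <Connector> when TLS is terminated
    at a reverse proxy (IIS or nginx) in front of Jira."""
    conn = ET.fromstring(server_xml).find(".//Connector")
    if conn is None:
        return ["no <Connector> element found"]
    findings = []
    # Tomcat reports these values to Jira as the request's host, port and
    # scheme, so they must describe the public HTTPS URL, not port 8080.
    expected = {"proxyName": public_host, "proxyPort": "443",
                "scheme": "https", "secure": "true"}
    for attr, want in expected.items():
        got = conn.get(attr)
        if got != want:
            findings.append(f"{attr} is {got!r}, expected {want!r}")
    # The proxy-to-Jira hop is plain HTTP. Without an address attribute
    # Tomcat listens on every interface (assumption: proxy is on this host).
    if conn.get("address") not in ("127.0.0.1", "localhost", "::1"):
        findings.append("connector not bound to loopback; port %s is "
                        "reachable without TLS" % conn.get("port"))
    return findings


if __name__ == "__main__":
    for name, xml in (("direct", DIRECT), ("proxied", PROXIED)):
        print(name, check_connector(xml, "jira.example.com") or "ok")
```
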

@Daniel Eads That article that you mentioned in step 3 is about running Confluence behind nginx and SSL. Don't I need this one instead: Configure Jira server to run behind a NGINX reverse proxy?

Daniel Eads Atlassian Team Oct 07, 2020

Yes - apologies @JConstantine and good catch! The process is the same, but the context paths (if you use one) and port numbers will be different between Jira and Confluence. You've found the correct article for Jira that won't require changing the port numbers :)

@Daniel Eads I've stumbled upon this:

2020-10-15_12-53-04.png

And there's this:

2020-10-15_14-40-35.png

For me it's:

http://<JIRA Server Machine's IP address>.<JIRA Server Machine's domain name>:8080/

But whenever I try to procure a certificate from Let's Encrypt I end up with this error:

2020-10-15_14-49-06.png

A and CNAME records for my domain name have been created. Port 80 for http and 443 for https are opened. Firewall has been temporarily disabled. Looks like I can't get the certificate from Let's Encrypt :(
