How do I UPDATE the SSL cert for an LDAP server?

Ian Stuart January 3, 2020

The certificate on our CentOS Service Desk server expired recently and broke authentication to Active Directory. We ended up turning off the SSL option since we couldn't figure out how to get it updated in a timely manner.

I am taking a look at it now and am having trouble seemingly with the first step of the process per: https://confluence.atlassian.com/adminjiraserver/configuring-an-ssl-connection-to-active-directory-938847053.html

In which it says to navigate to $JAVA_HOME. This does not work in command line and I am not familiar enough with Linux to know where this location is. In addition, these directions are for importing a new certificate, not replacing an existing one. Has anyone done this that has a clear-cut way of doing it? I wish the original person who set this up used Windows... far easier to manage certs.

Answer accepted
Cristiano Mariano
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
January 4, 2020

Hi! How are you doing?

Usually people create an environment variable pointing to the default Java installation in the machine. In case it is not set, you can just enter the directory of the Java installation that Jira is using. To find the Jira process you could execute:

ps -ef | grep jira

Sometimes you will see the full path of the Java installation being used in the output of this command above. If it is not there, you could use:

readlink -f /proc/<PID OF YOUR JIRA PROCESS>/exe

The PID of your Jira process is the second value that appears in the result line (first one is username or userid).

You do not have to delete the previous certificate in order to import the new one. You just have to use a different alias.

In case you have any doubt, just let us know.

Hope this helps!

Ian Stuart January 6, 2020

That helps a lot, thanks Cristiano!

I should be able to figure out how to set the JAVA variable now, it is showing the full directory.

Do I just follow the same steps to import the new certificate as if it was a new one then? How do I set Jira to use the new one? Just run the keytool command with the new alias?

Cristiano Mariano
January 11, 2020

Hi @Ian Stuart ! How are you doing?

Yes! You should follow the same steps.

You do not have to tell Java what certificate it should use. It will get the certificate from the target address and will check if it was added to the local keystore (usually cacerts file). If Java finds it, it understands that you trust it and will start the exchange of information.

Hope this helps!

Ian Stuart January 13, 2020

Hello @Cristiano Mariano thanks for the response. I was able to import the certificate successfully, and it said "trust this certificate?" etc., but when trying to switch Jira to use SSL over LDAP it still errored out with the same one as before.

I tried downloading the SSLPoke.class and running that to test if it could connect via SSL, but try as I might, the command never worked. Do you have a good example of using SSLPoke to test the SSL connection? All the variations from Jira articles failed for me (as in the syntax must be wrong, kept saying could not find "sslpoke.class").

Is there something else I can try for getting the server to use this updated cert? Thank you!

Ian Stuart January 15, 2020

This is the error, if that helps. CDViewer_RpU7KMkpZT.png

Cristiano Mariano
January 22, 2020

Hi @Ian Stuart !

Sorry for the delay!

I have tried to use SSLPoke class some time ago but could not make it work and did not investigate further.

In SSL you have a Root Certificate and certificates below it, composing a chain.

One thing that you should try is to add every certificate in the chain to your Java installation. This link below shows how to get the certificates in Windows and Linux.

https://unix.stackexchange.com/questions/368123/how-to-extract-the-root-ca-and-subordinate-ca-from-a-certificate-chain-in-linux

Get each one of them and add it to the keystore, the same way you did for the others.

Try this and let's see if it works.

Hope this helps!

Ian Stuart January 24, 2020

Thanks for the help. I don't know what I was doing wrong but I re-added my certificate with the chain again and then also referenced this from stackoverflow.

copy your certificates inside

/etc/pki/ca-trust/source/anchors/

then run the following command

update-ca-trust

We can now use SSL to LDAP. Thanks!

Cristiano Mariano
January 24, 2020

Wonderful! I am glad it worked!

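The steps from this thread as one script, added here as an example and not code posted by either participant: it resolves the truststore of the JVM Jira runs on from the process's `/proc/<PID>/exe` link, splits the chain the LDAPS server presents, and imports each certificate under a new alias. The function names, the alias scheme, the default port 636 and the sample host are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and aliases are illustrative.

# Truststore of the JVM whose binary is $1 (as printed by readlink -f /proc/PID/exe).
cacerts_for_exe() {
    home=${1%/bin/java}
    if [ -f "$home/jre/lib/security/cacerts" ]; then
        echo "$home/jre/lib/security/cacerts"    # JDK 8 layout
    else
        echo "$home/lib/security/cacerts"        # JRE, or JDK 9 and later
    fi
}

# Split `openssl s_client -showcerts` output ($1) into $2/chain-N.pem and print N.
# Parsing stops at "Server certificate", where s_client repeats the leaf.
split_chain() {
    awk -v dir="$2" '
        /^Server certificate/         { exit }
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/chain-" n ".pem"; inside = 1 }
        inside                        { print > f }
        /-----END CERTIFICATE-----/   { inside = 0; close(f) }
        END                           { print n + 0 }
    ' "$1"
}

# usage: import_ldaps_chain <jira-pid> <ldap-host> [port]
import_ldaps_chain() {
    exe=$(readlink -f "/proc/$1/exe") host=$2 port=${3:-636}
    store=$(cacerts_for_exe "$exe")
    work=$(mktemp -d) || return 1
    openssl s_client -connect "$host:$port" -showcerts </dev/null \
        >"$work/s_client.out" 2>/dev/null
    count=$(split_chain "$work/s_client.out" "$work")
    [ "$count" -gt 0 ] || { echo "no certificates received" >&2; return 1; }
    i=1
    while [ "$i" -le "$count" ]; do
        # Compare this fingerprint with the one your CA administrators give you.
        openssl x509 -in "$work/chain-$i.pem" -noout -subject -enddate \
            -fingerprint -sha256
        # No -noprompt: keytool asks before trusting a certificate it cannot verify.
        "${exe%/java}/keytool" -importcert -alias "ldaps-$host-$(date +%Y%m%d)-$i" \
            -file "$work/chain-$i.pem" -keystore "$store"
        i=$((i + 1))
    done
    rm -rf "$work"
}

# Runs only with arguments, e.g.: sh import-chain.sh 1234 dc01.example.com
if [ "$#" -ge 2 ]; then import_ldaps_chain "$@"; fi
```

A server may leave the root CA out of the chain it sends; in that case obtain the root from your CA administrators and import it the same way. Restart Jira afterwards so the JVM reloads its truststore.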
