Dear Jira Gurus,
I successfully replaced SSL Certificates in many of our Atlassian application environments (Bitbucket, Bamboo, and Jira). All of our Atlassian products run on Linux (CentOS 7) and we use a corporate certificate authority to create our certificates.
We are transitioning to a new internal CA server, so I need to replace the SSL Certificate in our Jira Development environment. This development uses CentOS 7 and Jira version 7.13.0. I followed all the usual steps:
- Found existing keystore file /home/jira/.keystore
- Confirmed that " keystoreFile="/home/jira/.keystore" " is configured in our server.xml file
- Stopped Jira
- Renamed "/home/jira/.keystore" as "/home/jira/.keystore.OLD"
- Used "keytool" to create a new keystore
$ /jira-data/atlassian/jira/jre/bin/keytool -genkeypair -keysize 2048 -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore /home/jira/.keystore
- Converted the keystore file as suggested by the warning
sudo /jira-data/atlassian/jira/jre/bin/keytool -importkeystore -srckeystore /home/jira/.keystore -destkeystore /home/jira/.keystore -deststoretype pkcs12
- Used "keytool" to create a certificate request
sudo /jira-data/atlassian/jira/jre/bin/keytool -certreq -keyalg RSA -alias tomcat -file myhost.csr -keystore /home/jira/.keystore -ext san=dns:myhost.corp.mycompany.com,ip:10.xx.yy.zz
- Used our corporate Certificate Authority to generate a certificate file, plus additional certificates for the certificate authority host and internal root certificate authority
$ sudo ls -latr /home/jira
. . . <SNIP> . . .
-rw------- 1 jeinhorn jeinhorn 970 Apr 30 16:01 mycahost.cer
-rw------- 1 jeinhorn jeinhorn 963 Apr 30 16:01 mycompanyRootCA.cer
-rw------- 1 jeinhorn jeinhorn 2090 Apr 30 16:01 myhost.cer
- Imported each certificate into the new keystore
sudo /jira-data/atlassian/jira/jre/bin/keytool -import -alias MycompanyRootCA -trustcacerts -file /home/jira/mycompanyRootCA.cer -keystore /home/jira/.keystore
sudo /jira-data/atlassian/jira/jre/bin/keytool -import -alias LocalCA -trustcacerts -file /home/jira/mycahost.cer -keystore /home/jira/.keystore
sudo /jira-data/atlassian/jira/jre/bin/keytool -import -alias tomcat -file /home/jira/myhost.cer -keystore /home/jira/.keystore
- Used "keytool list -v" to confirm that the new .keystore file reflects the identify of our new certificate authority server
- Restarted Jira
When I connect to Jira and inspect the certificate that is being used, it shows the OLD certificate signed by the OLD certificate server.
I have perused uncountable blogs, articles, and guides on this topic. And as I said, I have successfully replaced many SSL Certificates in many of our other Atlassian environments. This environment is a baffling exception.
To investigate, I tried using "strace -f" with my startup command:
sudo strace -f -o /tmp/strace_start_jira.out /jira-data/atlassian/jira/bin/start-jira.sh
I searched through all the "open" statements of the trace log and found only two files that relate to certificates:
/home/jira/.keystore and /jira-data/atlassian/jira/jre/lib/security/cacerts
I meticulously used "keytool list -v" on both these files to confirm that our OLD CA server is NOT referenced in either file, and our NEW CA server IS referenced in /home/jira/.keystore
Still, after I restart Jira, our Jira login page is using the old SSL certificate. I have spent 3 days hunting for other certificate files on this server, and found none. Could Jira be caching the old certificate somewhere? I tried removing all log files in folders /jira-data/atlassian/jira/logs and /jira-data/var/atlassian/application-data/jira/log and then reviewing these logs after startup. I don't see any error that could relate to our SSL Certificate.
This has been baffling and painful, considering that I have accomplished the equivalent task in so many other environments. I would be grateful for any suggestions.
Thanks,
Janet
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.