Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Next challenges

Recent achievements

  • Global
  • Personal

Recognition

  • Give kudos
  • Received
  • Given

Leaderboard

  • Global

Trophy case

Kudos (beta program)

Kudos logo

You've been invited into the Kudos (beta program) private group. Chat with others in the program, or give feedback to Atlassian.

View group

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

JIRA Server Android Application Edited

Hi,

 

Recently I upgraded my JIRA Server to version 8.0.2. We're using JIRA behind the reverse proxy of nginx with SSL. Unfortunately, we don't have signed certificate, therefore we are using with self-signed certificate. We have no problems while using our JIRA with browser. However, if I try to connect using new JIRA Server Android Application, I got an error says "Can't get a secure connection".

jira_login.jpeg

jira_error.jpeg

 

As stated in the link [https://confluence.atlassian.com/jirakb/can-t-get-a-secure-connection-error-on-jira-server-mobile-app-954244746.html], I added my self-signed certificate to my device's trusted certificates. The first following screenshot taken from Firefox Browser, and the second one is from my Android Phone. As you can see, these are the same certificate.

 

Screenshot from 2019-03-19 10-30-41.png

 

android_cert.jpeg

 

I also export my certificate to JIRA JRE  as described in here [https://confluence.atlassian.com/display/APPLINKS060/SSL+and+application+link+troubleshooting+guide]

 

Also, my self-signed certificate has;

X509v3 extensions:
  X509v3 Basic Constraints:
    CA:TRUE

Which I can see if I execute the following command;

 

openssl x509 -in gohm.crt -text -noout

X509v3 extensions:
X509v3 Subject Key Identifier:
12:96:35:D0:BE:E6:91:70:F3:0F:70:38:E3:93:60:10:3D:41:9C:C4
X509v3 Authority Key Identifier:
keyid:12:96:35:D0:BE:E6:91:70:F3:0F:70:38:E3:93:60:10:3D:41:9C:C4

X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption

 

 

At this point, I would like to ask what might cause the connection problem? We are hosting our JIRA in our private server and it has ufw (uncomplicated firewall). Only required incoming ports enabled. Is there any special port for JIRA Server mobile app to communicate JIRA Server?

 

Best Regards,

Said Ucar.

1 answer

0 votes
Andy Heinzer Atlassian Team Mar 20, 2019

I don't think this is a port issue.  Instead my concern is in regards to the cert.  The guide says your cert should have

X509v3 extensions:
  X509v3 Basic Constraints:
    CA:TRUE

However technically, your cert has the parameter of

X509v3 Basic Constraints: critical

This 'critical' flag appears to be able cause problems in regards to certificate creation from csr.  I found a related post about it over in https://github.com/letsencrypt/boulder/issues/1268

Found more info about that flag from the wiki page on the X.509 spec:

Each extension has its own ID, expressed as object identifier, which is a set of values, together with either a critical or non-critical indication. A certificate-using system must reject the certificate if it encounters a critical extension that it does not recognize, or a critical extension that contains information that it cannot process.

I would try to remove the critical flag and then repeat the steps of trying to import the certificate to see if this helps.

I generated a new certificate, manually add to my andriod, and imported to JIRA JRE. However, still not able to connect it with Android App. Here is the details of my key.

 

openssl x509 -in gohm.crt -text -noout


Certificate:
Data:
Version: 3 (0x2)
Serial Number:
df:f8:fe:91:6e:23:a6:10
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = TR, O = GOHM Electronics and Software Ltd.
Validity
Not Before: Mar 20 18:57:43 2019 GMT
Not After : Mar 17 18:57:43 2029 GMT
Subject: C = TR, O = GOHM Electronics and Software, CN = My Certificate
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:cc:28:08:4f:5f:4b:ef:f5:1f:fc:68:80:38:c8:
...

...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
X509v3 Subject Key Identifier:
29:77:3B:76:10:6E:F9:52:C2:6D:E4:BE:2D:C1:B0:CB:6B:C8:62:FD
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
Signature Algorithm: sha256WithRSAEncryption
5c:58:3b:44:e1:71:f0:17:41:66:4e:2c:24:03:0c:fe:84:91:
...


...

Andy Heinzer Atlassian Team Mar 27, 2019

Hi Mustafa,

Thanks for this information.  From looking at this and discussing with my colleagues, I believe that your clients are Missing the intermediate certificate authority

From that post:

The third case of SSLHandshakeException occurs due to a missing intermediate CA. Most public CAs don't sign server certificates directly. Instead, they use their main CA certificate, referred to as the root CA, to sign intermediate CAs. They do this so the root CA can be stored offline to reduce risk of compromise. However, operating systems like Android typically trust only root CAs directly, which leaves a short gap of trust between the server certificate—signed by the intermediate CA—and the certificate verifier, which knows the root CA. To solve this, the server doesn't send the client only it's certificate during the SSL handshake, but a chain of certificates from the server CA through any intermediates necessary to reach a trusted root CA.

I would recommend trying to walk through that section of the guide here.  It does explain some additional diagnosis steps to follow to make sure this is the case here.  It also offers two different approaches to try to solve this issue.

I hope this helps.

Andy

Hi @Andy Heinzer ,

 

Thank you about your effort. Actually, I'm not good at the openssl or ssl certification details. I used the commands below to create my self signed certificate. If you know what part of it was wrong, i would appreciate.

 

This is my openssl.cnf

 

[req]
default_bits = 2048
encrypt_key  = no # Change to encrypt the private key using des3 or similar
default_md   = sha256
prompt       = no
utf8         = yes
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
C  = TR
O  = GOHM Electronics and Software
CN = *.gohm.com.tr
[v3_req]
basicConstraints     = CA:TRUE
subjectKeyIdentifier = hash
keyUsage             = digitalSignature, keyEncipherment
extendedKeyUsage     = clientAuth, serverAuth

 

This is how I create CA certificate

 

openssl req \
  -new \
  -newkey rsa:2048 \
  -days 3650 \
  -nodes \
  -x509 \
  -subj "/C=TR/O=GOHM Electronics and Software Ltd./CN=*.gohm.com.tr" \
  -keyout "${DIR}/ca.key" \
  -out "${DIR}/ca.crt"

 

This is how I create private key

 

openssl genrsa -out "${DIR}/gohm.key" 2048

 

This is how I generate CSR

 

openssl req \
  -new -key "${DIR}/gohm.key" \
  -out "${DIR}/gohm.csr" \
  -config "${DIR}/openssl.cnf"

 

This is how I signed my pri key

 

openssl x509 \
  -req \
  -days 3650 \
  -in "${DIR}/gohm.csr" \
  -CA "${DIR}/ca.crt" \
  -CAkey "${DIR}/ca.key" \
  -CAcreateserial \
  -extensions v3_req \
  -extfile "${DIR}/openssl.cnf" \
  -out "${DIR}/gohm.crt"

 

 

Which part exactly am I doing wrong here?

 

Andy Heinzer Atlassian Team Mar 29, 2019

It's not necessary that you have done something wrong.  Instead, I think that we're just missing the intermediate certificate to make this work on a mobile client.   If this was a signed cert from a root CA, we wouldn't have to worry about this, but since you're using a self-signed cert, and the mobile clients can't retrieve this intermediate CA cert.

We can see this in the command:

openssl s_client -connect jira.gohm.com.tr:443
CONNECTED(00000005)
depth=0 C = TR, O = GOHM Electronics and Software, CN = *.gohm.com.tr
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = TR, O = GOHM Electronics and Software, CN = *.gohm.com.tr
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = TR, O = GOHM Electronics and Software, CN = *.gohm.com.tr
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=TR/O=GOHM Electronics and Software/CN=*.gohm.com.tr
i:/C=TR/O=GOHM Electronics and Software Ltd./CN=*.gohm.com.tr
---

These two certs look very similar, but technically they are in a chain.  With the latter having the 'Ltd.' at the end.   Your mobile clients aren't able to retrieve the first certificate.  That is the cause of the problem here.

The guide in https://developer.android.com/training/articles/security-ssl#MissingCa explains this further.  Following the steps there could help.  Essentially you would need to make sure that your site/proxy hosting SSL is also serving up this intermediate certificate in addition to main certificate.  Many times that site does not actually have this other root certificate to serve up to end users.

So that is one way to try to troubleshoot this.

However instead of following that path, I am interested to see if perhaps there is another solution possible.   It would be significantly better if you could use a CA signed certificate here instead of a self-signed one.  Have you seen the website https://letsencrypt.org/ ?  It's a website that can offer you the ability to obtain a free certificate from a CA.

I think that this approach could be a better way to make this work for both desktop and mobile clients to Jira. 

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Posted in Jira Software

Presenting the "Best of 2020" Jira Software roundup!

Catch up with Atlassian Product Managers in our 2020 Demo Den round-up! From Advanced Roadmaps to Code in Jira to Next-Gen Workflows, check out the videos below to help up-level your work in the new ...

4,490 views 5 15
Join discussion

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you