Jira Configurator can't find or access keystore

Celestino Camacho October 12, 2017

Hi,

I'm trying to set up SSL on our Jira (self hosted - server) but the "Jira Configurator v1.1" doesn't find the certificate once I enter the keystore path, password and alias:

" Keystore Path (leave blank to exit)> /etc/pki/ca-trust/extracted/java/keystore.jks
Keystore Password>
Key Alias> test
The referenced certificate could not be found or accessed. Do you want to try again?"


Already checked the keystore and everything seems ok.

Appreciate the help.

1 answer

0 votes
Shannon S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 13, 2017

Hi there,

Can you confirm if your Jira user has permissions to access that path? 

Kind Regards,
Shannon

Celestino Camacho October 13, 2017

Hi, 

I already got past this problem. Now I have a different one.
I'm using a wildcard SSL certificate that was already issued.

When I try to use it, in the browser everything is OK, but in the health check it gives a warning of "Base URL for gadgets".

I followed the standard procedures:

1. Convert x509 Cert and Key to a pkcs12 file
2. Convert the pkcs12 file to a java keystore

When checking I found the error above:

"Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty"

After tests:

openssl s_client -connect jira.domain.com:8443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt

depth=0 CN = *.domain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.domain.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = *.domain.com
verify error:num=21:unable to verify the first certificate
verify return:1
DONE

The server CA, key and crt are correct and in use on other servers / platforms.

I'm not used to working with Java keystores, so any suggestion where I'm getting this wrong?

Andy Heinzer
Atlassian Team
October 13, 2017

The error you are getting of

"Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty"

is a clear indicator that the JVM Jira is using cannot find the path to your trust store. Java is expecting this to be by default in a subpath of the JAVA_HOME path. It looks like you are using a different path for the location of that trust store instead. The KB "Unable to Access SSL Services due to java.security.InvalidAlgorithmParameterException" also explains this.

The good news is that there is a work-around for this. You could either relocate that certificate to the default trust store and then reimport it, OR if you dig into the "Connecting to SSL Services" document you can find the section on "Alternative KeyStore Locations":

Java will normally use a system-wide keystore in $JAVA_HOME/jre/lib/security/cacerts, but it is possible to use a different keystore by specifying a parameter, -Djavax.net.ssl.trustStore=/path/to/keystore, where '/path/to/keystore' is the absolute file path of the alternative keystore.

However, setting this is not recommended because if Java is told to use a custom keystore (eg. containing a self-signed certificate), then Java will not have access to the root certificates of signing authorities found in $JAVA_HOME/jre/lib/security/cacerts, and accessing most CA-signed SSL sites will fail. It is better to add new certificates (eg. self-signed) to the system-wide keystore (as above).

So you could use that '-Djavax.net.ssl.trustStore=/path/to/keystore' parameter to the Jira Startup Options as a means to make this work, but the SSL documentation would prefer to have you use the system Java Home path to store that.
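
A shell check for the trust store lookup described in the answer above, added here as an example (not code from the thread or from Atlassian's documentation). The function names, the fallback to a `lib/security/cacerts` path without `jre/` for newer Java layouts, and the default store password `changeit` are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: find the trust store a JVM would load and check that it
# can be read and holds CA certificates. All names here are hypothetical.

# Print the trust store path. An explicit -Djavax.net.ssl.trustStore value
# wins; otherwise look for cacerts under JAVA_HOME (jre/ layout first, then
# the layout without jre/, which is an assumption added by this example).
resolve_truststore() {
  local java_home="$1" override="${2:-}" p
  if [ -n "$override" ]; then printf '%s\n' "$override"; return 0; fi
  for p in "$java_home/jre/lib/security/cacerts" "$java_home/lib/security/cacerts"; do
    if [ -e "$p" ]; then printf '%s\n' "$p"; return 0; fi
  done
  return 1
}

# Return 0 if the file is usable; 1 = missing, 2 = unreadable, 3 = empty.
check_truststore_file() {
  [ -e "$1" ] || return 1
  [ -r "$1" ] || return 2
  [ -s "$1" ] || return 3
  return 0
}

# Count trustedCertEntry lines in `keytool -list` output read from stdin.
# A PrivateKeyEntry is the server's own key pair and is not counted.
count_trust_anchors() {
  grep -c 'trustedCertEntry' || true
}

# Full check: args are JAVA_HOME, optional override path, optional password.
# Needs keytool on PATH. Succeeds only if at least one CA entry is listed.
audit_truststore() {
  local store rc=0 n
  store=$(resolve_truststore "$1" "${2:-}") || { echo "no trust store under $1"; return 1; }
  check_truststore_file "$store" || rc=$?
  [ "$rc" -eq 0 ] || { echo "$store: file check failed (code $rc)"; return 1; }
  n=$(keytool -list -keystore "$store" -storepass "${3:-changeit}" | count_trust_anchors)
  echo "$store: $n trusted certificate entries"
  [ "$n" -gt 0 ]
}
```

Run `audit_truststore "$JAVA_HOME"` as the account Jira runs under, so the readability check reflects that account's permissions; pass the custom path as the second argument when `-Djavax.net.ssl.trustStore` is set.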
