Hi, I seem to be having problems setting up SSL for my Jira site. I've followed articles but it doesn't appear to start up my Jira instance.
```
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
keyAlias="root" keystoreFile="/home/jira/jira.jks" keystorePass="mypasswordhere" keystoreType="JKS"/>
```
Articles I followed:
https://community.atlassian.com/t5/Jira-questions/HTTPs-for-JIRA-with-Letsencrypt/qaq-p/818083
What is the error when you start your Jira instance?
```
29-Jun-2018 16:39:58.517 SEVERE [main] org.apache.catalina.core.StandardService.destroyInternal Failed to destroy connector [Connector[org.apache.coyote.http11.Http11Protocol-8443]]
org.apache.catalina.LifecycleException: Failed to destroy component [Connector[org.apache.coyote.http11.Http11Protocol-8443]]
    at org.apache.catalina.util.LifecycleBase.destroy(LifecycleBase.java:302)
    at org.apache.catalina.core.StandardService.destroyInternal(StandardService.java:571)
    at org.apache.catalina.util.LifecycleBase.destroy(LifecycleBase.java:297)
    at org.apache.catalina.core.StandardServer.destroyInternal(StandardServer.java:881)
    at org.apache.catalina.util.LifecycleBase.destroy(LifecycleBase.java:297)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:659)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:355)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:495)
Caused by: org.apache.catalina.LifecycleException: Protocol handler destroy failed
    at org.apache.catalina.connector.Connector.destroyInternal(Connector.java:1008)
    at org.apache.catalina.util.LifecycleBase.destroy(LifecycleBase.java:297)
    ... 11 more
Caused by: java.lang.NullPointerException
    at org.apache.catalina.connector.Connector.destroyInternal(Connector.java:1006)
    ... 12 more
```
That's not the error message. That's the Tomcat shutting down.
So I've not really seen anything by way of error in the logs. Everything appears to start properly, the port is Listening, but it will not let me connect on https 8443. Oddly enough http 8443 works despite the SSL directives.
I've made some changes to my config that I saw in an article related to an issue on the SSLProtocols variable
```
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true" useBodyEncodingForURI="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslEnabledProtocols="TLSv1.2,TLSv1.3"
           keystoreFile="/home/jira/.keystore"
           keystorePass="MYPASSWORD"
           keyAlias="root"/>
```
You can post your whole server.xml here which will help.
You can also try SSLPoke to test the connection:
Though, I personally prefer:
I just saw this error with my latest start up
...I will try the SSL poke and post the full server.xml next. Thanks for the help.
```
2018-06-30 22:49:00,244 http-nio-8443-exec-4 ERROR anonymous 1369x4x1 - x.x.x.x /plugins/servlet/gadgets/dashboard-diagnostics [c.a.g.d.internal.diagnostics.DiagnosticsServlet] DIAGNOSTICS: FAILED
com.atlassian.gadgets.dashboard.internal.diagnostics.UrlSchemeMismatchException: Detected URL scheme, 'https', does not match expected scheme 'http'
    at com.atlassian.gadgets.dashboard.internal.diagnostics.Diagnostics.checkExpectedScheme(Diagnostics.java:52)
    at com.atlassian.gadgets.dashboard.internal.diagnostics.Diagnostics.check(Diagnostics.java:31)
    at com.atlassian.gadgets.dashboard.internal.diagnostics.DiagnosticsServlet.executeDiagnostics(DiagnosticsServlet.java:82)
    at com.atlassian.gadgets.dashboard.internal.diagnostics.DiagnosticsServlet.doPost(DiagnosticsServlet.java:58)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at com.atlassian.plugin.servlet.DelegatingPluginServlet.service(DelegatingPluginServlet.java:37)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at com.atlassian.plugin.servlet.ServletModuleContainerServlet.service(ServletModuleContainerServlet.java:45)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    ... 53 filtered
    at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
    ... 58 filtered
    at com.atlassian.jira.security.JiraSecurityFilter.lambda$doFilter$0(JiraSecurityFilter.java:66)
    ... 1 filtered
    at com.atlassian.jira.security.JiraSecurityFilter.doFilter(JiraSecurityFilter.java:64)
    ... 36 filtered
    at com.atlassian.jira.servermetrics.CorrelationIdPopulatorFilter.doFilter(CorrelationIdPopulatorFilter.java:30)
    ... 10 filtered
    at com.atlassian.web.servlet.plugin.request.RedirectInterceptingFilter.doFilter(RedirectInterceptingFilter.java:21)
    ... 4 filtered
    at com.atlassian.web.servlet.plugin.LocationCleanerFilter.doFilter(LocationCleanerFilter.java:36)
    ... 26 filtered
    at com.atlassian.jira.servermetrics.MetricsCollectorFilter.doFilter(MetricsCollectorFilter.java:25)
    ... 23 filtered
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
30-Jun-2018 22:49:06.039 INFO [http-nio-8443-exec-6] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
Note: further occurrences of HTTP header parsing errors will be logged at DEBUG level.
java.lang.IllegalArgumentException: Invalid character found in method name. HTTP method names must be tokens
    at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:462)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:667)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:802)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1410)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
```
Full server.xml:
```
<?xml version="1.0" encoding="utf-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
  <Service name="Catalina">
    <Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
               maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
               acceptCount="100" disableUploadTimeout="true" bindOnInit="false"/>
    <Connector port="8443" maxHttpHeaderSize="8192" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true" useBodyEncodingForURI="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslEnabledProtocols="TLSv1.2,TLSv1.3"
               keystoreFile="/home/jira/.keystore"
               keystorePass="MYPASSWORD"
               keyAlias="root"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Context path="" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
          <Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"
                    factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
          <Manager pathname=""/>
          <JarScanner scanManifest="false"/>
        </Context>
      </Host>
      <Valve className="org.apache.catalina.valves.AccessLogValve"
             pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
    </Engine>
  </Service>
</Server>
```
Well that is definitely not good.
```
CONNECTED(00000005)
140735891502024:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/ssl/s23_clnt.c:565:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 318 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---
```
sslEnabledProtocols? That's for Tomcat 5/6. You should take a look at the Connector tag again against your Jira and Tomcat version.
I'm running Jira 7.10.1, and it says Tomcat 8.5.6
I put SSLEnabled according to this article. Should I just be using SSLProtocol="TLS"?
...figured it out. A couple of things I did wrong (and/or forgot). I removed the SSLEnabled=True for some reason along the way. The second was I had the key alias set to root, which, after looking at my Confluence setup, I never defined. I saw a key exception error which led me down that path. At any rate, SSL is working and I can now go have a beer. Thanks for your help sir!
No beer for me too? :D
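The two mistakes named in the resolution (SSLEnabled dropped from the connector, and a keyAlias that does not exist in the keystore) can be caught before restarting Jira. The following Python check is an added example, not code from the thread or from Atlassian: the sample XML is constructed from the 8443 connector posted above plus a corrected variant on a hypothetical port 9443, and `audit_connectors` and its `keystore_aliases` argument (the alias names you would read from `keytool -list` on your keystore) are names assumed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's 8443 connector (no SSLEnabled, alias "root")
# beside a corrected variant. Port 9443, the password and alias "jira" are placeholders.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="/home/jira/.keystore" keystorePass="PLACEHOLDER"
               keyAlias="root"/>
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
               keystoreFile="/home/jira/.keystore" keystorePass="PLACEHOLDER"
               keyAlias="jira"/>
  </Service>
</Server>"""

# Attributes that show the admin intended this connector to speak TLS.
TLS_HINTS = ("keystoreFile", "keystorePass", "keyAlias",
             "sslProtocol", "sslEnabledProtocols")

def audit_connectors(xml_text, keystore_aliases=None):
    """Return (port, finding) tuples for connectors configured for TLS
    that would not actually serve it."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        attrs, port = conn.attrib, conn.get("port", "?")
        wants_tls = (attrs.get("scheme") == "https"
                     or attrs.get("secure") == "true"
                     or any(k in attrs for k in TLS_HINTS))
        if not wants_tls:
            continue
        # scheme/secure only change what the request reports; without
        # SSLEnabled="true" the socket still speaks cleartext HTTP.
        if attrs.get("SSLEnabled", "false").lower() != "true":
            findings.append((port, "SSLEnabled is not true: port serves plain HTTP"))
        alias = attrs.get("keyAlias")
        # JKS aliases are case-insensitive, so compare lowercased.
        if keystore_aliases is not None and alias:
            if alias.lower() not in {a.lower() for a in keystore_aliases}:
                findings.append((port, f"keyAlias '{alias}' not in keystore"))
    return findings

if __name__ == "__main__":
    for port, msg in audit_connectors(SERVER_XML, {"jira"}):
        print(f"port {port}: {msg}")
```

A connector flagged by the first check matches the symptoms in the thread: plain HTTP answers on 8443, and a TLS client gets `unknown protocol` while Tomcat logs `Invalid character found in method name`.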