Jira doesn't start after changing the SSL certificate

Oleg Ponomarev March 24, 2021

We have been trying to fix this for more than a week:

We have Jira Server (tomcat) on Linux (Debian 10) that runs behind nginx reverse proxy (SSL) on the same host.

Previously it was running on a Let's Encrypt certificate with no issues. When the certificate expired, I got a new one and just replaced the contents of the cert/key .pem files with the newly received certificate details. So no paths or other conditions changed. Jira and Nginx should just continue using the same files but with different contents.

But unfortunately, after changing the cert/key files' content, the Jira service fails to start. However, nginx starts properly and uses the certificate as expected, so I can visit the Jira homepage with no SSL errors, but get Bad Gateway as Jira doesn't work.

Checked Jira and systemd logs - nothing useful. atlassian-jira-log ends 4 days ago and never includes any messages after that date, but in fact I was trying to start it dozens of times after that date, but can't see any log.

Systemd just tells that Jira exited with the error code 1=failed.
I don't have an option to revert cert contents or the whole Jira server, so have to fix it.

1. Found that after getting a 3rd party cert, adding it to Tomcat is needed. Done, but no result:

https://confluence.atlassian.com/kb/how-to-import-an-existing-ssl-certificate-for-use-in-tomcat-838412853.html

2. So I thought to do the thing from scratch and generated a new Java keystore, then a CSR for it and then its corresponding p.23 + specifying the keystore path in Tomcat's server.xml. Everything according to this: https://confluence.atlassian.com/adminjiraserver/running-jira-applications-over-ssl-or-https-938847764.html

The cert was signed and added to nginx properly, but Jira still doesn't start.
I've tried both to add and to remove the keystore path from server.xml. Previously the path wasn't specified and everything was working properly.

It's a big stress for us and we need to somehow fix it.

Questions:

1. Where is the default Java keystore (that Jira uses when no keystore is explicitly specified in server.xml) located? I found Java home and its keytool, but don't see any default JKS

2. Where else can Jira put its error logs regarding problems that block the service from starting up? atlassian-jira-log, diagnostics-log are not informative since the time Jira started to fail.

3. If changing the Let's Encrypt certs' contents has broken Jira, how can I repeat the process from the beginning properly?

4. Is it possible that SSL certs have broken Jira (nothing else was changed: permissions, paths or whatever, it just started to fail after the reboot) or should I investigate for a root cause further?

5. Is there a way to create and restore a backup of Jira Server (ServiceDesk, Software) Tomcat DB when Jira itself has failed?

Thanks in advance

1 answer

1 accepted

1 vote
Answer accepted
Laurens Coppens
Community Leader
March 24, 2021

Hi Oleg and welcome to the community,

1) /opt/atlassian/jira/jre/lib/security/cacerts

2) /opt/atlassian/jira/logs

/jirahomedirectory/log

3) If you use nginx, then Jira is just running without SSL and nginx is doing the SSL handling.

So normally, this shouldn't affect the jira instance

4) see 3

5) If you have backups, you can restore both DB, install directory, home directory.

I would suggest trying to start Jira with a non-SSL server.xml config to make sure that SSL is not causing this issue.

Hope this helps,

Laurens
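
To act on the suggestion in the answer above, this Python script (an added example, not part of the thread and not Atlassian's code) parses a Tomcat server.xml and reports, per Connector, whether Tomcat terminates TLS itself and whether each configured keystore path exists. The sample file, the host name `jira.example.com` and the keystore path are constructed, and keystore paths are assumed to be absolute.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample, not the poster's file: one plain-HTTP connector for
# nginx to proxy to, and one connector where Tomcat terminates TLS itself.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               proxyName="jira.example.com" proxyPort="443"
               scheme="https" secure="true"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               keystoreFile="/constructed/path/jira.jks"/>
  </Service>
</Server>"""


def audit_connectors(xml_text, file_exists=os.path.isfile):
    """Return one finding per <Connector>: does Tomcat do TLS, and can it?"""
    findings = []
    root = ET.fromstring(xml_text)  # raises ParseError on a malformed file
    for conn in root.iter("Connector"):
        tls = conn.get("SSLEnabled", "false").strip().lower() == "true"
        # Keystore may be on the Connector or on nested <Certificate> elements.
        stores = [conn.get("keystoreFile")]
        stores += [c.get("certificateKeystoreFile") for c in conn.iter("Certificate")]
        stores = [s for s in stores if s]
        findings.append({
            "port": conn.get("port"),
            "tls_in_tomcat": tls,
            "behind_proxy": conn.get("proxyName") is not None,
            "missing_keystores": [s for s in stores if tls and not file_exists(s)],
        })
    return findings


def summarize(findings):
    """Turn findings into lines an admin can act on."""
    lines = []
    for f in findings:
        if not f["tls_in_tomcat"]:
            lines.append(f"port {f['port']}: plain HTTP, TLS left to the proxy")
        elif f["missing_keystores"]:
            lines.append(f"port {f['port']}: TLS in Tomcat, keystore not found: "
                         + ", ".join(f["missing_keystores"]))
        else:
            lines.append(f"port {f['port']}: TLS in Tomcat, no configured keystore path is missing")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(audit_connectors(SAMPLE_SERVER_XML))))
```

To check a real installation, pass the text of the server.xml under the Jira install directory to `audit_connectors` as the user the service runs as, so that file visibility matches what Tomcat sees.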
