Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

When applying a third-party certificate to Jira server, the services do not start

Hello community, pleasure to greet you.

I have come to ask for your help, a couple of weeks ago we found that we had to renew the external certificate that we have in JIRA under window server, when applying the new third-party certificate it generates a conflict since the service does not lift with this new certificate , but when leaving the one that was previously, it does raise but shows it as a local certificate, the server is behind a reverse proxy, the curious thing is that before discovering this problem, we found that when entering from the internet it does show the third-party certificate, but When entering through the internal network or VPN, it shows a local certificate and we would like to leave the third-party certificate definitive in order to establish a connection with other applications, but due to this problem we cannot because among the applications it shows distrust when detecting a local certificate.

we would appreciate your support with a light to this problem

1 answer

0 votes

Welcome to the Atlassian Community!

There is a whole load of complexity that using SSL adds to running web services, but it absolutely should be done for most sites (and far too many sites don't use it when they really should).

Anyway, you've got a new certificate that needs to go into your service and you've tried to install it, but it is not working.  There are several parts of your systems that might go wrong with a new certificate, and it can be hard to find out which one it is.

You have not told us a lot about your setup though, so we are a bit stuck.  There is mention of a proxy, but you've not said how it is used or where you terminate your SSL.

I know.  "Terminate your SSL" is jargon.  What I mean there is "what part of your server is handling your SSL certificates for incoming connections?".  There are a lot of ways of doing it, but Atlassian only document (not necessarily recommend, just document), two.  SSL in Tomcat, or SSL in a proxy.

I prefer to do SSL in the proxy.  Imagine my (oversimplified) home setup.  I've got a machine running Jira, on my local network, which only accepts connections from my proxy server (another machine on my network).  Those connections are http (insecure), but also done over ethernet, not wireless.  The proxy server then talks to my router, which doesn't do much other than relay connections from the proxy to the outside world.  My proxy does all the SSL work, not my Jira's Tomcat.  To use the jargon again "my SSL terminates at the proxy"

On top of that, there's also the question of "client".  What I've said above is about running a service over SSL.  Sometimes, your Jira is going to want to connect to other systems over SSL, and they're going to ask it for a certificate.  (This is the same as when you visit a https site in a browser - it also wants a cert, but your browser and the server know how to exchange certs.  Jira can't do that, you need to feed it a cert valid for that site.  It has a huge pile built-in, but it can't have all of them)

So, to debug this, there are a few things we need to see:

A description of where your SSL terminates (not like the essay I just gave, just "we do it in Tomcat / Proxy / Network or firewall / external Router / Other"

  • What are the errors you get on startup from Jira?
  • Is the problem people connecting to Jira, or Jira connecting to remote sites?
  • You mention differences in local or remote access, could you look at the differences in errors?

Hello friend, thanks for your attention

What are the errors you get when launching from Jira?
The errors that we are presented with is that when trying to enter through the internal network of the organization and VPN it shows us a certificate self-signed by the organization.

and when entering through the external network through a bridge where we have JIRA hosted, which is ONElogin, if it shows us the desired certificate, which is the one signed by Digicert

Is the problem people connecting to Jira or Jira connecting to remote sites?

both situations, when people connect from the internal vpn network, it shows them a local certificate

And when Jira wants to connect with other remote tools, it is not possible because an unreliability is detected, so the certificate is self-signed by the organization.

Note: we have the Digicert certificate installed at the reverse proxy level and when this certificate is applied to the local server, the service stops working.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published in Jira Software

Upcoming changes to epic fields in company-managed projects

👋 Hi there Jira Community! A few months ago we shared with you plans around renaming epics in your company-managed projects. As part of these changes, we highlighted upcoming changes to epics on...

14,770 views 37 47
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you