When applying a third-party certificate to Jira server, the services do not start

Oscar Armando Del Cid Rueda June 23, 2022

Hello community, pleasure to greet you.

I have come to ask for your help. A couple of weeks ago we found that we had to renew the external certificate that we have in JIRA under Windows Server. When applying the new third-party certificate, it generates a conflict, since the service does not start with this new certificate, but when leaving the one that was there previously, it does start but shows it as a local certificate. The server is behind a reverse proxy. The curious thing is that before discovering this problem, we found that when entering from the internet it does show the third-party certificate, but when entering through the internal network or VPN, it shows a local certificate. We would like to leave the third-party certificate in place permanently in order to establish a connection with other applications, but due to this problem we cannot, because the applications show distrust when detecting a local certificate.

We would appreciate your support in shedding some light on this problem.

1 answer

0 votes
Nic Brough -Adaptavist-
Community Leader
June 24, 2022

Welcome to the Atlassian Community!

There is a whole load of complexity that using SSL adds to running web services, but it absolutely should be done for most sites (and far too many sites don't use it when they really should).

Anyway, you've got a new certificate that needs to go into your service and you've tried to install it, but it is not working.  There are several parts of your systems that might go wrong with a new certificate, and it can be hard to find out which one it is.

You have not told us a lot about your setup though, so we are a bit stuck.  There is mention of a proxy, but you've not said how it is used or where you terminate your SSL.

I know.  "Terminate your SSL" is jargon.  What I mean there is "what part of your server is handling your SSL certificates for incoming connections?".  There are a lot of ways of doing it, but Atlassian only document (not necessarily recommend, just document) two:  SSL in Tomcat, or SSL in a proxy.

I prefer to do SSL in the proxy.  Imagine my (oversimplified) home setup.  I've got a machine running Jira, on my local network, which only accepts connections from my proxy server (another machine on my network).  Those connections are http (insecure), but also done over ethernet, not wireless.  The proxy server then talks to my router, which doesn't do much other than relay connections from the proxy to the outside world.  My proxy does all the SSL work, not my Jira's Tomcat.  To use the jargon again, "my SSL terminates at the proxy".

On top of that, there's also the question of "client".  What I've said above is about running a service over SSL.  Sometimes, your Jira is going to want to connect to other systems over SSL, and they're going to ask it for a certificate.  (This is the same as when you visit a https site in a browser - it also wants a cert, but your browser and the server know how to exchange certs.  Jira can't do that, you need to feed it a cert valid for that site.  It has a huge pile built-in, but it can't have all of them)

So, to debug this, there are a few things we need to see:

  • A description of where your SSL terminates (not like the essay I just gave, just "we do it in Tomcat / Proxy / Network or firewall / external Router / Other")
  • What are the errors you get on startup from Jira?
  • Is the problem people connecting to Jira, or Jira connecting to remote sites?
  • You mention differences in local or remote access, could you look at the differences in errors?

Oscar Armando Del Cid Rueda June 28, 2022

Hello friend, thanks for your attention

What are the errors you get when launching from Jira?
The error we are presented with is that when trying to enter through the internal network of the organization and VPN, it shows us a certificate self-signed by the organization.

And when entering through the external network, through a bridge where we have JIRA hosted, which is OneLogin, it does show us the desired certificate, which is the one signed by DigiCert.

Is the problem people connecting to Jira or Jira connecting to remote sites?

Both situations. When people connect from the internal VPN network, it shows them a local certificate.

And when Jira wants to connect with other remote tools, it is not possible because an unreliability is detected, so the certificate is self-signed by the organization.


Note: we have the DigiCert certificate installed at the reverse proxy level and when this certificate is applied to the local server, the service stops working.
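
The thread turns on which certificate each network path presents and where SSL terminates. The PowerShell below is an added example, not code from any poster or from Atlassian: it connects over each path and reports the subject, issuer and thumbprint of the certificate actually served, so the internal/VPN and internet views can be compared side by side. The function name, host name, address and ports are assumptions to replace with your own.

```powershell
# Added example: hostnames, address and ports are placeholders to replace.
function Get-PresentedCertificate {
    param(
        [string]$Label,                              # free-text name for the path
        [Parameter(Mandatory)][string]$ConnectHost,  # name or IP actually dialed
        [Parameter(Mandatory)][string]$ServerName,   # host name sent in SNI
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($ConnectHost, $Port)
        $stream = $tcp.GetStream()
        # Accept whatever is presented: the goal is to inspect it, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptAny
        $ssl.AuthenticateAsClient($ServerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        # Verdict of the Windows trust store on this machine only; a Java
        # application such as Jira checks its own Java truststore instead.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [pscustomobject]@{
            Path           = $Label
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            SelfSigned     = ($cert.Subject -eq $cert.Issuer)
            WindowsTrusted = $chain.Build($cert)
            NotAfter       = $cert.NotAfter
            Thumbprint     = $cert.Thumbprint
        }
    } catch {
        # A refused connection or failed handshake (for example a plain-HTTP port)
        # is itself a finding about where TLS terminates on that path.
        Write-Warning "${Label}: $($_.Exception.Message)"
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# Constructed sample paths; run once from the internal network/VPN and once from outside.
$paths = @(
    @{ Label = 'public name';        ConnectHost = 'jira.example.com'; ServerName = 'jira.example.com'; Port = 443 },
    @{ Label = 'Jira host directly'; ConnectHost = '10.0.0.10';        ServerName = 'jira.example.com'; Port = 8443 }
)
$results = foreach ($p in $paths) { Get-PresentedCertificate @p }
$results | Format-List
$prints = @($results | Where-Object Thumbprint | Select-Object -ExpandProperty Thumbprint -Unique)
if ($prints.Count -gt 1) { Write-Warning 'Paths present different certificates.' }
```

If the same name returns a different thumbprint from inside and from outside, the two clients are reaching different TLS endpoints, which points at DNS or routing rather than at the certificate file itself.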
