Application Links Using SSL with Apache Reverse Proxy

I followed the instructions for setting up reverse proxies in JIRA and Confluence and then redirected Apache to SSL, as instructed by the Atlassian KB. My servers use CA-issued certs and everything is working perfectly, with exception to my Application Links between JIRA and Confluence. Specifically, I receive the error:

The remote certificate can't be trusted
Confluence may be using a self-signed SSL certificate or a certificate that was issued by a certificate authority that isn't known locally.

I see that there are SSL plugins that are supposed to address this, but it looks like the Confluence SSL plugin is no longer updated for the version I'm using. I've seen a wide array of suggested solutions for this, but no one seems to have the exact problem I'm facing, nor does anyone seem to have a proper solution. Some people are suggesting I add the CA-issued certs to the Tomcat/Java keystore (or even the CA root/intermediate certs); other support pages suggest I modify the entire back-end to run on HTTPS through port 8443. None of these solutions worked. Though this isn't a deal-breaker (I have a workaround), I was curious to know if anyone had any idea how we might resolve this issue so we can keep SSL running with the Apache reverse proxy and still use Application Links between JIRA and Confluence.


2 answers

1 accepted

0 votes
Accepted answer

This was resolved by Atlassian Support. I have two servers, JIRA and CONFLUENCE, and they both needed each other's SSL certificates imported into their respective Java keystores. The instructions for doing this are here:

I followed the command-line instructions, as these are headless servers; the import worked straight away (though you will likely need to restart the JIRA/Confluence services or servers to force the change). The two commands to run in those instructions are as follows, and you must do this on both servers. For example, if I'm on server JIRA and need to connect to server CONFLUENCE, I need to run the following command to obtain the CONFLUENCE SSL cert (you would, of course, replace with the server name representing your Confluence installation):

openssl s_client -connect < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt

Then, run this command to import the certificate (this example implies RedHat/CentOS, and you need to do this as root or with command sudo):

sudo /opt/atlassian/jira/jre/bin/keytool -import -alias confluence -keystore /opt/atlassian/jira/jre/lib/security/cacerts -file /home/user/public.crt

You will be prompted for your root password and/or the Java keystore password (the default changeit will likely work).

You will need to do the same on the Confluence server, reversing the references and commands above. Once complete, restart the servers (or services) and that will allow you to reconnect the application linking using an Apache SSL proxy.

Hi Dan, did you find a solution to this? What was your workaround?

I did, indeed! Atlasssian Support was able to steer me in the right direction. Plugins are not the solution, and as long as you follow the Apache proxy instructions for both JIRA and Confluence, everything will work. The solution was actually to import server SSL certificates into the Java keystore using the command-line instructions near the bottom of the page:

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Jan 08, 2019 in Jira

How to Jira for designers

I’m a designer on the Jira team. For a long time, I’ve fielded questions from other designers about how they should be using Jira Software with their design team. I’ve also heard feedback from other ...

1,298 views 5 10
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you