I followed the instructions for setting up reverse proxies in JIRA and Confluence and then redirected Apache to SSL, as instructed by the Atlassian KB. My servers use CA-issued certs and everything is working perfectly, with exception to my Application Links between JIRA and Confluence. Specifically, I receive the error:
The remote certificate can't be trusted
Confluence may be using a self-signed SSL certificate or a certificate that was issued by a certificate authority that isn't known locally.
I see that there are SSL plugins that are supposed to address this, but it looks like the Confluence SSL plugin is no longer updated for the version I'm using. I've seen a wide array of suggested solutions for this, but no one seems to have the exact problem I'm facing, nor does anyone seem to have a proper solution. Some people are suggesting I add the CA-issued certs to the Tomcat/Java keystore (or even the CA root/intermediate certs); other support pages suggest I modify the entire back-end to run on HTTPS through port 8443. None of these solutions worked. Though this isn't a deal-breaker (I have a workaround), I was curious to know if anyone had any idea how we might resolve this issue so we can keep SSL running with the Apache reverse proxy and still use Application Links between JIRA and Confluence.
This was resolved by Atlassian Support. I have two servers, JIRA and CONFLUENCE, and they both needed each other's SSL certificates imported into their respective Java keystores. The instructions for doing this are here: https://confluence.atlassian.com/jira/connecting-to-ssl-services-117455.html
I followed the command-line instructions, as these are headless servers; the import worked straight away (though you will likely need to restart the JIRA/Confluence services or servers to force the change). The two commands to run in those instructions are as follows, and you must do this on both servers. For example, if I'm on server JIRA and need to connect to server CONFLUENCE, I need to run the following command to obtain the CONFLUENCE SSL cert (you would, of course, replace
confluence.com with the server name representing your Confluence installation):
openssl s_client -connect confluence.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
Then, run this command to import the certificate (this example implies RedHat/CentOS, and you need to do this as root or with command
sudo /opt/atlassian/jira/jre/bin/keytool -import -alias confluence -keystore /opt/atlassian/jira/jre/lib/security/cacerts -file /home/user/public.crt
You will be prompted for your root password and/or the Java keystore password (the default
changeit will likely work).
You will need to do the same on the Confluence server, reversing the references and commands above. Once complete, restart the servers (or services) and that will allow you to reconnect the application linking using an Apache SSL proxy.
I did, indeed! Atlasssian Support was able to steer me in the right direction. Plugins are not the solution, and as long as you follow the Apache proxy instructions for both JIRA and Confluence, everything will work. The solution was actually to import server SSL certificates into the Java keystore using the command-line instructions near the bottom of the page: https://confluence.atlassian.com/jira/connecting-to-ssl-services-117455.html
The Jira Marketing team is putting together an ebook on migrating to Data Center. We're looking for pro tips on how you staffed your project team and organized your Proof of Concept. Share yo...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs