Application links ssl proxy (Jira|Confluence|Bitbucket|Fisheye)

Hello,

On my Ubuntu Server I installed these Atlassian servers.

  • JIRA
  • Confluence
  • Fisheye
  • Bitbucket

All applications are at the latest version. On the same host is an Apache 2.4 configured as a proxy with mod_proxy. I created a valid certificate (not self-signed) to secure the connection between the client and my Apache server. Apache is configured with virtual hosts for every service, each pointing at localhost:<application-port>, and a wildcard SSL certificate.

I modified the server.xml files of the applications to add SSL compatibility. The applications themselves are operating correctly and there are no problems.

Now I want to create application links between these four applications. Unfortunately that is not possible, because I got the error message that JIRA doesn't answer at the configured URL https://jira.domain.tld. The same problem occurs when I connect JIRA to Confluence. The user directory feature also works fine.

Now I'm really angry, why won't that work?

 

Any suggestions? Please help

 

1 answer

1 accepted

Well, since you terminate all your SSL connections on the Apache mod proxy, you need to make sure all subdomains are included in the certificate. This is done using alt_names in your openssl.cnf as you create the CSR. Make sure to include these alt_names:

jira.domain.tld
jira
confluence.domain.tld
confluence
fisheye.domain.tld
fisheye
bitbucket.domain.tld
bitbucket

The rest of the config file needs some extra fields to make this happen, see documentation:

http://wiki.cacert.org/FAQ/subjectAltName

Once this is done, SSH to the box, download SSLPoke (link in this KB: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html )

And make sure you can ping both short and FQDN. If not:

The SSL cert presented by the apache mod proxy must be imported into each keystore, for each application. Locate all your cacerts files and make sure the cert is imported as it should.

Here is a one-liner that imports the cert to all cacerts on your filesystem:

for lines in `locate cacerts | grep cacerts$ | sed 's/\/jre\/lib\/security\/cacerts//g'`; do $lines/bin/keytool -import -alias SERVERNAME.GOES.HERE -keystore $lines/jre/lib/security/cacerts -file /PATH/TO/PEM.CERT ; done

The password for the cacerts is "changeit"

If you are using altnames, you only need to import one certificate. The alias doesn't matter as it will look for the certificate fingerprint and nothing else.

Hope this helps
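
The CSR step described in the accepted answer, as an added example that is not part of the original post: it writes an openssl config with an [alt_names] section for the names listed there, creates a key and CSR, and reads the DNS names back out of the CSR so a missing name is caught before the request goes to the CA. The CN, the file names (san.cnf, proxy.key, proxy.csr) and the function names are assumptions; domain.tld is the placeholder used on this page.

```shell
#!/usr/bin/env bash
# Added example, not the poster's code. Names below are the placeholders
# from the answer; file and function names are assumptions.
SAN_NAMES="jira.domain.tld jira confluence.domain.tld confluence fisheye.domain.tld fisheye bitbucket.domain.tld bitbucket"

# Write a minimal openssl config whose [alt_names] section lists every name.
write_csr_conf() {   # $1 = output path
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = v3_req\n\n'
        printf '[dn]\nCN = jira.domain.tld\n\n'   # CN is an assumed value
        printf '[v3_req]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
        i=1
        for name in $SAN_NAMES; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$1"
}

# Generate an unencrypted RSA key and a CSR from that config.
make_csr() {   # $1 = working directory
    write_csr_conf "$1/san.cnf" &&
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/proxy.key" -out "$1/proxy.csr" \
        -config "$1/san.cnf" 2>/dev/null
}

# Print the DNS names carried in a CSR, one per line.
csr_dns_names() {   # $1 = CSR path
    openssl req -in "$1" -noout -text |
        grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Print every expected name the CSR lacks; returns non-zero if any is missing.
missing_names() {   # $1 = CSR path
    present=$(csr_dns_names "$1")
    rc=0
    for name in $SAN_NAMES; do
        printf '%s\n' "$present" | grep -qxF "$name" || { echo "$name"; rc=1; }
    done
    return $rc
}
```

Run `make_csr /some/dir` and then `missing_names /some/dir/proxy.csr`; empty output means every short name and FQDN is in the request.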

 

 

 
