Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Application links ssl proxy (Jira|Confluence|Bitbucket|Fisheye)

Florian Sturm3
Florian Sturm October 14, 2016

Hello,

on my Ubuntu Server I installed these Atlassian servers.

  • JIRA
  • Confluence
  • Fisheye
  • Bitbucket

All applications are at the latest version. On the same host is an apache 2.4 configured as a proxy with mod_proxy. I created a valid certificate (no self-signed) to secure the connection between the client and my Apache Server. The apache is configurated with virtualhosts for every service which points at localhost:<application-port> and a wildcard ssl certificate.

I modified the server.xml files of the applications to add SSL compatibility. The applications themselfs are operating correctly and there are no problems.

Now I want to create application links between this four applications. Unfortunaly that is not possible, because I got the error message, that JIRA dont answer at the configured url https://jira.domain.tld - The same problem is when I connect JIRA to Confluence. The User directory feature works also fine. 

Now im really angry, why that wont work?

 

Any suggestionns? Please help

 

Answer
Watch
Like Jonas Andersson likes this
301 views

1 answer

1 accepted

0 votes
Answer accepted
Jonas Andersson
Jonas Andersson
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
October 14, 2016

Well since you terminate all your SSL-connections on the apache mod proxy, you need to make sure all subdomains are included in the certificate. This us done using alt_names in your openssl.cnf as you create the CSR. Make sure to include these alt_names:

jira.domain.tld
jira
confluence.domain.tld
confluence
fisheye.domain.tld
fisheye
bitbucket.domain.tld
bitbucket

The rest of the config file needs some extra fields to make this happen, see documentation:

http://wiki.cacert.org/FAQ/subjectAltName

Once this is done, SSH to the box, download SSLPoke (link in this KB: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html )

And make sure you can ping both short and FQDN. If not:

The SSL cert presented by the apache mod proxy must be imported into each keystore, for each application. Locate all your cacerts files and make sure the cert is imported as it should.

Here is a one-liner that imports the cert to all cacerts on your filesystem:

for lines in `locate cacerts | grep cacerts$ | sed 's/\/jre\/lib\/security\/cacerts//g'`; do $lines/bin/keytool -import -alias SERVERNAME.GOES.HERE -keystore $lines/jre/lib/security/cacerts -file /PATH/TO/PEM.CERT ; done

The password for the cacerts are "changeit"

If you are using altnames, you only need to import one certificate. The alias doesn't matter as it will look for the certificate fingerprint and nothing else.

Hope this helps

 

 

 

Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events