Can not link jira and stash behind apache proxy

Benedikt Wiesnet November 15, 2013

HI *,

I have a seriuos problem with my jira and stash installation (on the same server) behind a ssl apache proxy. Both systems have HTTPS as Base URL configured.

I can access the systems with the following urls:

https://foo.bar.com/jira

https://foo.bar.com/stash

But if I try adding the systems in application links it says, that the url is not responding, which is not correct.

So why?

4 answers

1 accepted

0 votes
Answer accepted
Benedikt Wiesnet November 16, 2013

Found the solution by myself... atlassian seems to have an own jre folder inside /opt/atlassian/jira/jre (don't know why) and uses an own cacerts file which was not updated with the new trusted ca

1 vote
Sebastian Bach March 17, 2014

I don't know if this is a bug in the Atlassian products. I've had big problems to establish a link between Atlassian products on my local network with a reverse proxy (nginx) and SSL. Without SSL it worked out of the box. With SSL there was always a warning/error 'unable to find valid certification path to requested target' in the log. But the root CA was in the default java keystore (cacerts) for sure. I've verified this by SSLPoke (https://confluence.atlassian.com/pages/viewpage.action?pageId=186712330).

After all I've found the problem: My reverse proxy was hosting multiple (virtual) domains (f.e. *.mysite.com, *.mysite.local) with different wildcard SSL-certs. And JIRA (Confluence, Stash, ...) is connecting to the reverse proxy without the domain name, just by the IP. The reverse proxy returned in this case the certificate for the default (com) site. And this was not the expected (local) certificate by JIRA. My workaround is now to listen with the reverse proxy on a dedicated IP address for the local services and return the local certificate as default. Okey, it's now also a more secure solution. But on the other hand it is not uncommon to host different domains, each with its own SSL certificate, on the same IP address. So maybe it's a bug?

0 votes
Benedikt Wiesnet November 16, 2013

Okey obviously I forgot the things with the cacerts. Stash is now able to connect to Jira, but it is not working vici versa and there is no message in the log file. My Proxy settings of Stash are the following:

<Connector port="7990" protocol="HTTP/1.1"
            connectionTimeout="20000"
            useBodyEncodingForURI="true"
            redirectPort="8443"
            compression="on"
            compressableMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,application/x-javascript"
            scheme="https"
            proxyName="foo.bar.com"
            proxyPort="443" />

0 votes
Jobin Kuruvilla [Adaptavist]
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
November 15, 2013

There are atleast couple of reasons why this can happen. Your logs should tell the exact error.

1.Due to certificate errors. See https://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services on how to fix that.

2.Missing proxy settings. See

https://confluence.atlassian.com/display/JIRAKB/Application+Link+authentication+fails+due+to+bad+URL+signature

Suggest an answer

Log in or Sign up to answer