2 answers
1 accepted
Hi Sanaz,
There are a couple kb's that we've produced that go through the steps to add a cert either via the Portecle app or via Terminal. A basic kb that specifically deals with importing the certificates into the keystore is titled How to import a public SSL certificate into a JVM:
Using Portecle
- Download and install the Portecle app onto the server that runs your application.
This is a third-party application and not supported by Atlassian. -
Ensure the
<JAVA_HOME>variable is pointing to the same version of Java that your application uses. See our Setting JAVA_HOME docs for further information on this.
If running on a Linux/UNIX server, X11 will need to be forwarded when connecting to the server (so you can use the GUI), as below:ssh -X user@server - Select the Examine menu and then click Examine SSL/TLS Connection
- Enter the SSL Host and Port of the target system
- Wait for it to load, then select the public certificate and click on PEM
- Export the certificate and save it.
- Go back to the main screen and select the Open an existing keystore from disk option, select
cacerts(for example$JAVA_HOME/lib/security/cacerts) then enter the password (the default ischangeit). - Select the Import a trusted certificate into the loaded keystore button
- Select the certificate that was saved in step 6 and confirm that you trust it, giving it an appropriate alias (e.g.: confluence).
- Note: You may hit an error stating "Could not establish a trust path for the certificate. The certificate information will now be displayed after which you may confirm whether or not you trust the certificate."
- If so, hit OK, and then accept the certificate as trusted.
- Save the Key Store to disk
- Restart your application.
- Test that you can connect to the host.
Command Line Installation
-
Fetch the certificate, replacing google.com with the FQDN of the server JIRA is attempting to connect to:
Unix:openssl s_client -connect google.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crtWindows:
openssl s_client -connect google.com:443 < NUL | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt The command above will only be executed if you have Sed for Windows as well as OpenSSL installed on your environment. If you don't have Sed or OpenSSL or you don't want to install it, use the instructions below as an alternative. Issue the following command:openssl s_client -connect google.com:443Save the output to a file called
public.cert.Edit the thepublic.certfile so it contains only what is between theBEGIN CERTIFCATEandEND CERTIFICATElines. This is how your file should look like after you edited it:-----BEGIN CERTIFICATE----- < Certificate content as fetched by the command line. Don't change this content, only remove what is before and after the BEGIN CERTIFICATE and END CERTIFICATE. That's what your Sed command is doing for you :-) > -----END CERTIFICATE----- -
Import the certificate:
<JAVA_HOME>/bin/keytool -import -alias <server_name> -keystore <JAVA_HOME>/jre/lib/security/cacerts -file public.crtThen enter the password if prompted (the default is
changeit).
Alternative KeyStore Locations
Java will normally use a system-wide keystore in $JAVA_HOME/jre/lib/security/cacerts, but it is possible to use a different keystore by specifying a parameter, -Djavax.net.ssl.trustStore=/path/to/keystore, where '/path/to/keystore' is the absolute file path of the alternative keystore. Information on how to configure JIRA startup variables can be found here.
However, setting this is not recommended because if Java is told to use a custom keystore (eg. containing a self-signed certificate), then Java will not have access to the root certificates of signing authorities found in $JAVA_HOME/jre/lib/security/cacerts, and accessing most CA-signed SSL sites will fail. It is better to add new certificates (eg. self-signed) to the system-wide keystore (as above).
Hopefully that helps!
Cheers,
Branden
Hi Sanaz,
In most instances where I've seen this it was accompanied by the following in the logs:
2017-12-04 12:45:29,500 http-nio-8080-exec-8 ERROR mcelveen 765x249x2 xqjq7g x.x.x.x,x.x.x.x /rest/applinks/3.0/applicationlinkForm/manifest.json [c.a.a.c.rest.ui.CreateApplicationLinkUIResource] ManifestNotFoundException thrown while retrieving manifest com.atlassian.applinks.spi.manifest.ManifestNotFoundException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
To remedy this:
This means, you're facing the error that I mentioned:
To fix it, you will need to follow the Resolution here to import the SSL cert of JIRA to the application's truststore and vice versa:
Let me know how it goes!
Cheers,
Branden
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.