JIRA - SSL problem

Hello, i use currently JIRA in version 6.3.6 and i use it with SSL via an Apache-Proxy.

Here is what happens if i try to connect with another application like confluence:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I imported the certificates of every domain and the root ca certificate:

srv1:/opt/atlassian# keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep domain.net
Enter keystore password:  changeit
confluence.domain.net, Sep 28, 2014, trustedCertEntry, 
stash.domain.net, Sep 28, 2014, trustedCertEntry, 
bamboo.domain.net, Sep 28, 2014, trustedCertEntry, 
jira.domain.net, Sep 28, 2014, trustedCertEntry,
 
srv1:/opt/atlassian# keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep startcom
Enter keystore password:  changeit
debian:startcom_certification_authority_g2.pem, Aug 6, 2014, trustedCertEntry, 
startcom.ca.sub.class4, Sep 28, 2014, trustedCertEntry, 
startcom.ca.sub.class3, Sep 28, 2014, trustedCertEntry, 
startcom.ca.sub.class2, Sep 28, 2014, trustedCertEntry, 
startcom.ca.sub.class1, Sep 28, 2014, trustedCertEntry, 
startcom.ca, Sep 28, 2014, trustedCertEntry, 
debian:startcom_certification_authority.pem, Aug 6, 2014, trustedCertEntry,

I googled this problem but everyone say only: Import the certificates to the keystore, but i already did it and the problem still exists.

 

What can be the problem?

2 answers

1 accepted

1 vote

Check in your Administration > System Info and make sure JIRA is using the correct Java.

You're right, JIRA, Confluence, Stash and Bamboo(I checked only JIRA and Confluence) uses them own Java? I think this is the problem. I should import the certificates to JIRA's cacerts-keystore located under JIRA/jre/lib/security/cacerts, right?

Yes, some times they uses their own Java. Depends on configuration. To make sure, you can find the details under Administration > System Info.

Yes, thank you very much for your help. That's why Stash and Bamboo can connect with each other without problems but Confluence and JIRA don't, Stash and Bamboo uses the system-wide Java.

1 vote
Pedro Souza Atlassian Team Sep 28, 2014

Hi Kenneth,

Have you imported the certificates to the Apache Cacerts as well?

In my understanding, you're using Apache to handle SSL connections, so I believe that you need to import the certificates to Apache trust store, and according to the attached information, you have imported to JIRA default cacert (JAVA).

 

Also, you can test the connection using the SSLPoke, as per of this article below:

https://confluence.atlassian.com/display/JIRAKB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed+sun.security.provider.certpath.SunCertPathBuilderException

 

EG:

java SSLPoke mail.atlassian.com 443

 

Cheers,

Pedro Souza.

Hi,

yes, it works like expected with SSLPoke:

srv1:/tmp$ java SSLPoke jira.domain.net 443
Successfully connected

But the problem still exists.

Suggest an answer

Log in or Sign up to answer
How to earn badges on the Atlassian Community

How to earn badges on the Atlassian Community

Badges are a great way to show off community activity, whether you’re a newbie or a Champion.

Learn more
Community showcase
Published Monday in Jira Software

How large do you think Jira Software can grow?

Hi Atlassian Community! My name is Shana, and I’m on the Jira Software team. One of the many reasons this Community exists is to connect you to others on similar product journeys or with comparabl...

708 views 6 13
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you