Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

JIRA - SSL problem

Kenneth Veipert1
Kenneth Veipert September 27, 2014

Hello, i use currently JIRA in version 6.3.6 and i use it with SSL via an Apache-Proxy.

Here is what happens if i try to connect with another application like confluence:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I imported the certificates of every domain and the root ca certificate:

srv1:/opt/atlassian# keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep domain.net
Enter keystore password:  changeit
confluence.domain.net, Sep 28, 2014, trustedCertEntry, 
stash.domain.net, Sep 28, 2014, trustedCertEntry, 
bamboo.domain.net, Sep 28, 2014, trustedCertEntry, 
jira.domain.net, Sep 28, 2014, trustedCertEntry,
 
srv1:/opt/atlassian# keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep startcom
Enter keystore password:  changeit
debian:startcom_certification_authority_g2.pem, Aug 6, 2014, trustedCertEntry, 
startcom.ca.sub.class4, Sep 28, 2014, trustedCertEntry, 
startcom.ca.sub.class3, Sep 28, 2014, trustedCertEntry, 
startcom.ca.sub.class2, Sep 28, 2014, trustedCertEntry, 
startcom.ca.sub.class1, Sep 28, 2014, trustedCertEntry, 
startcom.ca, Sep 28, 2014, trustedCertEntry, 
debian:startcom_certification_authority.pem, Aug 6, 2014, trustedCertEntry,

I googled this problem but everyone say only: Import the certificates to the keystore, but i already did it and the problem still exists.

 

What can be the problem?

Answer
Watch
Like Be the first to like this
4097 views

2 answers

1 accepted

1 vote
Answer accepted
Jobin Kuruvilla [Adaptavist]
Jobin Kuruvilla [Adaptavist]
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
September 28, 2014

Check in your Administration > System Info and make sure JIRA is using the correct Java.

View More Comments
Kenneth Veipert1
Kenneth Veipert September 28, 2014

You're right, JIRA, Confluence, Stash and Bamboo(I checked only JIRA and Confluence) uses them own Java? I think this is the problem. I should import the certificates to JIRA's cacerts-keystore located under JIRA/jre/lib/security/cacerts, right?

Like
Jobin Kuruvilla [Adaptavist]
Jobin Kuruvilla [Adaptavist]
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
September 28, 2014

Yes, some times they uses their own Java. Depends on configuration. To make sure, you can find the details under Administration > System Info.

Like
Kenneth Veipert1
Kenneth Veipert September 28, 2014

Yes, thank you very much for your help. That's why Stash and Bamboo can connect with each other without problems but Confluence and JIRA don't, Stash and Bamboo uses the system-wide Java.

Like
Reply
1 vote
Pedro Souza
Pedro Souza
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 28, 2014

Hi Kenneth,

Have you imported the certificates to the Apache Cacerts as well?

In my understanding, you're using Apache to handle SSL connections, so I believe that you need to import the certificates to Apache trust store, and according to the attached information, you have imported to JIRA default cacert (JAVA).

 

Also, you can test the connection using the SSLPoke, as per of this article below:

https://confluence.atlassian.com/display/JIRAKB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed+sun.security.provider.certpath.SunCertPathBuilderException

 

EG:

java SSLPoke mail.atlassian.com 443

 

Cheers,

Pedro Souza.

View More Comments
Kenneth Veipert1
Kenneth Veipert September 28, 2014

Hi,

yes, it works like expected with SSLPoke:

srv1:/tmp$ java SSLPoke jira.domain.net 443
Successfully connected

But the problem still exists.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events