Jira 7.1 SSL Application Links

I have the following setup:

Nginx

-> Confluence (latest version): https://confluence.example.com

-> JIRA (latest version): https://jira.example.com

I added letsencrypt.org certificates to keystores on Confluence and JIRA and both Instances use latest Oracle 8 JRE Java.

Tests with SSLPoke:

Initiating Application Link:

  • Confluence -> JIRA -> Server responding
  • JIRA -> Confluence -> 

    sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I am a little bit off here because both instances have same Java version and SSLPoke is evaluating with successfull result.... Any ideas? Is there something new with ssl handling in JIRA 7.1?

Does JIRA handle certificates differently from Confluence?

4 answers

1 accepted

0 votes
Accepted answer

Looks like JIRA 7 install its own JRE under its install directory. The truststore is therefore under:

$JIRA_INSTALL/jre/lib/security/cacerts and not under $JAVA_HOME/jre/lib/security/cacerts.

After adding the letsencrypt ca it to the correct truststore it works!

Glad to hear you got this resolved. The link to the document I mentioned in my answer below states.

  • The 'Windows Installer' installs its own Java Runtime Environment (JRE) Java platform, which is used to run Tomcat. When updating SSL certificates, please do so in this JRE installation.
0 votes

Hey Steffen,

You need to import your certs into the Trusted Keystore. Refer to the documentation available at https://confluence.atlassian.com/jira/running-jira-over-ssl-or-https-124008.html

That is the documentation on how to run JIRA on https but I am using nginx https and JIRA is accessible. So that hurdle is already taken and has nothing to do with my question.

You can also read here: SSL Services , that I have checked the truststore and domain with SSLPoke. The truststore and added certificate ca works fine from console and Confluence! But does not work inside JIRA 7!

I added a Bitbucket server to my configuration and installed the letsencrypt ca on all three instances the same way (jira, confluence, bitbucket). 

The result:

I can add application links freely between confluence and Bitbucket and back.

Both confluence and Bitbucket can discover jira.

JIRA itself answers both to Bitbucket and confluence with the error:

  • sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This seems to be the sole issue of JIRA 7.1!

Make sure SSL poke works on both short names and FQDN's. Had a similar issue where FQDN SSL worked fine, but shortnames didn't and my application links were created using short names.. Just a thing to check and in no way a magic bullet.

 

Hello Jonas,

What is a SSL shortname in my configuration context? I have only a DNS entry jira.example.com and confluence.example.com. Both point to the same Nginx instance.

If "jira" and "confluence" are the shortnames then I would have to setup my whole network configuration that my nginx is available as https://jira.example.com and https://jira? Is this what you mean?

And why does this work for Confluence and not for Jira?

Additional information:

 

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Nov 27, 2018 in Portfolio for Jira

Introducing a new planning experience in Portfolio for Jira (Server/DC)

In the past, Portfolio for Jira required a high degree of detail–foresight that was unrealistic for many businesses to   have–in   order to produce a reliable long-term roadmap. We're tur...

2,447 views 15 19
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you