Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Next challenges

Recent achievements

  • Global
  • Personal

Recognition

  • Give kudos
  • Received
  • Given

Leaderboard

  • Global

Trophy case

Kudos (beta program)

Kudos logo

You've been invited into the Kudos (beta program) private group. Chat with others in the program, or give feedback to Atlassian.

View group

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Jira Server SSL issue

Hi All,

I am hosting JIRA in my private server on Azure. I need to run my JIRA site on HTTPS. I have installed SSL certificate in my server.

Also, followed steps which are required for HTTPS SSL connection to work. However, I am unable to fix the issue. My server is still showing as UNSECURED.
I checked out many blogs, atlassian community questions and posts, created java key store, imported certificate into those key stores and h**l lot of things, still unable to secure my server.
Can anyone help me. I need urgent help.

Thanks in Advance :)

1 answer

Hi there,

If not already done, can you try on all the browsers(Edge, Firefox, Chrome, etc..)?

Hi Reneesh,
I tried it but unfortunately not working. I am still facing same issue.

Please let me know @Reneesh Kottakkalathil  if you can help me out. I need to secure my Jira server on an urgent basis.

  1. Do you have the certs configured in the front end web server(Apache, ngix,..) or inside Jira?
  2. Do you see any error in the logs? If so, can you please share the error.
  3. Do you have any SAN name in the certs?

1. Certs are configured in Windows 2016 Azure Virtual machine, and JIRA is installed in that Azure virtual machine.

2. Logs which might be helpful to you:

2020-11-16 11:46:32,791+0000 HealthCheck:thread-7 ERROR      [c.a.t.j.healthcheck.support.GadgetFeedUrlHealthCheck] An error occurred when performing the Gadget feed URL healthcheckjavax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested targetCaused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)        at sun.security.validator.Validator.validate(Validator.java:262)        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)        ... 26 moreCaused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target



2020-11-18 14:37:55,056+0000 HealthCheck:thread-3 ERROR      [c.a.t.j.healthcheck.support.GadgetFeedUrlHealthCheck] An error occurred when performing the Gadget feed URL healthcheckjavax.net.ssl.SSLPeerUnverifiedException: Certificate for <northview-jira.nvwonaz.com> doesn't match any of the subject alternative names: [*.nvwonaz.org, nvwonaz.org]        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)        at

3. I tried fetching SAN name using below command. 
openssl s_client -connect website.com:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS:
But I am not getting the results.

Installing the root or chain certificate in the JDK certificate store may fix your issue

Yes Reneesh I imported the certificate in cacerts store file. 
Let me know if I need to do anything else. I am new to these things.

I think cacert is the default java store. And I imported the certificate into this cacert file using Portcle app.

Yes cacert is the default java store. Restart jira and test again. 

Yes I did couple of times. But no luck. Anything else that you suspect that might be causing this issue.

Are you sure you're using the same JDK that is used by Jira to import the root cert?

That Might be the issue. I am not sure.
How can we verify that.
Can u please help.

You can find the JDK path in the jira startup logs.

Hi @Reneesh Kottakkalathil 
I can find attlassian-jira.log file in my Jira directory.
Below are the details:- (there are lot of details actually, I'm sending some imp. details)

Application Server : Apache Tomcat/8.5.57 - Servlet API 3.1
Java Version : 1.8.0_202 - AdoptOpenJdk
Current Working Directory : C:\Program Files\Atlassian\Jira\bin
JVM version is 1.8
Java Version = 1.8.0_202

Please let me know if anything else is required.

What is your jira version? You dont see the JDK path in the logs? Can you send me the JDK path to which you imported the root cert?

Yes @Reneesh Kottakkalathil I will check and update you.

Also, today I got a reply from Atlassian support and they are suspecting some issue with certificate.

What they are saying is that my Jira base URL is ending with ".com" while certificate is issued for ".org".

For example: my Jira server URL is xxx.COM

However, JIRA certificate is issue for: xxx.ORG

Can this be the cause. What do you think. Can you suggest something.

Thanks

Lakshay Arora

Yes. That could be possible as well.

Like Lakshay Arora likes this

Yes @Reneesh Kottakkalathil  I am also thinking that. So, is it possible that if we change our Jira base URL to xxx.ORG

 

What do you say. Will it work. I think we need to made some DNS changes.

Hi @Reneesh Kottakkalathil 

I have updated the record set in my private DNS zone.
I have deleted the record set from the old DNS zone which was .COM and created the same record set in other DNS zone with .ORG.

 

Is that fine or do I need to configure some more details.

Your Jira URL must match what is in the Base URL.

Could you please elaborate.
I actually changed .com to .org. Is that fine.

Suggest an answer

Log in or Sign up to answer
TAGS

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you