Jira over SSL icon issue

Hi,

We are small team and using Jira to manage some projects. and i am not expert in server administration and i have no able to get some.
My setup is Ubuntu 16.04 LTS + Webmin + Virtualmin + Apache
Jira is running on custom port 9090
Jira is accessed by sub-domain https://jira.domain.com
SSL is enabled and running well. Signed by Let's Encrypt
I use Proxying from jira.domain.com to http://domain.com:9090
BaseURL in Jira config is updated to https://jira.domain.com

It works. It redirects and SSL is fully (green bar) applied on login page.

But problem is that after login all icons are not loaded and SSL also is not fully applied (gray SSL icon). It runs over SSL, but icons are loaded under http and NOT rendered on screen.

Exactly the same setup for Confluence is working perfect without any problems.
I tried many instructions from Atlassian homepage, but no luck.
https://confluence.atlassian.com/adminjiraserver073/integrating-jira-with-apache-using-ssl-861253896.html

In this one i am not sure i need some KeyStore or... i dont know what the heck is that... as i already has SSL certificates applied in my sub-domains directory. And this works for Confluence.
BTW - by following this instruction i f***d up my Webmin SSL certificates and currently are forced to use non-ssl access to Webmin. I will fix this later.

In result, i just want to fix those icons to be loaded under SSL.

2 answers

1 accepted

So, at the end i fixed Atlassian issue on my own.

This and this links helped me at most.

The first of those links parrots the "use apache in front of Atlassian doc".

I would confirm that you properly set your proxy settings in the server.xml file, and updated the base URL in Jira.

I created .pfx file from my existing certificate and included those two connectors in /opt/atlassian/jira/conf/server.xml file. I used single quotes because my keystore pass contain doubleqoutes.

No any changes at all. Jira Startup page and login page is loading fine under SSL (green bar). After i log in - all icons are lost and SSL is "downgraded" to gray ssl mode.

 <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
keystoreFile="/opt/atlassian/jira/jira.pfx" keystorePass='<my_keystorepass>' keyAlias="1" keystoreType="PKCS12"
clientAuth="false" connectionTimeout="20000" sslProtocol="TLS" useBodyEncodingForURI="true"/>

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
keystoreFile="/opt/atlassian/jira/jira.pfx" keystorePass='<my_keystorepass>' keyAlias="1" keystoreType="PKCS12"
clientAuth="false" connectionTimeout="20000" sslProtocol="TLS" useBodyEncodingForURI="true"/>

And currently when i log out from Jira i get funny warning message:
JIRA's base URL is set to https://jira.domain.com but you are accessing JIRA from https://jira.domain.com.
Update JIRA's base URL

Crazy... i spend whole day today without any luck. In my opinion this should be done by 1-2-3 clicks from admin panel in 21st century.

And when i go to board settings or All projects or Issues settings pages... i see those icons for every project, issue type and so on.

Mby i need somehow to update existing projects?

I did re-indexing and so on.

User avatars are lost. I cant set user avatars. I see only placeholders.

useravatar; story.svg and projectavatar files are not loaded under https. They still are loaded as http:// but my base_url is fine. I can see it in console.

/var/atlassian/application-data/jira/log/atlassian-jira.log:2017-11-22 21:24:31,206 http-nio-9090-exec-8 WARN dzintars 1284x76x2 wztaq3 192.168.1.1,0:0:0:0:0:0:0:1 /rest/webResources/1.0/resources [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: http://localhost:9090/rest/webResources/1.0/resources , origin: null , referrer: https://jira.domain.com/secure/admin/ViewApplicationProperties.jspa , credentials in request: true , allowed via CORS: false

As I said, you missed all the proxy parms in the server.xml file. Re-read the Tomcat portion of https://confluence.atlassian.com/adminjiraserver073/integrating-jira-with-apache-using-ssl-861253896.html and set the proxyPort, proxyName, and scheme parameters.

I already did that. No results. Dont think there is problem in my config because only some part of Jira resources are not served under SSL. Majority of files and also some icons/images are served under SSL.

Can you share your updated connectors and proxy config?

Connectors in /opt/tomcat/conf/server.xml (custom 9090 and 9091 used)

<Connector acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="9090" protocol="HTTP/1.1" redirectPort="8443" useBodyEncodingForURI="true" 
scheme="https" proxyName="jira.my_domain.com" proxyPort="443"/>

<!-- Standard HTTP Connector -->
<Connector acceptCount="100" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="9091" protocol="HTTP/1.1" redirectPort="8443" useBodyEncodingForURI="true"/>
 Connectors in /opt/atlassian/jira/conf/server.xml

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
keystoreFile="/opt/atlassian/jira/jira.pfx" keystorePass='24"redLine"04' keyAlias="1" keystoreType="PKCS12"
clientAuth="false" connectionTimeout="20000" sslProtocol="TLS" useBodyEncodingForURI="true"/>

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
keystoreFile="/opt/atlassian/jira/jira.pfx" keystorePass='24"redLine"04' keyAlias="1" keystoreType="PKCS12"
clientAuth="false" connectionTimeout="20000" sslProtocol="TLS" useBodyEncodingForURI="true"/>

 Proxy config

 RewriteEngine on
RedirectMatch ^/(?!.well-known)(.*)$ https://jira.my-domain.com/$1

ProxyPassMatch ^/(.*.php(/.*)?)$ unix:/var/php-fpm/151069358620892.sock|fcgi://localhost/home/my_domain/domains/jira.my_domain.com/public_html/$1

# JIRA is running on port 9090/8443 local on xxname, so we could just proxy it here in Apach$

SSLProxyEngine on

ProxyPass / http://localhost:9090/
ProxyPassReverse / http://localhost:9090/

<Proxy *>
allow from all
</Proxy>

SSLEngine on
SSLCertificateFile /home/my_domain/domains/jira.my_domain.com/ssl.cert
SSLCertificateKeyFile /home/my_domain/domains/jira.my_domain.com/ssl.key
SSLProtocol +TLSv1.2

Suggest an answer

Log in or Join to answer
Community showcase
Sarah Schuster
Posted Jan 29, 2018 in Jira

What are common themes you've seen across successful & failed Jira Software implementations?

Hey everyone! My name is Sarah Schuster, and I'm a Customer Success Manager in Atlassian specializing in Jira Software Cloud. Over the next few weeks I will be posting discussion topics (8 total) to ...

2,968 views 12 18
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot