Jira running under SSL; page will not load

Norma Seddon November 1, 2019

Hello, I have configured our Jira test server to use SSL by following the instructions on this site, https://confluence.atlassian.com/display/JIRA044/Running+JIRA+over+SSL+or+HTTPS?_ga=2.114822919.1420190195.1571617781-1064801266.1516068131#RunningJIRAoverSSLorHTTPS-ImportCertificateIntoTheTruststore. The service starts and I can load JIRA under HTTP but not HTTPS. I get the error "The site can't be reached". In the catalina log I see the errors below. We are not using ARP as far as I can tell.

01-Nov-2019 12:44:36.368 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]

org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]

I thought it was something with the certificates, but it wasn't working when I added the certificate parameters from the troubleshooting section of the above link.

I thought it was because of the web.config file, so I added in the parameters below, but then http would not load either. The service started fine, other than the https error mentioned above.

<security-constraint>
  <web-resource-collection>
    <web-resource-name>all-except-attachments</web-resource-name>
    <url-pattern>*.jsp</url-pattern>
    <url-pattern>*.jspa</url-pattern>
    <url-pattern>/browse/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

 

Has anyone else run into the issue where the service starts but the page will not load and it fails to initialize port 8443?

2 answers

1 accepted

0 votes
Answer accepted
Norma Seddon November 4, 2019

Hello,

 

The slashes didn't seem to make a difference, although it did give me different error messages, which led me to believe I could not use the Java default keystore cacerts, and I don't think I was using the correct certificate.

 

I went back and read the instructions again from here, https://confluence.atlassian.com/display/JIRA044/Running+JIRA+over+SSL+or+HTTPS?_ga=2.114822919.1420190195.1571617781-1064801266.1516068131#RunningJIRAoverSSLorHTTPS-RedirectingCertainPagesToHTTPS. I have it working and below are the steps I followed.

I generated a key using the command below

C:\Program Files\Atlassian\JIRA\jre\bin>keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:
What is your first and last name?
[Unknown]: enter server [FQDN]
What is the name of your organizational unit?
[Unknown]: [this is not an AD OU, you can enter anything]
What is the name of your organization?
[Unknown]: [enter your company name]
What is the name of your City or Locality?
[Unknown]: [city]
What is the name of your State or Province?
[Unknown]: [province/state]
What is the two-letter country code for this unit?
[Unknown]: [country code]
Is CN=[FQDN hostname], OU=[OU from above], O=[company], L=[city], ST=[province/state], C=[country] correct?
[no]: y

Enter key password for <tomcat>
(RETURN if same as keystore password):

Converted the key to pkcs12 using the command below

C:\Program Files\Atlassian\JIRA\jre\bin>keytool -importkeystore -srckeystore C:\Users\[username]\.keystore -destkeystore C:\Users\[username]\.keystore -deststoretype pkcs12

Copied that keystore to [JAVA_HOME]/lib\security

Updated the server.xml file for the https connector. I had to add the bolded items.

<Connector port="8443" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;" maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true" useBodyEncodingForURI="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="C:\PROGRA~1\ATLASS~1\JIRA\jre\lib\security\.keystore" />

 

Started the service and it worked.

Next steps are to get the addins working under ssl and set up sldap.
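
A pre-start check for the connector settings discussed in this thread, as an added example that is not part of the original posts or of Atlassian's documentation: it parses server.xml and flags an HTTPS connector that has no keystoreFile, points at cacerts, uses an unrecognised keystoreType, or spells keystore attributes differently from the Tomcat documentation. The function name, the list of recognised formats and both sample connectors are constructed for illustration, and case-sensitive matching of attribute names is an assumption.

```python
import xml.etree.ElementTree as ET

# Documented spellings of the JSSE keystore attributes; this check assumes
# Tomcat matches attribute names case-sensitively.
DOCUMENTED = ("keystoreFile", "keystorePass", "keystoreType", "keyAlias", "certificateFile")
KEYSTORE_TYPES = {"JKS", "PKCS12", "JCEKS"}  # formats this check recognises


def lint_tls_connectors(server_xml):
    """Return {port: [findings]} for each <Connector SSLEnabled="true">."""
    by_lower = {name.lower(): name for name in DOCUMENTED}
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        findings, values = [], {}
        for name, value in conn.attrib.items():
            documented = by_lower.get(name.lower())
            if documented is None:
                continue
            values[documented] = value
            if name != documented:
                findings.append(f"'{name}' is documented as '{documented}'")
        store = values.get("keystoreFile")
        if store is None and "certificateFile" not in values:
            findings.append("no keystoreFile: default is .keystore in the service user's home")
        elif store is not None and store.replace("\\", "/").rsplit("/", 1)[-1].lower() == "cacerts":
            findings.append("keystoreFile points at cacerts, the JRE truststore of CA certificates")
        ktype = values.get("keystoreType")
        if ktype is not None and ktype.upper() not in KEYSTORE_TYPES:
            findings.append(f"keystoreType '{ktype}' is not a recognised keystore format")
        report[conn.get("port", "?")] = findings
    return report


# Constructed samples modelled on the attributes posted in this thread.
ATTEMPT = r'''<Service><Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
  keystorefile="C:\Program Files\Atlassian\JIRA\jre\lib\security\cacerts"
  keystorepass="password" keystoreType="cer" /></Service>'''
WORKING = r'''<Service><Connector port="8080" /><Connector port="8443" SSLEnabled="true"
  scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
  keystoreFile="C:\PROGRA~1\ATLASS~1\JIRA\jre\lib\security\.keystore" /></Service>'''

if __name__ == "__main__":
    for label, xml_text in (("attempt", ATTEMPT), ("working", WORKING)):
        print(label, lint_tls_connectors(xml_text))
```

An empty findings list only means the attributes are plausible; whether the keystore actually holds the private key under the expected alias still has to be confirmed with `keytool -list`.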

0 votes
Jimmy Seddon
Community Leader
November 1, 2019

Hi @Norma Seddon,

Welcome to the Community!

Is there any more to the error message you are getting?  Are you seeing something along the lines of: 

Caused by: java.io.FileNotFoundException: /var/root/.keystore (No such file or directory)

We ran into the above error while trying to get SSL configured correctly on our BitBucket server.  While this article is for Confluence, I think the suggestion is still valid for Jira and worth taking a look at:

https://confluence.atlassian.com/confkb/ssl-connector-fails-to-initialize-during-tomcat-startup-646251490.html

I hope that helps!

-Jimmy

Norma Seddon November 1, 2019

Hello,  

No, I don't. Below is a portion of the log file where the 8443 is mentioned. This is from the catalina log file.

01-Nov-2019 12:44:35.415 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: [C:\Program Files\Atlassian\JIRA\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\oracle64\product\12.1.0\client_1\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\WindowsApps;.]
01-Nov-2019 12:44:35.821 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
01-Nov-2019 12:44:35.821 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
01-Nov-2019 12:44:36.368 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:661)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
... 12 more
Caused by: java.lang.IllegalArgumentException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)

 

I don't see any errors in the atlassian-jira log file.

Norma Seddon November 1, 2019

I did try the keystore parameters as well, but it is possible they were incorrect. I have them commented out for now, but the values I had are below. I changed the file names just for the post.

 

<!-- KeyAlias="tomcat" SSLCertificateFile="C:\Program Files\Atlassian\JIRA\jre\lib\security\Generatedcertfile.cer"  keystorefile="C:\Program Files\Atlassian\JIRA\jre\lib\security\cacerts" keystorepass="password" --> <!-- keystoreType="cer"-->

Jimmy Seddon
Community Leader
November 1, 2019

Hey Norma,

Ok cool!  So your actual error is: "SSLHostConfig attribute certificateFile must be defined when using an SSL connector"

I feel like you need to use forward "/" slashes instead of back "\" slashes.  Any chance you can give that a try and see if that helps?

-Jimmy

Norma Seddon November 4, 2019

see answer
