I have both Jira and Confluence running on the same server, both over SSL. Prior to implementing SSL on both sites, Confluence was capable of synchronizing its user directory with Jira. Now that SSL is in place on both services, Confluence cannot connect. When I try to create a new connector, I get this error if I specify https:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Over http I get this:
The following URL does not specify a valid Crowd User Management REST service: http://server.domain.com/rest/usermanagement/1/search?entity-type=user&start-index=0&max-results=1&expand=user
They are using the same Java keystore, which is in
/usr/local/java/jre1.8.0_151, so they should be able to locate each others certs, unless there is a bug where they need to have their own, separate keystores with a copy of cert in the keystore. Has anyone else experienced this issue?
What type of x509 certs? If they are from a commercial CA, you need to be sure to include the intermediate (chain) cert along with the public and private keys in whatever method you are using to terminate SSL.
If they are self-signed certs or from your internal or otherwise non-commercial CA, you will need to import them in to the Java key store for the version you are running. If both apps are running the same Java, this can be done once, as both will use the same keystore. I would expect your keystore to be located at /usr/local/java/jre1.8.0_151/lib/security/cacerts It would also be worth verifying you are actually running the Java located in /usr/local/java/jre1.8.0_151 via `ps -ef`
Worst case, set up a plain text connector on each app and use that for your Application Links and to hook Confluence up to JIRA. I'd bind it to localhost to ensure that unencrypted auth traffic stays internal to the box, as well.
All of my certs are issued from our internal CA's, and I also forgot to mention that I'm using Apache as a reverse proxy to our Jira sites. This allows our users to go to jira.domain.com without needing to type in a port number, as well as automatically direct them to the SSL page.
I was able to get around this by using the port number in the connection URL.
I ran ps -ef and it looks like the only references to Java are within the Confluence and Jira installation directories. Does that mean they are referencing the keystore within <installation_dir>/jre/lib/security/ as opposed to the one I've configured within $JAVA_HOME?
Yep. You need to import the cert in to the respective keystore for the Java each app is using. You could also change the scripts to use the Java that you installed, since you already imported the certs there and probably would rather manage the certs in one place rather than two.
That I would, and it's weird that I went through all that trouble to install the correct version of Java, setup SSL, and only for it to use it's own keystore for cert validation.
Which script are you referring to? Is it this one?
Sorry for the late reply. I was referring to the start script. Depending on how you start the apps, there are a number of places that you can declare the JAVA_HOME or JRE_HOME. It's always a good idea to verify the version of Java actually running via `ps.`
Atlassian Summit is an excellent opportunity for in-person support, training, and networking.Learn more
Hello! I'm Rayen, a product manager at Atlassian. My team and I are working hard to improve the trial experience for Jira Software Cloud. We are interested in talking to 20 people planning t...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs