Reversed proxy with HTTPS, Jira and Confluence

Adrian_Munther October 5, 2018

Hi!

We'll start using Jira and Confluence in our organization. After testing different platforms, we've decided to run it on an Ubuntu system and it works really great. Both of the applications run on the same machine with an Apache Reversed Proxy with HTTPS.

I've tried the Application Link between the applications in HTTP, which works like a charm. When I'm enabling SSL on both virtual hosts in Apache, Jira won't find Confluence on the same hyperlink as before (except the https). "No response was received from the URL you entered - it may not be valid. Please fix the URL below, if needed, and click Continue."

I've tried to add the confluence domain to the nonProxy-addresses in the JVM configuration, but still no change. The server.xml's are both in HTTPS proxy mode. After hours spent on Google, I'm completely stuck.

Anyone got any suggestions?

Thanks in advance!

3 answers

1 accepted

0 votes
Answer accepted
Adrian_Munther October 7, 2018

Finally, I found the missing link why it wasn't working. I forgot to include SSLCACertificateFile in the VirtualHost config for both Confluence and Jira. Now it's working like magic! Thanks @Timothy (Goldfinger Holdings) and @JP _AC Bielefeld Leader_ for the SSLPoke tip - that made a lot of sense! :)

0 votes
JP _AC Bielefeld Leader_
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
October 6, 2018

Hi Adrian,

I have a similar setup to yours, except that Jira is running on a dedicated server. Confluence & Apache HTTPD 2.4.x on the other machine. SSL terminating at the Apache HTTPD. Are you using the proxy-http module or are you going with mod_ajp?

You must use the Base URL configured in the Confluence / Jira general admin page to get this running.

I would delete all application links between the two servers & do a restart afterwards, to get a clean start.

Do you set up the application link by starting with Jira or Confluence? The setup process will always bring you to the other server by calling the entered (Base) URL of the other server.

Are both servers using the same user base?

You might want to crosscheck some settings with my working config related to the port & ssl settings (Please adapt the path, server & other individual settings):

ssl.conf / vhost.conf depending on your config:

<VirtualHost IP_OF-YOUR_SERVER:443>
# Protocols h2 http/1.1
DocumentRoot "YOUR DOC ROOT"
ServerName yourserver.yourdomain.org
ServerAdmin admin@yourdomain.org
ErrorLog /var/log/apache/ssl_error.log
TransferLog /var/log/apache/ssl_access.log
LogLevel warn
SSLEngine On
SSLHonorCipherOrder On
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

SSLCertificateFile /etc/apache2/conf/ssl/yourserver.yourdomain.org.crt
SSLCertificateKeyFile /etc/apache2/conf/ssl/yourserver.yourdomain.org.key
# Depends on your certificate
SSLCACertificateFile /etc/apache2/conf/ssl/wildcard.intermediate.crt

Header set Strict-Transport-Security "max-age=16070400; includeSubDomains"

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>

BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [6-9]" ssl-unclean-shutdown

RewriteEngine On
#LogLevel notice rewrite:trace8
RewriteCond %{REQUEST_URI} !^/confluence [NC]
RewriteCond %{REQUEST_URI} !^/confluence/.* [NC]
RewriteCond %{REQUEST_URI} !^/synchrony [NC]
RewriteCond %{REQUEST_URI} !^/synchrony/.* [NC]
RewriteCond %{REQUEST_URI} !^/jira [NC]
RewriteCond %{REQUEST_URI} !^/jira/.* [NC]
RewriteRule ^(.*)$ https://yourserver.yourdomain.org/confluence [R=301,L]

# Atlassian Proxy Configuration:
ProxyRequests Off
ProxyPreserveHost On
#SSLProxyEngine Off

<Proxy *>
Require all granted
</Proxy>

ProxyPass /synchrony http://yourserver.yourdomain.org:8091/synchrony
<Location /synchrony>
Require all granted
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule .* ws://yourserver.yourdomain.org:8091%{REQUEST_URI} [P]
</Location>

RemoteIPHeader X-Forwarded-For

</VirtualHost>


mod_jk.conf:

# Worker config
JkWorkersFile conf/workers.properties
# Logging
JkLogFile /var/log/apache/mod_jk.log
JkLogLevel warn
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# JkOptions indicates to send SSL KEY SIZE
JkOptions +ForwardKeySize +ForwardURICompatUnparsed -ForwardDirectories +RejectUnsafeURI
JkEnvVar httpd YOURSERVER
# Mount on all vhost and ssl
JkMountCopy All
# node0
# redirect tomcat errors to apache httpd
JkMount /confluence confluence;use_server_errors=500
JkMount /confluence/* confluence;use_server_errors=500

JkMount /jira jira;use_server_errors=500
JkMount /jira/* jira;use_server_errors=500

# Modul (Admin)
JkMount /jk-manage/* jk-manage
JkMount /jk-manage jk-manage

# Enable the JK manager access from localhost/net only
<Location /jk-manage >
JkMount jk-manage
Require ip 192.168
Require ip 127
</Location>


workers.properties:

# Global Settings
worker.maintain=30

# Default Settings

worker.basic.type=ajp13
worker.basic.socket_keepalive=true
worker.basic.ping_mode=A
worker.basic.ping_timeout=10000
worker.basic.connection_pool_size=250
worker.basic.connection_pool_timeout=120
worker.basic.recovery_options=7
worker.basic.lbfactor=1
worker.basic.max_packet_size=65536

worker.list=confluence
worker.confluence.host=YOUR_SERVER_IP
# Confluence AJP PORT
worker.confluence.port=8009
worker.confluence.socket_timeout=300
worker.confluence.socket_connect_timeout=300000
worker.confluence.reference=worker.basic

worker.list=jira
worker.jira.host=YOUR_SERVER_IP
# Jira AJP PORT
worker.jira.port=8010
worker.jira.socket_timeout=300
worker.jira.socket_connect_timeout=300000
worker.jira.reference=worker.basic

# JK Manage Application

worker.list=jk-manage
worker.jk-manage.type=status


Confluence server.xml

<Server port="8000" shutdown="SHUTDOWN">
<Service name="Tomcat-Standalone">
<!-- You can use this one for testing direct access to Confluence without SSL -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8080"
address="YOURSERVERIP"
enableLookups="false"
redirectPort="8443"
acceptCount="10"
minSpareThreads="10"
maxThreads="150"
connectionTimeout="20000"
URIEncoding="UTF-8"
disableUploadTimeout="true"
proxyName="yourserver.yourdomain.org"
proxyPort="443"
scheme="https"/>

<!-- This is the Tomcat AJP Port -->
<Connector port="8009"
minSpareThreads="10"
maxThreads="250"
connectionTimeout="120000"
address="YOURSERVERIP"
protocol="AJP/1.3"
redirectPort="8444"
enableLookups="false"
URIEncoding="UTF-8"
maxPostSize="-1"
packetSize="65536"/>

<Engine name="Standalone" defaultHost="yourserver.yourdomain.org" jvmRoute="node0">

<Host name="yourserver.yourdomain.org" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">

<Context path="/confluence" docBase="../confluence" reloadable="false" useHttpOnly="true">
<Manager pathname="" />
</Context>

<Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0" reloadable="false" useHttpOnly="true">
</Context>
</Host>

</Engine>
</Service>
</Server>


Jira server.xml

<Server port="8005" shutdown="SHUTDOWN_SBJIRASRV1">
<Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
<Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
rmiRegistryPortPlatform="16969" rmiServerPortPlatform="6969" />

<Service name="Catalina">
<!-- You can use this one for testing direct access to Jira without SSL -->
<Connector port="8082"
maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"
enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="8443"
acceptCount="100"
disableUploadTimeout="true"
bindOnInit="false"/>

<Connector port="8010"
minSpareThreads="10"
maxThreads="200"
address="YOURSERVERIP"
protocol="AJP/1.3"
redirectPort="8444"
enableLookups="false"
URIEncoding="UTF-8"
maxPostSize="-1"
packetSize="65536"/>

<Engine name="Catalina" defaultHost="yourserver.yourdomain.org" jvmRoute="jira">

<Host name="yourserver.yourdomain.org" appBase="webapps" unpackWARs="true" autoDeploy="true">

<Context path="/jira" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
<Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"
factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
<Manager pathname=""/>
<JarScanner scanManifest="false"/>
</Context>

</Host>
<Valve className="org.apache.catalina.valves.AccessLogValve"
pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
</Engine>
</Service>
</Server>

Confluence Base URL:

https://yourserver.yourdomain.org/confluence

Jira Base URL:

https://yourserver.yourdomain.org/jira

Hope this helps or leads you in the right direction...

Best

JP

0 votes
Timothy
October 6, 2018

What you can try first is to use SSLPoke and try to access the FQDN of the other application from the machine that is hosting the application.

If you're willing to share both your server.xml and your ssl config, we can try to spot any mistakes.

Adrian_Munther October 6, 2018

I used SSLPoke, but got a bunch of errors. I'm feeling a bit confused about the proxying - I've configured that both Confluence and Jira use the standard HTTP ports between them and Apache, and Apache itself encrypts the communication between the clients and the server. Maybe that's wrong and that it should be encrypted already in Jira/Confluence?

The config files are shown below. I included both the Jira and Confluence config files and the Apache VirtualHost configurations.

Jira server.xml

<?xml version="1.0" encoding="utf-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>

<Service name="Catalina">
<!--
==============================================================================================================
DEFAULT - Direct connector with no proxy for unproxied access to Jira.

If using a http/https proxy, comment out this connector.
==============================================================================================================


<Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
acceptCount="100" disableUploadTimeout="true" bindOnInit="false"/>

-->
<!--
==============================================================================================================
HTTP - Proxying Jira via Apache or Nginx over HTTP

If you're proxying traffic to Jira over HTTP, uncomment the below connector and comment out the others.
Ensure the proxyName and proxyPort are updated with the appropriate information if necessary as per the docs.

See the following for more information:

Apache - https://confluence.atlassian.com/x/4xQLM
nginx - https://confluence.atlassian.com/x/DAFmGQ
==============================================================================================================
-->

<!--
<Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
acceptCount="100" disableUploadTimeout="true" bindOnInit="false" scheme="http"
proxyName="jira.rum.se" proxyPort="80"/>
-->

<!--
==============================================================================================================
HTTPS - Proxying Jira via Apache or Nginx over HTTPS

If you're proxying traffic to Jira over HTTPS, uncomment the below connector and comment out the others.
Ensure the proxyName and proxyPort are updated with the appropriate information if necessary as per the docs.

See the following for more information:

Apache - https://confluence.atlassian.com/x/PTT3MQ
nginx - https://confluence.atlassian.com/x/DAFmGQ
==============================================================================================================
-->


<Connector port="8080" maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
acceptCount="100" disableUploadTimeout="true" bindOnInit="false" secure="true" scheme="https"
proxyName="jira.rum.se" proxyPort="443"/>


<!--
==============================================================================================================
AJP - Proxying Jira via Apache over HTTP or HTTPS

If you're proxying traffic to Jira using the AJP protocol, uncomment the following connector line
See the following for more information:

Apache - https://confluence.atlassian.com/x/QiJ9MQ
==============================================================================================================
-->

<!--
<Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3" />
-->

<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

<Context path="" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
<Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"
factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
<Manager pathname=""/>
<JarScanner scanManifest="false"/>
</Context>

</Host>
<Valve className="org.apache.catalina.valves.AccessLogValve"
pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
</Engine>
</Service>
</Server>

Confluence server.xml

<Server port="8000" shutdown="SHUTDOWN" debug="0">
<Service name="Tomcat-Standalone">
<!--
==============================================================================================================
DEFAULT - Direct connector with no proxy, for unproxied HTTP access to Confluence.

If using a http/https proxy, comment out this connector.
==============================================================================================================
-->
<!--
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="48" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"/>
-->
<!--
==============================================================================================================
HTTP - Proxying Confluence via Apache or Nginx over HTTP

If you're proxying traffic to Confluence over HTTP, uncomment the connector below and comment out the others.
Make sure you provide the right information for proxyName and proxyPort.

For more information see:
Apache - https://confluence.atlassian.com/x/4xQLM
nginx - https://confluence.atlassian.com/x/TgSvEg

==============================================================================================================
-->

<!--
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="48" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="http" proxyName="confluence.rum.se" proxyPort="80"/>

-->
<!--
==============================================================================================================
HTTPS - Direct connector with no proxy, for unproxied HTTPS access to Confluence.

For more info see https://confluence.atlassian.com/x/s3UC
==============================================================================================================
-->

<!--
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25"
protocol="org.apache.coyote.http11.Http11NioProtocol"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" SSLEnabled="true"
URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"/>
-->

<!--
==============================================================================================================
HTTPS - Proxying Confluence via Apache or Nginx over HTTPS

If you're proxying traffic to Confluence over HTTPS, uncomment the connector below and comment out the others.
Make sure you provide the right information for proxyName and proxyPort.

For more information see:
Apache - https://confluence.atlassian.com/x/PTT3MQ
nginx - https://confluence.atlassian.com/x/cNIvMw
==============================================================================================================
-->


<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
maxThreads="48" minSpareThreads="10"
enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="https" secure="true" proxyName="confluence.rum.se" proxyPort="443"/>


<Engine name="Standalone" defaultHost="localhost" debug="0">
<Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
<Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
<!-- Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
<Manager pathname=""/>
<Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
</Context>

<Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0"
reloadable="false" useHttpOnly="true">
<Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60"/>
</Context>
</Host>
</Engine>
</Service>
</Server>

Jira Apache VirtualHost config

<VirtualHost *:443>
ServerName jira.rum.se

SSLEngine on
SSLCertificateFile /etc/apache2/sslcerts/rum.se.crt
SSLCertificateKeyFile /etc/apache2/sslcerts/rum.se.key
ProxyRequests Off
ProxyVia Off

<Proxy *>
Require all granted
</Proxy>

ProxyPass / http://localhost:8080/ connectiontimeout=300 timeout=300
ProxyPassReverse / http://localhost:8080/
</VirtualHost>


<VirtualHost *:80>
ServerName jira.rum.se
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

 

Confluence Apache VirtualHost config

<VirtualHost *:443>
ServerName confluence.rum.se

SSLEngine on
SSLCertificateFile /etc/apache2/sslcerts/rum.se.crt
SSLCertificateKeyFile /etc/apache2/sslcerts/rum.se.key
ProxyRequests Off
ProxyVia Off

<Proxy *>
Require all granted
</Proxy>

ProxyPass / http://localhost:8090/ connectiontimeout=300 timeout=300
ProxyPassReverse / http://localhost:8090/
</VirtualHost>

<VirtualHost *:80>
ServerName confluence.rum.se
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>
JP _AC Bielefeld Leader_
October 6, 2018

Hi Adrian,

your certificate seems to be a wildcard certificate. Is this correct?

Is the certificate accepted when you access each of your servers alone by browser, or do you get any type of error? Are you sure you don't need an intermediate certificate? If you don't have a wildcard certificate, your setup will not work as certificates are bound to a host name (either confluence.rum.se or jira.rum.se). You cannot use the same certificate on both hostnames unless it's a wildcard cert.

Could you post screenshots of the certificate path of both servers?

Best

JP

JP _AC Bielefeld Leader_
October 6, 2018

Hi again,

Confluence connects to Jira over the Base URL you have configured and the other way around. Configure both independently of each other, as if they were running on different servers. Then configure one of them with Apache HTTPD terminating the SSL & check if this works with this server. Then go on with the other one.

Best

JP

Adrian_Munther October 6, 2018

Hi!

We're using a wildcard certificate and we aren't using it on this server alone. The certificate setup in Apache works great without errors in multiple web browsers.

Which certificate paths do you want to see? The Apache paths are shown in the previous post. The certificates aren't loaded in Jira or Confluence.

Thanks for the commitment JP! :)

Adrian_Munther October 6, 2018

Both installations are running independently on separate ports, but within the same server today. Both are also using their separate URL:s without problem and I can login to both of them without any problem. The problem occurs when I'm trying to make the Application Link between them and Jira can't find Confluence on the URL written (which works in the web browser). In addition, the Gadget feed URL doesn't work correctly either because it can't reach the installation itself. It feels like something goes wrong in the SSL proxying...

JP _AC Bielefeld Leader_
October 6, 2018

Hi

Can both of the servers be accessed by https via the Apache proxies on their own?

https://jira.rum.se and https://confluence.rum.se

both work?

Best

JP

Adrian_Munther October 6, 2018

Yes, both of them work.

JP _AC Bielefeld Leader_
October 6, 2018

Sorry,

our posts crossed ;-)

Do you get the same result, if you set up the app link starting with Jira as when you start from Confluence?

As SSL is working when you access the server on their own, it could be the proxy configuration in Apache.

Could you try:

 ProxyRequests Off
ProxyPreserveHost On

and leave away ProxyVia Off?

Best

JP

Adrian_Munther October 6, 2018

The settings above are now running, but unfortunately no change - both Jira and Confluence are accessible, but not between each other.

Adrian_Munther October 6, 2018

Regarding which application I launch the Application Link wizard, the result is always the same, no matter which application.

JP _AC Bielefeld Leader_
October 6, 2018

But the error only happens on the Jira server?

Timothy (Goldfinger Holdings) October 6, 2018

What are the errors from SSLPoke?

Adrian_Munther October 6, 2018

SSLPoke log:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
JP _AC Bielefeld Leader_
October 6, 2018

Is DNS set up correctly on the server? Are jira.rum.se & confluence.rum.se resolved to the server's external IP? On what * IPs is Apache listening?

Timothy
October 6, 2018

I would suggest that you resolve the error shown by SSLPoke. That error means that the JVM (hopefully the same JVM that Jira and Confluence use) cannot accept the cert produced by the domain. For the intercommunication between Jira and Confluence (i.e. application links), it is the JVMs that talk to one another.

The fix would be to add the server certificates into your key/truststore of the JVM. 
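
Added example, not code from any poster in this thread: the path-building failure in the SSLPoke trace and the effect of supplying the intermediate certificate, reproduced offline with a constructed three-tier PKI. All file names, subjects and the `*.example.test` wildcard are assumptions; `openssl verify` stands in for the JVM's validator, and `-untrusted` plays the role of the intermediate a server sends during the handshake.

```shell
#!/usr/bin/env bash
# Added example with a constructed PKI; every name and file here is hypothetical.
set -eu

# Build root CA -> intermediate CA -> wildcard leaf inside directory $1.
build_pki() {
  dir=$1
  cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:*.example.test
EOF
  {
    openssl req -x509 -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
      -extensions v3_ca -subj "/CN=Constructed Root CA" -days 30 \
      -keyout "$dir/root.key" -out "$dir/root.crt"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
      -subj "/CN=Constructed Intermediate CA" \
      -keyout "$dir/int.key" -out "$dir/int.csr"
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
      -set_serial 2 -days 30 -extfile "$dir/pki.cnf" -extensions v3_ca \
      -out "$dir/int.crt"
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" \
      -subj "/CN=*.example.test" \
      -keyout "$dir/leaf.key" -out "$dir/leaf.csr"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
      -set_serial 3 -days 30 -extfile "$dir/pki.cnf" -extensions v3_leaf \
      -out "$dir/leaf.crt"
  } >/dev/null 2>&1
}

# chain_ok TRUST_ANCHOR LEAF [INTERMEDIATE]
# Returns 0 when LEAF chains to TRUST_ANCHOR using only the certificates given,
# i.e. what the client trusts plus what the server presented.
chain_ok() {
  anchor=$1 leaf=$2 inter=${3:-}
  if [ -n "$inter" ]; then
    out=$(openssl verify -CAfile "$anchor" -untrusted "$inter" "$leaf" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$anchor" "$leaf" 2>&1) || true
  fi
  # Match on the output rather than the exit status so old OpenSSL builds behave the same.
  printf '%s\n' "$out" | grep -q ': OK$'
}

# Count the certificates a live server presents (needs network, so not called here).
# A count of 1 for a CA-issued certificate means no intermediate is being sent.
served_cert_count() {
  host=$1 port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
    </dev/null 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

workdir=$(mktemp -d)
build_pki "$workdir"

# Case 1: server presents the leaf only, client trusts only the root.
if chain_ok "$workdir/root.crt" "$workdir/leaf.crt"; then
  echo "leaf only:           chain OK"
else
  echo "leaf only:           no path to trust anchor (the PKIX failure)"
fi

# Case 2: the intermediate accompanies the leaf.
if chain_ok "$workdir/root.crt" "$workdir/leaf.crt" "$workdir/int.crt"; then
  echo "leaf + intermediate: chain OK"
else
  echo "leaf + intermediate: no path to trust anchor"
fi
```

Browsers often mask case 1 because they cache or fetch missing intermediates, while a Java client validates only what it was sent against its truststore.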
