Running JIRA & Stash over Apache SSL with GoDaddy certificate

We're running CentOS 7 with the latest versions of JIRA and Stash behind an Apache (2.4) SSL Proxy.

We can access both the sites with no problem.

The applications work fine on their own, but when trying to link the two applications together it thinks the other application is offline. They are hosted on the same machine.

From what I've read - it could be due to the GoDaddy SSL certificate, however we have changed it from a SHA2 encryption to SHA1 but with no luck.

The error I get when trying to import the SSL certificate using the JIRA plugin is:

class javax.net.ssl.SSLException during connection to stash.ourwebsite.com:port...

Could not obtain server certificate chain

The GoDaddy entries are in the "existing certificates" section:

SERIALNUMBER=XXXXXXX, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US

OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US

OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US (no idea why this is in there twice)


Any ideas? We've been trying to figure this out for what feels like forever. We want to add Confluence to our system but there's no point if we can't get these two working together.

Could it be non-SSL related as they are hosted on the same server and they are having issues connecting to each other?

Update:

We tried using a different certificate from a different issuer and still no luck. So this must be something else causing the issue?

3 answers

1 accepted


It turned out to be an issue when connecting internally, we had the domain name as a host entry for 127.0.0.1, but we also have internal IPs (plus the external IP). Apache was listening on the internal IP for the HTTPS connection and for some reason when connecting (even via telnet, which we thought was working) to the domain from the server itself, it was returning HTTP and not HTTPS.

We fixed this by adding a host entry to /etc/hosts for the domain on the internal IP.
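A quick check for the failure described in this answer, added here as an example and not part of the original thread: it reports which address the server's own hosts file gives for the name, and whether a TLS handshake succeeds when connecting to that name locally. The host name, addresses and sample hosts file are constructed, and `hosts_addrs`, `check_name` and `speaks_tls` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread. Names and addresses are constructed.

# hosts_addrs FILE NAME: print each address FILE maps NAME to, in file order.
# The resolver uses the first match, so order matters.
hosts_addrs() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                      # drop comments
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(name)) { print $1; break }
        }' "$1"
}

# check_name FILE NAME: classify the address the server itself would use.
check_name() {
    first=$(hosts_addrs "$1" "$2" | head -n 1)
    case "$first" in
        "")        echo "no-entry" ;;
        127.*|::1) echo "loopback:$first" ;;   # the situation in the answer
        *)         echo "ok:$first" ;;
    esac
}

# speaks_tls HOST PORT: succeed only if a TLS handshake on HOST:PORT returns
# a certificate. A plain-HTTP listener fails here. Needs the openssl CLI.
speaks_tls() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        grep -q 'BEGIN CERTIFICATE'
}

# Constructed hosts file: the name is pinned to loopback ahead of the internal IP.
sample=$(mktemp)
printf '%s\n' '127.0.0.1 localhost stash.example.test' \
              '10.0.0.5  stash.example.test  # internal' > "$sample"
check_name "$sample" stash.example.test     # loopback:127.0.0.1
rm -f "$sample"

# On the server itself (port is site-specific):
#   check_name /etc/hosts stash.example.test
#   speaks_tls stash.example.test 443 || echo "no TLS on the local path"
```

Run both checks from the server that hosts the applications, since a browser on another machine resolves the name differently and will not show the problem.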


Hi David, have you imported your certificate into the cacerts file of each application? In case not, you may want to follow the steps in this doc.

I hope it helps.

Cheers

Yes we have tried this and it does not help. This is also what the SSL import tool attempts to do, which works for other SSL certificates (we tried Google and GoDaddy sites) but just not ours...

We had a similar issue due to GoDaddy, and adding the cacerts file to the embedded JRE helped us. Another place to look is https://marketplace.atlassian.com/plugins/com.atlassian.jira.plugin.jirasslplugin but that is for JIRA, they don't have a Stash version, just JIRA and Confluence (https://marketplace.atlassian.com/plugins/com.atlassian.confluence.plugins.ssl)

Hi Larry, we're currently already using the JIRA SSL Plugin, which isn't helping. It's what is saying it can't find the server certificate chain.

Our problem is GoDaddy signed our cert with a newer root cert than is found in most chains... And remembering that JIRA had an embedded JRE to put the certs file in the JRE's lib/security folder.

We have tried using a SHA1 chain / certificate as this is included in the Java keystore but that didn't work either (this was a suggestion from the internets). The chain files do appear to be in the existing certificates, but it just doesn't seem to be able to do anything with it.


"Could not obtain server certificate chain"

This looks a bit like the problem with Firefox which bjorks at GoDaddy certs because the bundle or chain is not included by default. The snippet of the GoDaddy entries you included above does not show the chain.

Get the "bundle" from GoDaddy, add it to the cert and then add the cert into the correct cacerts file. Your keytool command should look something like this:

/opt/jdk1.7.0_13/jre/bin/keytool -import -alias wiki.example.com -keystore /opt/jdk1.7.0_13/jre/lib/security/cacerts -file /root/wiki.pem

Good luck

When accessing the sites through any browser or telnet or openssl etc, there's no problem with obtaining the information (we're using Apache as a Proxy SSL). We've already attempted to add the bundle to the necessary files in JIRA and those that I mentioned in my question match the names of the certificates in the chain for our certificate.
