Running JIRA & Stash over Apache SSL with GoDaddy certificate

dvrn12417 September 15, 2014

We're running CentOS 7 with the latest versions of JIRA and Stash behind an Apache (2.4) SSL Proxy.

We can access both the sites with no problem.

The applications work fine on their own, but when trying to link the two applications together it thinks the other application is offline. They are hosted on the same machine.

From what I've read - it could be due to the GoDaddy SSL certificate, however we have changed it from a SHA2 encryption to SHA1 but with no luck.

The error I get when trying to import the SSL certificate using the JIRA plugin is:

class javax.net.ssl.SSLException during connection to stash.ourwebsite.com:port...

Could not obtain server certificate chain

The GoDaddy entries are in the "existing certificates" section:

SERIALNUMBER=XXXXXXX, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US

OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US

OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US (no idea why this is in there twice)


Any ideas? We've been trying to figure this out for what feels like forever. We want to add Confluence to our system but there's no point if we can't get these two working together.

Could it be non-SSL related as they are hosted on the same server and they are having issues connecting to each other?

Update:

We tried using a different certificate from a different issuer and still no luck. So this must be something else causing the issue?

3 answers

1 accepted

0 votes
Answer accepted
dvrn12417 September 15, 2014

It turned out to be an issue when connecting internally: we had the domain name as a host entry for 127.0.0.1, but we also have internal IPs (plus the external IP). Apache was listening on the internal IP for the HTTPS connection and for some reason when connecting (even via telnet, which we thought was working) to the domain from the server itself, it was returning HTTP and not HTTPS.

We fixed this by adding a host entry to /etc/hosts for the domain on the internal IP.
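
A way to check for the condition described in this answer, as an added example that is not part of the original post: run from the server itself, it lists every address the hostname resolves to locally (including /etc/hosts entries) and attempts a TLS handshake with each, separating "port does not speak TLS" from "TLS works but the chain is not trusted". The function names are hypothetical, and verification uses Python's trust store, not the cacerts file of JIRA's JRE.

```python
import socket
import ssl
import sys


def resolve_all(host, port):
    """Every address the local resolver (including /etc/hosts) returns for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def probe(addr, port, server_name, timeout=3.0):
    """Attempt a TLS handshake with addr:port and classify the outcome."""
    # Default context: certificate and hostname verification stay enabled.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                return ("tls-trusted", tls.version())
    except ssl.SSLCertVerificationError as exc:
        # TLS is spoken, but the chain or hostname did not verify.
        return ("tls-untrusted", exc.verify_message)
    except ssl.SSLError as exc:
        # No usable handshake, e.g. the listener answered in plain HTTP.
        return ("not-tls", exc.reason or str(exc))
    except OSError as exc:
        # Refused, timed out, or no route to that address.
        return ("unreachable", str(exc))


if __name__ == "__main__":
    # Usage: script.py HOST PORT [EXTRA_ADDR ...]
    # EXTRA_ADDR: addresses to compare against, such as the internal IP
    # that Apache listens on for HTTPS.
    host, port = sys.argv[1], int(sys.argv[2])
    for addr in resolve_all(host, port) + sys.argv[3:]:
        print(addr, *probe(addr, port, host))
```

A "not-tls" result for the address the hostname resolves to, next to a "tls-trusted" or "tls-untrusted" result for the internal IP, points at name resolution or the Apache listener rather than at the certificate.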

0 votes
Davet September 15, 2014

"Could not obtain server certificate chain"

This looks a bit like the problem with Firefox which bjorks at GoDaddy certs because the bundle or chain is not included by default. The snippet of the GoDaddy entries you included above does not show the chain.

Get the "bundle" from GoDaddy, add it to the cert and then add the cert into the correct cacerts file. Your keytool command should look something like this:

/opt/jdk1.7.0_13/jre/bin/keytool -import -alias wiki.example.com -keystore /opt/jdk1.7.0_13/jre/lib/security/cacerts -file /root/wiki.pem

Good luck

dvrn12417 September 15, 2014

When accessing the sites through any browser or telnet or openssl etc, there's no problem with obtaining the information (we're using Apache as a Proxy SSL). We've already attempted to add the bundle to the necessary files in JIRA and those that I mentioned in my question match the names of the certificates in the chain for our certificate.

0 votes
Tiago Comasseto
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
September 15, 2014

Hi David, have you imported your certificate into the cacerts file of each application? If not, you may want to follow the steps in this doc.

I hope it helps.

Cheers

dvrn12417 September 15, 2014

Yes we have tried this and it does not help. This is also what the SSL import tool attempts to do, which works for other SSL certificates (we tried google and godaddy sites) but just not ours...

Larry Shatzer
Rising Star
September 15, 2014

We had a similar issue due to GoDaddy, and adding the cacerts file to the embedded JRE helped us. Another place to look is https://marketplace.atlassian.com/plugins/com.atlassian.jira.plugin.jirasslplugin but that is for JIRA, they don't have a Stash version, just JIRA and Confluence (https://marketplace.atlassian.com/plugins/com.atlassian.confluence.plugins.ssl)

dvrn12417 September 15, 2014

Hi Larry, we're currently already using the JIRA SSL Plugin, which isn't helping. It's what is saying it can't find the server certificate chain.

Larry Shatzer
Rising Star
September 15, 2014

Our problem is GoDaddy signed our cert with a newer root cert than is found in most chains... And remembering that JIRA had an embedded JRE to put the certs file in the JRE's lib/security folder.

dvrn12417 September 15, 2014

We have tried using a SHA1 chain / certificate as this is included in the Java keystore but that didn't work either (this was a suggestion from the internets). The chain files do appear to be in the existing certificates, but it just doesn't seem to be able to do anything with it.
