We're running CentOS 7 with the latest versions of JIRA and Stash behind an Apache (2.4) SSL Proxy.
We can access both the sites with no problem.
The applications work fine on their own, but when trying to link the two applications together it thinks the other application is offline. They are hosted on the same machine.
From what I've read - it could be due to the GoDaddy SSL certificate, however we have changed it from a SHA2 encryption to SHA1 but with no luck.
The error I get when trying to import the SSL certificate using the JIRA plugin is:
class javax.net.ssl.SSLException during connection to stash.ourwebsite.com:port...
Could not obtain server certificate chain
The GoDaddy entries are in the "existing certificates" section:
OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US (no idea why this is in there twice)
Any ideas? We've been trying to figure this out for what feels like forever. We want to add Confluence to our system but there's no point if we can't get these two working together.
Could it be non-SSL related as they are hosted on the same server and they are having issues connecting to each other?
We tried using a different certificate from a different issuer and still no luck. So this must be something else causing the issue?
It turned out to be an issue when connecting internally: we had the domain name as a host entry for 127.0.0.1, but we also have internal IPs (plus the external IP). Apache was listening on the internal IP for the HTTPS connection, and for some reason when connecting (even via telnet, which we thought was working) to the domain from the server itself, it was returning HTTP and not HTTPS.
We fixed this by adding a host entry to /etc/hosts for the domain on the internal IP.
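A way to check for the situation described in the answer above, as an added example that is not part of the original thread: it attempts a verified TLS handshake against each address the server's own hosts file gives for the name, which separates "this address is not speaking TLS on that port" from "TLS works but the certificate was rejected". The host name, the 192.0.2.10 address and the sample hosts content are constructed placeholders, and Python validates against the system trust store rather than the Java cacerts file.

```python
import socket
import ssl

# Constructed sample of the kind of hosts file described in the thread; the
# name and the internal address (a documentation range) are placeholders.
SAMPLE_HOSTS = """\
127.0.0.1   localhost stash.example.com   # loopback entry that caused the problem
192.0.2.10  stash.example.com             # internal IP where Apache serves HTTPS
"""

def hosts_addresses(hosts_text, name):
    """Return every address that a hosts file maps to `name`, in file order."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2 and name.lower() in (f.lower() for f in fields[1:]):
            found.append(fields[0])
    return found

def classify(error):
    """Map the outcome of a handshake attempt (None = success) to a verdict."""
    if error is None:
        return "tls-ok"
    if isinstance(error, ssl.SSLCertVerificationError):
        return "tls-cert-rejected"   # TLS is spoken; chain or host name not accepted
    if isinstance(error, ssl.SSLError):
        return "not-tls"             # handshake failed, e.g. plain HTTP on this port
    return "unreachable"             # refused, timed out, no route

def probe(ip, port, name, timeout=5):
    """Try a verified TLS handshake to one specific address, sending `name` as SNI."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=name):
                return classify(None)
    except (ssl.SSLError, OSError) as exc:
        return classify(exc)

def check(name, port=443, hosts_path="/etc/hosts"):
    """Probe every address the local hosts file gives for `name`."""
    with open(hosts_path) as fh:
        return {ip: probe(ip, port, name) for ip in hosts_addresses(fh.read(), name)}
```

Run `check()` on the server that hosts both applications, with the proxy's real name and port; a `not-tls` or `unreachable` verdict for one address next to `tls-ok` for another points at name resolution rather than at the certificate.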
We had a similar issue due to GoDaddy, and adding the cacerts file to the embedded JRE helped us. Another place to look is https://marketplace.atlassian.com/plugins/com.atlassian.jira.plugin.jirasslplugin but that is for JIRA; they don't have a Stash version, just JIRA and Confluence (https://marketplace.atlassian.com/plugins/com.atlassian.confluence.plugins.ssl).
We have tried using a SHA1 chain / certificate as this is included in the Java keystore but that didn't work either (this was a suggestion from the internets). The chain files do appear to be in the existing certificates, but it just doesn't seem to be able to do anything with it.
"Could not obtain server certificate chain"
This looks a bit like the problem with Firefox, which bjorks at GoDaddy certs because the bundle or chain is not included by default. The snippet of the GoDaddy entries you included above does not show the chain.
Get the "bundle" from GoDaddy, add it to the cert and then add the cert into the correct cacerts file. Your keytool command should look something like this:
/opt/jdk1.7.0_13/jre/bin/keytool -import -alias wiki.example.com -keystore /opt/jdk1.7.0_13/jre/lib/security/cacerts -file /root/wiki.pem
When accessing the sites through any browser or telnet or openssl etc, there's no problem with obtaining the information (we're using Apache as a Proxy SSL). We've already attempted to add the bundle to the necessary files in JIRA and those that I mentioned in my question match the names of the certificates in the chain for our certificate.