Running JIRA & Stash over Apache SSL with GoDaddy certificate

We're running CentOS 7 with the latest versions of JIRA and Stash behind an Apache (2.4) SSL Proxy.

We can access both the sites with no problem.

The applications work fine on their own, but when trying to link the two applications together it thinks the other application is offline. They are hosted on the same machine.

From what I've read - it could be due to the GoDaddy SSL certificate, however we have changed it from a SHA2 encryption to SHA1 but with no luck.

The error I get when trying to import the SSL certificate using the JIRA plugin is:

class javax.net.ssl.SSLException during connection to stash.ourwebsite.com:port...

Could not obtain server certificate chain

The GoDaddy entries are in the "existing certificates" section:

SERIALNUMBER=XXXXXXX, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US

OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US

OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US (no idea why this is in there twice)


Any ideas? We've been trying to figure this out for what feels like forever. We want to add Confluence to our system but there's no point if we can't get these two working together.

Could it be non-SSL related as they are hosted on the same server and they are having issues connecting to each other?

Update:

We tried using a different certificate from a different issuer and still no luck. So this must be something else causing the issue?

3 answers

1 accepted

Accepted Answer
0 votes

It turned out to be an issue when connecting internally, we had the domain name as a host entry for 127.0.0.1, but we also have internal IPs (plus the external IP). Apache was listening on the internal IP for the HTTPS connection and for some reason when connecting (even via telnet, which we thought was working) to the domain from the server itself, it was returning HTTP and not HTTPS.

We fixed this by adding a host entry to /etc/hosts for the domain on the internal IP.
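The check described in the accepted answer, as an added example that is not part of the original post: it lists the addresses a hosts file maps the name to, then tests each one for a TLS listener and, if the handshake fails, for plaintext HTTP on the same port. The hostname `stash.example.com`, port 443 and the sample hosts entries are constructed placeholders.

```python
import socket
import ssl

def hosts_addresses(hosts_text, name):
    """Return every address a hosts file maps `name` to, in file order."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and name.lower() in (f.lower() for f in fields[1:]):
            found.append(fields[0])
    return found

def classify_reply(first_bytes):
    """Tell a TLS record (handshake or alert) apart from an HTTP status line."""
    if len(first_bytes) >= 2 and first_bytes[0] in (0x15, 0x16) and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"

def probe(address, port, server_name, timeout=5):
    """Try a TLS handshake against one address; if it fails, look for plain HTTP."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # diagnosing the listener only, not validating trust
    ctx.verify_mode = ssl.CERT_NONE  # no application data is sent over this session
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                return "tls (" + tls.version() + ")"
    except ssl.SSLError:
        pass                         # something answered, but not with TLS
    except OSError as exc:
        return "unreachable: " + str(exc)
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + server_name.encode() + b"\r\n\r\n")
            return classify_reply(raw.recv(16))
    except OSError as exc:
        return "unreachable: " + str(exc)

# Constructed sample of the loopback mapping the answer describes.
SAMPLE_HOSTS = """\
127.0.0.1   localhost stash.example.com   # constructed
::1         localhost
"""

if __name__ == "__main__":
    name, port = "stash.example.com", 443   # placeholders
    for addr in hosts_addresses(SAMPLE_HOSTS, name):
        print(addr, "->", probe(addr, port, name))
```

Run it on the server itself with the contents of the real /etc/hosts: a `plaintext-http` result for an address means a Java client resolving the name to that address cannot obtain a certificate chain, whatever the trust store contains.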

Hi David, have you imported your certificate into the cacerts file of each application? In case not, you may want to follow the steps in this doc.

I hope it helps.

Cheers

Yes we have tried this and it does not help. This is also what the SSL import tool attempts to do, which works for other SSL certificates (we tried google and godaddy sites) but just not ours...

We had a similar issue due to GoDaddy, and adding the cacerts file to the embedded JRE helped us. Another place to look is https://marketplace.atlassian.com/plugins/com.atlassian.jira.plugin.jirasslplugin but that is for JIRA, they don't have a Stash version, just JIRA and Confluence (https://marketplace.atlassian.com/plugins/com.atlassian.confluence.plugins.ssl)

Hi Larry, we're currently already using the JIRA SSL Plugin, which isn't helping. It's what is saying it can't find the server certificate chain.

Our problem is GoDaddy signed our cert with a newer root cert than is found in most chains... And remembering that JIRA had an embedded JRE to put the certs file in the JRE's lib/security folder.

We have tried using a SHA1 chain / certificate as this is included in the Java keystore but that didn't work either (this was a suggestion from the internets). The chain files do appear to be in the existing certificates, but it just doesn't seem to be able to do anything with it.

"Could not obtain server certificate chain"

This looks a bit like the problem with Firefox which bjorks at godaddy certs because the bundle or chain is not included by default. The snippet of the godaddy entries you included above does not show the chain.

Get the "bundle" from godaddy, add it to the cert and then add the cert into the correct cacerts file. Your keytool command should look something like this:

/opt/jdk1.7.0_13/jre/bin/keytool -import -alias wiki.example.com -keystore /opt/jdk1.7.0_13/jre/lib/security/cacerts -file /root/wiki.pem

Good luck

When accessing the sites through any browser or telnet or openssl etc, there's no problem with obtaining the information (we're using Apache as a Proxy SSL). We've already attempted to add the bundle to the necessary files in JIRA and those that I mentioned in my question match the names of the certificates in the chain for our certificate.
