SSL mismatch on Jira

FW EAS September 27, 2017

Hi - Has anyone been able to configure HTTPS on Jira while offloading the SSL encryption and decryption at the load balancer level? I'm having some 80 & 433 mismatch errors when using HTTPS on Jira.

Error from the catalina.out log:

"com.atlassian.gadgets.dashboard.internal.diagnostics.UrlPortMismatchException: Detected URL port, '80', does not match expected port, '443'" 

 

Config on the server.xml file:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxHttpHeaderSize="8192" SSLEnabled="true"
           maxThreads="150" minSpareThreads="25"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="false"
           clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"/>

<Service name="Catalina">

<Connector port="8080"
           maxThreads="150"
           minSpareThreads="25"
           connectionTimeout="20000"
           enableLookups="false"
           maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           useBodyEncodingForURI="true"
           redirectPort="8443"
           acceptCount="100"
           disableUploadTimeout="true"
           scheme="https"
           proxyName="jira-test.fwmrm.net"
           proxyport="443" />

2 answers

0 votes
Daniel Eads _unmonitored account_
Rising Star
September 27, 2017

Hi Alex!

Thank you for including the details from your server.xml file - definitely necessary for troubleshooting SSL errors.

I think part of your problem might be having the internal SSL connector added - that's the 8443 connector, the first block in your paste. Deleting everything above <Service name="Catalina"> might actually clear things up for you. (Reminder: you need to restart JIRA after making changes to server.xml.)

Also double-check that you have the right URL (with an https in the front) in the base URL field in the General Configuration screen in JIRA itself. Gadgets especially will tend to fail noisily if this isn't set correctly.

As an aside, I maintain a reference implementation for nginx that might be useful if you need a "working" configuration to look at.

Cheers,
Daniel

P.S. If you feel like this answer helped, please hit the checkmark to the left to mark it as answered. This helps us focus our efforts on unsolved questions. Thanks!

FW EAS September 27, 2017

Thanks Daniel - I removed it as per your suggestions but it still fails. Is there any special header that I need to add to my configuration?

This is the error:

2017-09-27 20:38:37,899 http-nio-8080-exec-22 ERROR jsoto 1238x50x5 fjyfu7 172.16.192.253,127.0.0.1 /plugins/servlet/gadgets/dashboard-diagnostics [c.a.g.d.internal.diagnostics.DiagnosticsServlet] DIAGNOSTICS: FAILED
com.atlassian.gadgets.dashboard.internal.diagnostics.UrlPortMismatchException: Detected URL port, '80', does not match expected port, '443'
at com.atlassian.gadgets.dashboard.internal.diagnostics.Diagnostics.checkExpectedPort(Diagnostics.java:71)
at com.atlassian.gadgets.dashboard.internal.diagnostics.Diagnostics.check(Diagnostics.java:33)
at com.atlassian.gadgets.dashboard.internal.diagnostics.DiagnosticsServlet.executeDiagnostics(DiagnosticsServlet.java:82)
at com.atlassian.gadgets.dashboard.internal.diagnostics.DiagnosticsServlet.doPost(DiagnosticsServlet.java:58)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:644)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
at com.atlassian.plugin.servlet.DelegatingPluginServlet.service(DelegatingPluginServlet.java:37)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
at com.atlassian.plugin.servlet.ServletModuleContainerServlet.service(ServletModuleContainerServlet.java:45)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
... 17 filtered
at com.develocenter.jira.extschemes.web.filter.DisableNewEntitiesFilter.doFilter(DisableNewEntitiesFilter.java:55)
... 3 filtered
at com.develocenter.jira.linkscheme.labs.JIRALinkFilter.doFilter(JIRALinkFilter.java:76)
... 91 filtered
at com.atlassian.jira.security.JiraSecurityFilter.doFilter(JiraSecurityFilter.java:70)
... 86 filtered
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
2017-09-27 20:38:37,990 http-nio-8080-exec-3 WARN jsoto 1238x51x1 fjyfu7 172.16.192.253,127.0.0.1 /rest/webResources/1.0/resources [c.a.p.r.c.security.jersey.XsrfResourceFilter] Additional XSRF checks failed for request: https://jira-test.fwmrm.net:80/rest/webResources/1.0/resources , origin: https://jira-test.fwmrm.net , referrer: https://jira-test.fwmrm.net/secure/Dashboard.jspa , credentials in request: true , allowed via CORS: false

Daniel Eads _unmonitored account_
Rising Star
October 2, 2017

Hm - maybe check your load balancer now to see if port 80 traffic is being rewritten/redirected up to port 443.

0 votes
Peter DeWitt
Community Leader
September 27, 2017

Alex, I run my Atlassian apps in this configuration.  Check out these articles by Atlassian:

https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-apache-http-server-mod_proxy_http-806032611.html

https://confluence.atlassian.com/adminjiraserver071/integrating-jira-with-apache-using-ssl-802593043.html

These are what I have used to get things up and running.

 

-pd
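
An added example, not part of any post in this thread: a small Python check for the proxy-related attributes on the Connector discussed above. Tomcat applies Connector attribute names case-sensitively, so it also flags miscased names such as `proxyport`; the sample XML is constructed from the question's 8080 connector, and the expected values (port 443, `secure="true"`) are assumptions for a load balancer that terminates TLS on 443.

```python
import xml.etree.ElementTree as ET

# Connector attributes that matter when TLS is offloaded to a proxy / load balancer.
PROXY_ATTRS = ("scheme", "secure", "proxyName", "proxyPort")

# Constructed sample, modelled on the 8080 connector posted in the question.
SAMPLE = """
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"
             scheme="https" proxyName="jira-test.fwmrm.net" proxyport="443"/>
</Service></Server>
"""

def check_proxy_connectors(xml_text, host, port=443):
    """Return findings for connectors that declare scheme="https" while TLS
    is terminated upstream (no SSLEnabled="true" on the connector)."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        where = "Connector port=%s" % conn.get("port")
        # Attribute names are case-sensitive: a miscased name is not applied.
        for name in conn.attrib:
            for known in PROXY_ATTRS:
                if name != known and name.lower() == known.lower():
                    findings.append("%s: '%s' should be '%s'" % (where, name, known))
        if conn.get("SSLEnabled") == "true" or conn.get("scheme") != "https":
            continue  # terminates TLS itself, or is a plain HTTP connector
        if conn.get("proxyName") != host:
            findings.append("%s: proxyName is not %s" % (where, host))
        if conn.get("proxyPort") != str(port):
            findings.append("%s: proxyPort is not %d" % (where, port))
        # Without secure="true" the application sees the request as non-secure.
        if conn.get("secure") != "true":
            findings.append("%s: secure is not 'true'" % where)
    return findings

if __name__ == "__main__":
    for line in check_proxy_connectors(SAMPLE, "jira-test.fwmrm.net"):
        print(line)
```
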
