Trouble with Jira and SSL (Alias name jira does not identify a key entry)

Hi All,

I am hoping that someone can help me out. I am trying to follow this guide

https://confluence.atlassian.com/display/JIRA060/Running+JIRA+over+SSL+or+HTTPS#RunningJIRAoverSSLorHTTPS-commandline

To get Jira working over SSL, I have already received my cert (and tried re-keying it after the first failure).

Following this guide at least 6 times, I fail every time I get to this step:

Verify the certificate exists within the keystore.

<JAVA_HOME>/keytool -list -alias jira -keystore <JIRA_HOME>/jira.jks

This must be a PrivateKeyEntry, if it is not the certificate setup has not successfully completed.


No matter what I try, I always receive this output

jira, Jun 21, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): E3:97:CC:BE:ED:88:F7:C5:E4:EE:B0:AF:5F:DD:D4:0D:F8:96:FC:36

Can anyone point me in the right direction?

I appreciate any help that can be provided
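A `trustedCertEntry` in `keytool -list` output means the alias holds a certificate only, with no private key stored beside it. The script below is an added example (not from the original post or Atlassian's guide): it uses openssl to check that a certificate belongs to a private key and bundles the pair into PKCS#12, which `keytool -importkeystore` stores as a `PrivateKeyEntry`. The file names, the alias `jira`, the password and the generated key material are constructed placeholders.

```shell
#!/bin/sh
# Added example. File names, alias "jira" and the password are placeholders.

# PEM public key embedded in a certificate / derived from a private key.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Succeeds only when the certificate was issued for this private key.
cert_matches_key() {  # usage: cert_matches_key CERT KEY
    c=$(pubkey_of_cert "$1") || return 2
    k=$(pubkey_of_key "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Bundle key + certificate into PKCS#12, refusing a mismatched pair.
make_p12() {  # usage: make_p12 CERT KEY OUT ALIAS PASSWORD
    cert_matches_key "$1" "$2" || { echo "certificate does not match key" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -name "$4" \
        -out "$3" -passout "pass:$5"
}

# Constructed sample material: one self-signed cert with its key, plus an
# unrelated key standing in for a key the CSR was not generated from.
make_fixture() {  # usage: make_fixture DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=subdomain.example.com" \
        -keyout "$1/site.key" -out "$1/site.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_fixture "$d" || return 1
    make_p12 "$d/site.crt" "$d/site.key" "$d/jira.p12" jira changeit &&
        echo "matched pair packaged: $d/jira.p12"
    make_p12 "$d/site.crt" "$d/other.key" "$d/bad.p12" jira changeit ||
        echo "mismatched pair rejected"
    rm -rf "$d"
}
demo

# With a JDK installed, the bundle is imported as a PrivateKeyEntry:
#   keytool -importkeystore -srckeystore jira.p12 -srcstoretype PKCS12 \
#           -destkeystore jira.jks -srcalias jira
#   keytool -list -alias jira -keystore jira.jks
```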

Accepted Answer
0 votes

I found that Atlassian's documentation was wrong/confusing. Instead I followed a combination of GoDaddy, Jira and Confluence documentation to get this working.

I can't guarantee this is 100% the best way to achieve the results, but for anyone struggling with this in the future, here is what I did.

In order to get Jira or Confluence working over SSL with a GoDaddy SSL cert, there are a few things to note:

  1. The Atlassian instructions are wrong
  2. GoDaddy currently has a problem between Java and SHA2, so use SHA1
  3. Create the cert request with Apache and not keytool!
  4. Download the tomcat bundle
  5. The default password for keystore is 'changeit'

To begin, generate your CSR:

openssl req -new -newkey rsa:2048 -nodes -keyout subdomain.example.com.key -out subdomain.example.com.csr

Move your key to /etc/pki/tls/private

mv subdomain.example.com.key /etc/pki/tls/private/

After you receive the certs from GoDaddy they will look something like this

It's best to rename the public cert to match your website (i.e. subdomain.example.com)

After you have put the files in place (for example /etc/pki/tls/certs), use keytool to create a self-signed cert for Tomcat (because in this case Apache is going to be serving the commercial SSL cert):

mv 2b128c4eff80ed.crt /etc/pki/tls/certs/subdomain.example.com.crt
mv gd_bundle.crt /etc/pki/tls/certs/jira.crt
mv gd_intermediate.crt /etc/pki/tls/certs/jira_intermediate.crt

keytool -genkeypair -alias tomcat -keyalg RSA 
mv ~/.keystore /etc/pki/tls/private

The last few steps involve editing Jira/Confluence's server.xml and setting up Apache's ssl.conf. Comment out the default connector, and uncomment the connector which has "8443" as the port:

 <Service name="Catalina">
<!--
        <Connector port="8080"
                   maxThreads="150"
                   minSpareThreads="25"
                   connectionTimeout="20000"
                   enableLookups="false"
                   maxHttpHeaderSize="8192"
                   protocol="HTTP/1.1"
                   useBodyEncodingForURI="true"
                   redirectPort="8443"
                   acceptCount="100"
                   disableUploadTimeout="true"/>
-->
            <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
              maxHttpHeaderSize="8192" SSLEnabled="true"
              maxThreads="150" minSpareThreads="25"
              enableLookups="false" disableUploadTimeout="true"
              acceptCount="100" scheme="https" secure="true"
              clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
              keystorePass="xxxx"
              keystoreFile="/etc/pki/tls/private/.keystore" 
              proxyName="subdomain.example.com"/>

Finally, adjust the ssl.conf to look something like this:

LoadModule ssl_module modules/mod_ssl.so

Listen 443
NameVirtualHost *:443

SSLPassPhraseDialog  builtin

SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300

SSLMutex default

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_html_module modules/mod_proxy_html.so

SSLProxyEngine On
<VirtualHost *:443>
    ServerName confluence.example.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    
    ProxyRequests Off
    ProxyPreserveHost On
 
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
     
    ProxyPass / https://localhost:9443/
    ProxyPassReverse / https://localhost:9443/
     
     
    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>                                  

<VirtualHost *:443>
    ServerName subdomain.example.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/pki/tls/certs/subdomain.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/subdomain.example.com.key
    
    ProxyRequests Off
    ProxyPreserveHost On
 
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
     
    ProxyPass / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/
     
     
    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>                                  

<VirtualHost *:443>
    ServerName oc.example.com
    SSLEngine on
    SSLProtocol all -SSLv2

    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

    SSLCertificateFile /etc/pki/tls/certs/localhost.crt

    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

    DocumentRoot /var/www/html/owncloud/
 
    <Directory /var/www/html/owncloud>
        AllowOverride All
        order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

You should now be able to visit your site via https://subdomain.example.com
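The `SSLProtocol all -SSLv2` and `SSLCipherSuite ALL:...:RC4+RSA:...:+LOW` directives in the configuration above do not turn off SSLv3, RC4 or low-strength ciphers. The script below is an added example, not part of the original answer: it flags those directives in an Apache config read from stdin. The sample configs are constructed, and the three checks are an assumed minimum rather than a complete TLS policy.

```shell
#!/bin/sh
# Added example: flag weak TLS directives in an Apache config read on stdin.
# Prints "LINE: finding" for each problem and returns 1 if any were found.
audit_ssl_conf() {
    awk '
    /^[[:space:]]*#/ { next }                        # skip comments
    $1 == "SSLProtocol" {
        all = 0; nov3 = 0
        for (i = 2; i <= NF; i++) {
            t = tolower($i)
            if (t == "all" || t == "+all") all = 1
            if (t == "-sslv3") nov3 = 1
        }
        if (all && !nov3) { print NR ": SSLProtocol all without -SSLv3"; bad = 1 }
    }
    $1 == "SSLCipherSuite" {
        split("", excl); all = 0                     # reset per directive
        n = split($2, tok, ":")
        for (i = 1; i <= n; i++) {
            if (tok[i] == "ALL") all = 1
            if (substr(tok[i], 1, 1) == "!") excl[substr(tok[i], 2)] = 1
        }
        m = split("LOW RC4 EXPORT", weak, " ")       # classes ALL pulls in
        for (j = 1; j <= m; j++)
            if (all && !(weak[j] in excl)) {
                print NR ": SSLCipherSuite ALL without !" weak[j]; bad = 1
            }
    }
    END { exit bad + 0 }
    '
}

# Constructed samples: the directives from the answer, then a stricter pair.
sample_weak() {
    cat <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
EOF
}
sample_strict() {
    cat <<'EOF'
SSLEngine on
SSLProtocol -all +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
EOF
}
sample_weak | audit_ssl_conf || true
sample_strict | audit_ssl_conf && echo "strict sample: no findings"
```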
