Trouble with Jira and SSL (Alias name jira does not identify a key entry)

stratus-ss June 20, 2014

Hi All,

I am hoping that someone can help me out. I am trying to follow this guide

https://confluence.atlassian.com/display/JIRA060/Running+JIRA+over+SSL+or+HTTPS#RunningJIRAoverSSLorHTTPS-commandline

To get Jira working over SSL, I have already received my cert (and tried re-keying it after the first failure).

Following this guide at least 6 times, I fail every time I get to this step:

Verify the certificate exists within the keystore.

<JAVA_HOME>/keytool -list -alias jira -keystore <JIRA_HOME>/jira.jks

This must be a PrivateKeyEntry; if it is not, the certificate setup has not successfully completed.


No matter what I try, I always receive this output

jira, Jun 21, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): E3:97:CC:BE:ED:88:F7:C5:E4:EE:B0:AF:5F:DD:D4:0D:F8:96:FC:36

Can anyone point me in the right direction?

I appreciate any help that can be provided

1 answer

1 accepted

0 votes
Answer accepted
stratus-ss June 21, 2014

I found that Atlassian's documentation was wrong/confusing. Instead I followed a combination of GoDaddy, Jira and Confluence documentation to get this working.

I can't guarantee this is 100% the best way to achieve the results, but for anyone struggling with this in the future, here is what I did:

In order to get Jira or Confluence working over SSL with a GoDaddy SSL cert, there are a few things to note:

  1. The Atlassian instructions are wrong
  2. GoDaddy currently has a problem between Java and SHA2, so use SHA1
  3. Create the cert request with Apache and not keytool!
  4. Download the tomcat bundle
  5. The default password for keystore is 'changeit'

To begin, generate your CSR:

openssl req -new -newkey rsa:2048 -nodes -keyout subdomain.example.com.key -out subdomain.example.com.csr

Move your key to /etc/pki/tls/private

mv subdomain.example.com.key /etc/pki/tls/private/

After you receive the certs from GoDaddy, they will look something like this

It's best to rename the public cert to match your website (i.e. subdomain.example.com).

After you have put the files in place (for example /etc/pki/tls/certs), use keytool to create a self-signed cert for Tomcat (because in this case Apache is going to be serving the commercial SSL cert):

# Public cert renamed to match the hostname; ssl.conf below refers to it as subdomain.example.com.crt
mv 2b128c4eff80ed.crt /etc/pki/tls/certs/subdomain.example.com.crt
mv gd_bundle.crt /etc/pki/tls/certs/jira.crt
mv gd_intermediate.crt /etc/pki/tls/certs/jira_intermediate.crt

# Self-signed key pair for Tomcat's 8443 connector; keytool writes ~/.keystore (default password 'changeit')
keytool -genkeypair -alias tomcat -keyalg RSA
mv ~/.keystore /etc/pki/tls/private

The last few steps involve editing Jira/Confluence's server.xml and setting up Apache's ssl.conf. Comment out the default connector, and uncomment the connector which has "8443" as the port:

<Service name="Catalina">
<!--
    <Connector port="8080"
               maxThreads="150"
               minSpareThreads="25"
               connectionTimeout="20000"
               enableLookups="false"
               maxHttpHeaderSize="8192"
               protocol="HTTP/1.1"
               useBodyEncodingForURI="true"
               redirectPort="8443"
               acceptCount="100"
               disableUploadTimeout="true"/>
-->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxHttpHeaderSize="8192" SSLEnabled="true"
               maxThreads="150" minSpareThreads="25"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
               keystorePass="xxxx"
               keystoreFile="/etc/pki/tls/private/.keystore"
               proxyName="subdomain.example.com"/>

Finally, adjust the ssl.conf to look something like this:

LoadModule ssl_module modules/mod_ssl.so

Listen 443
NameVirtualHost *:443

SSLPassPhraseDialog  builtin

SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300

SSLMutex default

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin

SSLCryptoDevice builtin

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_html_module modules/mod_proxy_html.so

SSLProxyEngine On
<VirtualHost *:443>
    ServerName confluence.example.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    
    ProxyRequests Off
    ProxyPreserveHost On
 
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
     
    ProxyPass / https://localhost:9443/
    ProxyPassReverse / https://localhost:9443/
     
     
    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>                                  

<VirtualHost *:443>
    ServerName subdomain.example.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/pki/tls/certs/subdomain.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/subdomain.example.com.key
    
    ProxyRequests Off
    ProxyPreserveHost On
 
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
     
    ProxyPass / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/
     
     
    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>                                  

<VirtualHost *:443>
    ServerName oc.example.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

    DocumentRoot /var/www/html/owncloud/

    <Directory /var/www/html/owncloud>
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

You should now be able to visit your site via https://subdomain.example.com
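The listing in the question ("jira, ..., trustedCertEntry") is what keytool prints when a certificate was imported with -importcert under an alias that holds no private key; the alias only becomes a PrivateKeyEntry when the key pair and its certificate sit together in the same entry. The following is an added example, not code from the original post or from Atlassian: it runs the openssl route the answer recommends end to end, with a constructed throwaway CA standing in for GoDaddy, pairs the key and certificate in a PKCS#12 file, and then imports that into a JKS when keytool is available. The host name, password, file names and the demo CA are all placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): why keytool shows "trustedCertEntry"
# and how to build a keystore whose "jira" alias is a PrivateKeyEntry.
# Assumptions: openssl is installed; keytool (JDK) is optional; host name,
# password and the throwaway CA below are placeholders constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="subdomain.example.com"   # placeholder host name
PASS="changeit"                # demo keystore password (Tomcat's default)

# 1. Key and CSR with openssl, as the answer recommends (the key stays in this file).
gen_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/$HOST.key" -out "$WORK/$HOST.csr" 2>/dev/null
}

# 2. A constructed local CA stands in for GoDaddy and signs the CSR.
sign_with_demo_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
    -keyout "$WORK/demo-ca.key" -out "$WORK/demo-ca.crt" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/$HOST.csr" -CA "$WORK/demo-ca.crt" \
    -CAkey "$WORK/demo-ca.key" -CAcreateserial -out "$WORK/$HOST.crt" 2>/dev/null
}

# 3. Pair the private key with its certificate (plus chain) in one PKCS#12 file.
#    "-name jira" becomes the keytool alias. This pairing is what "keytool -importcert"
#    never does: a certificate imported without its key is a trustedCertEntry.
build_pkcs12() {
  openssl pkcs12 -export -name jira -inkey "$WORK/$HOST.key" -in "$WORK/$HOST.crt" \
    -certfile "$WORK/demo-ca.crt" -out "$WORK/jira.p12" -passout "pass:$PASS"
}

# What the PKCS#12 holds: expect 1 private key and 2 certificates (leaf + demo CA).
p12_key_count() {
  openssl pkcs12 -in "$WORK/jira.p12" -nocerts -nodes -passin "pass:$PASS" 2>/dev/null \
    | grep -c 'BEGIN.*PRIVATE KEY'
}
p12_cert_count() {
  openssl pkcs12 -in "$WORK/jira.p12" -nokeys -passin "pass:$PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# 4. Convert to JKS with keytool and list the alias (skipped when no JDK is present).
import_into_jks() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not found; Tomcat can load jira.p12 directly"; return 0; }
  keytool -importkeystore -noprompt -srckeystore "$WORK/jira.p12" -srcstoretype PKCS12 \
    -srcstorepass "$PASS" -destkeystore "$WORK/jira.jks" -deststorepass "$PASS"
  keytool -list -keystore "$WORK/jira.jks" -storepass "$PASS" -alias jira
}

# Extracts the entry type from one line of "keytool -list" output
# (the date field contains a comma, so match the last ", <type>," field).
entry_type() { printf '%s\n' "$1" | sed -n 's/.*, \([A-Za-z]*Entry\),.*/\1/p'; }

gen_key_and_csr
sign_with_demo_ca
build_pkcs12
echo "private keys: $(p12_key_count), certificates: $(p12_cert_count)"
import_into_jks
```

With a real GoDaddy-issued certificate, replace the demo CA step with the returned .crt and pass gd_bundle.crt as -certfile so the intermediate ends up in the same entry. If converting to JKS is not needed, Tomcat can read the PKCS#12 file directly by adding keystoreType="PKCS12" to the 8443 connector.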

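The ssl.conf in the answer disables only SSLv2, so SSLv3 and TLS 1.0 stay on, and its cipher string explicitly adds RC4, MEDIUM and LOW grades. The following is an added example, not part of the original answer: a small lint for those two directives, run against the posted VirtualHost (reproduced from the answer as a constructed input) and against a hardened version of the same host. The hardened block assumes httpd 2.4 syntax (the -TLSv1.1 keyword) and reuses the answer's placeholder host name, certificate paths and the jira_intermediate.crt file for the chain.

```shell
#!/bin/sh
# Added example (not from the original answer): lint the TLS directives in an httpd
# ssl.conf and compare the posted VirtualHost with a hardened one.
# Assumptions: httpd 2.4 syntax; host names and paths are the answer's placeholders.
set -euf   # -f: no globbing, since config lines contain "*:443"

WORK="${WORK:-$(mktemp -d)}"

# Prints one finding per line; returns 1 if the file enables SSLv3 or weak ciphers.
# Protocol rule: "all" (or a listed SSLv3) without "-SSLv3" keeps SSLv3 on (POODLE).
# Cipher rule: any RC4/LOW/MEDIUM/EXPORT/DES/MD5 token not negated with "!" is flagged.
lint_ssl_conf() {
  findings=0
  while IFS= read -r line; do
    set -- $line                       # split into directive and arguments
    [ $# -gt 0 ] || continue
    directive=$1; shift
    case "$directive" in
      SSLProtocol)
        case " $* " in
          *" -SSLv3 "*) ;;
          *" all "*|*" SSLv3 "*|*" +SSLv3 "*)
            echo "SSLProtocol '$*' leaves SSLv3 enabled"; findings=$((findings + 1)) ;;
        esac ;;
      SSLCipherSuite)
        weak=$(printf '%s\n' "$*" | tr ':' '\n' | grep -v '^!' \
               | grep -E 'RC4|LOW|MEDIUM|EXPORT|DES|MD5' || true)
        if [ -n "$weak" ]; then
          echo "SSLCipherSuite enables weak ciphers: $(printf '%s' "$weak" | tr '\n' ' ')"
          findings=$((findings + 1))
        fi ;;
    esac
  done < "$1"
  [ "$findings" -eq 0 ]
}

# The VirtualHost as posted in the answer (constructed input for the lint).
write_posted_vhost() {
  cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName subdomain.example.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/pki/tls/certs/subdomain.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/subdomain.example.com.key
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/
</VirtualHost>
EOF
}

# Same host, hardened: TLS 1.2+ only, no RC4/LOW/MEDIUM/3DES, server-chosen cipher
# order, and the intermediate served so clients can build the path to the root.
write_hardened_vhost() {
  cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName subdomain.example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/pki/tls/certs/subdomain.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/subdomain.example.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/jira_intermediate.crt
    ProxyRequests Off
    ProxyPreserveHost On
    SSLProxyEngine On
    ProxyPass / https://localhost:8443/
    ProxyPassReverse / https://localhost:8443/
</VirtualHost>
EOF
}

write_posted_vhost "$WORK/posted.conf"
write_hardened_vhost "$WORK/hardened.conf"
for f in posted hardened; do
  echo "== $f.conf"
  lint_ssl_conf "$WORK/$f.conf" && echo "no weak TLS settings found"
done
```

Two caveats the lint does not cover: SSLCertificateChainFile is deprecated from httpd 2.4.8 onward in favour of appending the intermediate to SSLCertificateFile, and with SSLProxyEngine On Apache does not verify the self-signed Tomcat certificate on 8443 unless SSLProxyVerify and SSLProxyCACertificateFile are configured, which is acceptable only while the backend hop stays on localhost.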