Troubleshooting jira over ssl certificate chain

I'm trying to get JIRA working over ssl, the website comes up but the certificate doesn't show up as trusted. I exported the certificates from my workstation and imported them into the java keystore. How would I go about troubleshooting this issue?

4 answers

This widget could not be displayed.

How was your certificate created? A self signed certificate is rarely trusted by default.

This widget could not be displayed.

The certificate was signed by my company Windows CA.

Is your environment Linux or Windows?

Its a linux host running Jira, windows is the CA

This widget could not be displayed.

So you need run the keytool and update the apache tomcat setup file.   Please see the keytool commands in the following previous answer and the information about the slight differences in the apache setup for Linux.   I assume you are already following the setup directions already mentioned in the documentation.  Do not forget to setup the keyalias parameter.

https://answers.atlassian.com/questions/20947

https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS

https://confluence.atlassian.com/display/JIRA/Integrating+JIRA+with+Apache+using+SSL

 

Maybe I'm confused about the alias parameter, I had to add two extra certs for my cert chain, when I added them I called them whatever I wanted, for example I called them RootCA and IntermediateCA because I didn't care what they were listed as in my keystore, is that wrong, do they need to be called something specific? I checked tonight, the issue most certainly is the chain is broken but I added the extra certs by exporting the certificates I wanted from windows and importing them into java keystore using the keytool -import -alias RootCA -keystore /home/svccltprdqdsgit/atlassian/application-data/jira.jks -trustcacerts -file RootCA.crt This is what was listed in the jira ssl document.

This widget could not be displayed.

The keystore alias doesn't matter. It can be anything that you want it to be. Make sure that you add the RootCA and IntermediateCA to cacerts keystore or whatever store you are using to keep your CA certs. You typically don't have to do this since its coming from a known CA, but I have seen that it does fix problems. You can use the cacerts in the JDK that you are using or copy it and add the two certs.

In Tomcat, you would have something like this in your SSL connector section, where the keystore-ident has the key and signed cert for your site

keystoreFile="/jira/.keystore-ident"
keystorePass="changeit"
keyAlias="jira"
trustsoreFile="/jira/cacerts"
truststorePass="changeit"

I don't have the trust store information it should be the same file should I just add that and the alias's?

If you have everything in one file you don't need the truststoreFile and trustorePass. You still need the keyAlias since this tells Tomcat what key to use for encryption. But you should still add the root and intermediate certs for your CA. It is also better if you add the certs in the order of root CA -> intermediate cert -> site cert.

Suggest an answer

Log in or Sign up to answer
Atlassian Summit 2018

Meet the community IRL

Atlassian Summit is an excellent opportunity for in-person support, training, and networking.

Learn more
Community showcase
Posted Wednesday in New to Jira

Are you planning to trial, or are currently trialling Jira Software? - We want to talk to you!

Hello! I'm Rayen, a product manager at Atlassian. My team and I are working hard to improve the trial experience for Jira Software Cloud. We are interested in   talking to 20 people planning t...

112 views 2 0
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you