Troubleshooting jira over ssl certificate chain

I'm trying to get JIRA working over ssl, the website comes up but the certificate doesn't show up as trusted. I exported the certificates from my workstation and imported them into the java keystore. How would I go about troubleshooting this issue?

4 answers

How was your certificate created? A self signed certificate is rarely trusted by default.

The certificate was signed by my company Windows CA.

Is your environment Linux or Windows?

Its a linux host running Jira, windows is the CA

So you need run the keytool and update the apache tomcat setup file.   Please see the keytool commands in the following previous answer and the information about the slight differences in the apache setup for Linux.   I assume you are already following the setup directions already mentioned in the documentation.  Do not forget to setup the keyalias parameter.

https://answers.atlassian.com/questions/20947

https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS

https://confluence.atlassian.com/display/JIRA/Integrating+JIRA+with+Apache+using+SSL

 

Maybe I'm confused about the alias parameter, I had to add two extra certs for my cert chain, when I added them I called them whatever I wanted, for example I called them RootCA and IntermediateCA because I didn't care what they were listed as in my keystore, is that wrong, do they need to be called something specific? I checked tonight, the issue most certainly is the chain is broken but I added the extra certs by exporting the certificates I wanted from windows and importing them into java keystore using the keytool -import -alias RootCA -keystore /home/svccltprdqdsgit/atlassian/application-data/jira.jks -trustcacerts -file RootCA.crt This is what was listed in the jira ssl document.

The keystore alias doesn't matter. It can be anything that you want it to be. Make sure that you add the RootCA and IntermediateCA to cacerts keystore or whatever store you are using to keep your CA certs. You typically don't have to do this since its coming from a known CA, but I have seen that it does fix problems. You can use the cacerts in the JDK that you are using or copy it and add the two certs.

In Tomcat, you would have something like this in your SSL connector section, where the keystore-ident has the key and signed cert for your site

keystoreFile="/jira/.keystore-ident"
keystorePass="changeit"
keyAlias="jira"
trustsoreFile="/jira/cacerts"
truststorePass="changeit"

I don't have the trust store information it should be the same file should I just add that and the alias's?

If you have everything in one file you don't need the truststoreFile and trustorePass. You still need the keyAlias since this tells Tomcat what key to use for encryption. But you should still add the root and intermediate certs for your CA. It is also better if you add the certs in the order of root CA -> intermediate cert -> site cert.

Suggest an answer

Log in or Sign up to answer
How to earn badges on the Atlassian Community

How to earn badges on the Atlassian Community

Badges are a great way to show off community activity, whether you’re a newbie or a Champion.

Learn more
Community showcase
Published 3 hours ago in Jira Software

How large do you think Jira Software can grow?

Hi Atlassian Community! My name is Shana, and I’m on the Jira Software team. One of the many reasons this Community exists is to connect you to others on similar product journeys or with comparabl...

58 views 4 4
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you