Troubleshooting jira over ssl certificate chain

I'm trying to get JIRA working over ssl, the website comes up but the certificate doesn't show up as trusted. I exported the certificates from my workstation and imported them into the java keystore. How would I go about troubleshooting this issue?

4 answers

How was your certificate created? A self signed certificate is rarely trusted by default.

The certificate was signed by my company Windows CA.

Is your environment Linux or Windows?

Its a linux host running Jira, windows is the CA

So you need run the keytool and update the apache tomcat setup file.   Please see the keytool commands in the following previous answer and the information about the slight differences in the apache setup for Linux.   I assume you are already following the setup directions already mentioned in the documentation.  Do not forget to setup the keyalias parameter.

https://answers.atlassian.com/questions/20947

https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS

https://confluence.atlassian.com/display/JIRA/Integrating+JIRA+with+Apache+using+SSL

 

Maybe I'm confused about the alias parameter, I had to add two extra certs for my cert chain, when I added them I called them whatever I wanted, for example I called them RootCA and IntermediateCA because I didn't care what they were listed as in my keystore, is that wrong, do they need to be called something specific? I checked tonight, the issue most certainly is the chain is broken but I added the extra certs by exporting the certificates I wanted from windows and importing them into java keystore using the keytool -import -alias RootCA -keystore /home/svccltprdqdsgit/atlassian/application-data/jira.jks -trustcacerts -file RootCA.crt This is what was listed in the jira ssl document.

The keystore alias doesn't matter. It can be anything that you want it to be. Make sure that you add the RootCA and IntermediateCA to cacerts keystore or whatever store you are using to keep your CA certs. You typically don't have to do this since its coming from a known CA, but I have seen that it does fix problems. You can use the cacerts in the JDK that you are using or copy it and add the two certs.

In Tomcat, you would have something like this in your SSL connector section, where the keystore-ident has the key and signed cert for your site

keystoreFile="/jira/.keystore-ident"
keystorePass="changeit"
keyAlias="jira"
trustsoreFile="/jira/cacerts"
truststorePass="changeit"

I don't have the trust store information it should be the same file should I just add that and the alias's?

If you have everything in one file you don't need the truststoreFile and trustorePass. You still need the keyAlias since this tells Tomcat what key to use for encryption. But you should still add the root and intermediate certs for your CA. It is also better if you add the certs in the order of root CA -> intermediate cert -> site cert.

Suggest an answer

Log in or Join to answer
Community showcase
Sarah Schuster
Posted Jan 29, 2018 in Jira

What are common themes you've seen across successful & failed Jira Software implementations?

Hey everyone! My name is Sarah Schuster, and I'm a Customer Success Manager in Atlassian specializing in Jira Software Cloud. Over the next few weeks I will be posting discussion topics (8 total) to ...

3,313 views 14 20
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot