Unable to configure SSL in JIRA

As per instructions mentioned in https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS#RunningJIRAoverSSLorHTTPS-trust

I have created a CSR file and imported to THAWTE for generating a CA file.

Thawte has given me a file in X509 format.

As per instructions in THAWTE,

  1. Follow Step 1 by downloading an X.509 certificate file format.
  2. Download both Primary and Secondary Intermediate certificate as separate files, refer to article.AR1384.
  3. Select the Intermediate CAs link based on your certificate product type. Once you have the SSL certificate, Primary and Secondary Intermediate CA certificate files, begin the import process.
    Note: It is imperative the installation of Primary Intermediate CA, Secondary Intermediate CA and SSL certificate on the keystore is followed below.
  4. Import the Primary Intermediate certificate (e.g., use alias: primary)
    keytool -import -alias primary -trustcacerts -file primary_intermediate_file_name -keystore [keystorename]
  5. Import the Secondary Intermediate certificate (e.g., use alias: secondary)
    keytool -import -alias secondary -trustcacerts -file secondary_intermediate_file_name -keystore [keystorename]
  6. Import the SSL certificate (Use the same alias name based on the created keystore and submitted CSR from Thawte)
    keytool -import -alias [your_alias_name] -trustcacerts -file X.509_file_name -keystore [keystorename]
I have followed and created a keystore file.
 
While trying to configure SSL, I am getting this issue:
Keystore Path (leave blank to exit)> /home/a.b2cops/.keystore
Keystore Password>
Key Alias> jira
The referenced certificate could not be found or accessed. Do you want to try again? ([Y]/N)? >
I have verified the contents in Keystore as well.
keytool -list -v -keystore .keystore

Please let me know what went wrong ??
 

6 answers

1 accepted

Thank you, I have fixed it myself. While running the commands here: keytool -import -alias [your_alias_name] -trustcacerts -file X.509_file_name -keystore [keystorename]

keystorename should be the JKS which you have provided before submitting to your CA, whereas I pointed that to new keystore.

This thread was very useful to me in getting our JIRA instance's SSL configured, but it still took a lot of fiddling and forum-crawling. I thought I'd give a rundown of what I needed to do to get it configured in a step-by-step manner, in case it would help anyone else (or if I ever needed to do it again!):

  1. Create a new keystore (mine is at /home/jira/.keystore)
    1. /opt/atlassian/jira/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore /home/jira/.keystore
    2. Set a keystore password that you'll be using throughout this process, so don't lose it
  2. Create my CSR
    1. /opt/atlassian/jira/jre/bin/keytool -certreq -keyalg RSA -alias tomcat -file domain_filename.csr -keystore /home/jira/.keystore
  3. Submit my CSR to certificate authority
  4. Store my returned certificate from authority on server
  5. Add returned certificates to keychain
    (Note: If root or intermediate certificates are necessary, they MUST be inserted into the keychain in the order root -> intermediate(s) -> domain)
    1. (optional) /opt/atlassian/jira/jre/bin/keytool -import -trustcacerts -alias rootca -file /home/jira/cert/root_filename.crt -v -keystore /home/jira/.keystore
      1. You may get a message that "Certificate already exists in system-wide CA keystore under alias <alias_name>"
      2. Do you still want to add it to your own keystore? [no]: yes
    2. (optional) /opt/atlassian/jira/jre/bin/keytool -import -trustcacerts -alias intermediateca -file /home/jira/cert/intermediate_filename.crt -v -keystore /home/jira/.keystore
    3. /opt/atlassian/jira/jre/bin/keytool -import -trustcacerts -alias tomcat -file /home/jira/cert/domain_filename.crt -v -keystore /home/jira/.keystore
      (Note: The domain certificate MUST have the same alias as the key. Here, I used the alias "tomcat").
      1. Upon issuing this command, you should receive a message that "Certificate reply was installed in keystore", which is different than the previous root and intermediate certificate success messages of "Certificate was added to keystore"
  6. (optional) Set proper user and rights for keystore and certificates
    1. chown jira:users *
    2. chmod 400 *
  7. Configure JIRA to use this keystore
    1. JRE_HOME=/opt/atlassian/jira/jre /opt/atlassian/jira/bin/config.sh
      1. [W] Web Server (incl. HTTP/HTTPs configuration)
      2. [S] Configure SSL Encryption (requires an installed X509 certificate)
      3. [U] User-defined location
        1. Keystore Path (leave blank to exit)> /home/jira/.keystore
        2. Keystore Password> password
        3. Key Alias> tomcat
          (Note: This is the same alias as your key and domain certificate)
      4. If this information is correct, you'll get the response that "The following certificate was found:" with your certificate info
      5. Do you want to use this certificate? ([Y]/N)? > Y
      6. HTTPs Port> port_number
  8. Restart JIRA
    1. /etc/init.d/jira stop
    2. /etc/init.d/jira start

Thank you for the detailed steps. I am self-signing, so I skipped steps 2-5, but this saved me some serious hair pulling. Thanks again!

Hi Sunil,

It seems to me that you've imported the certificate file in a different keystore than the one used by JIRA. I suggest you repeat all the steps but adding the parameter "-keyfile $JAVA_HOME/jre/lib/security/cacerts" -- please fill the $JAVA_HOME variable according to your system. It will add the certificates to the Java-wide keystore.

When you've finished adding the certificates to the keystore, copy it to $JIRA_INST/conf and set it as the 'Keystore Path' under the JIRA Configuration Tool.

Best regards,
Lucas Timm

I tried to import onto $JAVA_HOME/jre/lib/security/cacerts and tried to point it

Please select the keystore from the options below. It must contain the certificate and the private key to be used.

[S] The system-wide Java keystore (/cust/soe/opt/jdk/1.6.0-19/jre/lib/security/cacerts)

[U] User-defined location

Keystore> S

Keystore Password>

Key Alias> tomcat

The referenced certificate could not be found or accessed. Do you want to try again? ([Y]/N)? > N
but still no luck.
You asked me to copy it onto $JIRA_INST/conf. What does it mean here? Because we added the cert onto cacerts.

I assume the keystore you're looking for is inside Jira's installation directory.

I.e. if defaults are used, please have a look at

/opt/atlassian/jira/jre/lib/security/cacerts

This is the keystore Jira will use unless you change JAVA_HOME in "$INSTALL/jira/bin/permgen.sh"

What you did is create a keystore for the current user, which was placed in your home directory ->

/home/a.b2cops/.keystore

You could tell Jira to use this keystore but I wouldn't do that...

In your shell run something like
echo $JAVA_HOME

if this differs from

grep "export JAVA_HOME" /opt/atlassian/jira/bin/permgen.sh

you can proceed from there


My JAVA_HOME is different from the Atlassian inbuilt JRE.

When I followed the same steps for self signed certificate in QA environment, it worked fine.

It doesn't matter where the JAVA_HOME comes from as long as you use the '-keyfile' parameter pointing to the correct keystore file. Try to copy the /cust/soe/opt/jdk/1.6.0-19/jre/lib/security/cacert file to $JIRA_INST/conf. Also try a 'keytool -list -v -keyfile $JIRA_INST/conf/cacert' and check what the "Entry Type" is for the Tomcat aliased certificate, whether it's a PrivateKeyEntry or a TrustedCert.

Best regards,
Lucas Timm

Please select the keystore from the options below. It must contain the certificate and the private key to be used.

[S] The system-wide Java keystore (/cust/soe/opt/jdk/1.6.0-19/jre/lib/security/cacerts)

[U] User-defined location

Keystore> U

Keystore Path (leave blank to exit)> /cust/atlassian/jira_app1/conf/cacerts

Keystore Password>

Key Alias> tomcat

The referenced certificate could not be found or accessed. Do you want to try again? ([Y]/N)? > N

Entry type: trustedCertEntry
Alias name: tomcat
Creation date: Mar 13, 2013
Entry type: trustedCertEntry

Thank you, I have fixed it myself. While running the commands here: keytool -import -alias [your_alias_name] -trustcacerts -file X.509_file_name -keystore [keystorename]

keystorename should be the JKS which you have provided before submitting to your CA, whereas I pointed that to new keystore.

I don't understand the solution you've found here, and seem to be having a similar problem. I submitted my CSR to a CA, received my signed cert, and imported it into the keystore (now twice, under a separate alias):

root@track:/opt/atlassian/jira/jre/bin# ./keytool -import -alias ssl -file /etc/ssl/certs/server.crt -keystore "/opt/atlassian/jira/jre/lib/security/cacerts" 
Enter keystore password:  
Certificate already exists in keystore under alias <tomcatcacert>
Do you still want to add it? [no]:  yes
Certificate was added to keystore
root@track:/opt/atlassian/jira/jre/bin#

But then when I go back in to config.sh, I get this:

Please select the keystore from the options below. It must contain the certificate and the private key to be used.
  [S] The system-wide Java keystore (/opt/atlassian/jira/jre/lib/security/cacerts)
  [U] User-defined location
  [C] The currently configured (/opt/atlassian/jira/jre/bin/keystore)
Keystore> s
Keystore Password> 
Key Alias> ssl
The referenced certificate could not be found or accessed. Do you want to try again?  ([Y]/N)? > n

Jon,

You should import server.crt onto keystore which you have generated before submitting it to your CA.

In my case I followed https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO832 and generated keytool -genkey -keysize 2048 -keyalg RSA -alias [Alias name] -keystore [Keystore Name]

So you have to use "[Keystore Name]" instead of any other keystore.

Try again it should work.....

Note:

When you run the below command after your last step , you should see Entry type: PrivateKeyEntry,

Certificate chain length: 3 (depending upon CA certs) and Certificate[1] should be 1

$ keytool -list -v -keystore .kesytore

Enter keystore password:

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat

Creation date: Mar 15, 2013

Entry type: PrivateKeyEntry

Certificate chain length: 3

Certificate[1]:
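
The entry-type check described in the note above, as an added example that is not part of the original thread or of Atlassian's tooling. The function names `alias_info` and `alias_status` and the embedded listing are constructed for illustration; in real use, pipe the output of `keytool -list -v -keystore <path>` into `alias_status <alias>` instead of the sample.

```shell
#!/bin/sh
# Constructed sample of `keytool -list -v` output (not from a real keystore),
# trimmed to the fields parsed below.
sample_listing() {
cat <<'EOF'
Keystore type: JKS
Your keystore contains 2 entries

Alias name: tomcat
Creation date: Mar 15, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:

Alias name: ssl
Creation date: Mar 13, 2013
Entry type: trustedCertEntry
EOF
}

# Read a listing on stdin; print "<entry type> <chain length>" for one alias.
# Prints nothing if the alias is absent. Aliases are compared case-insensitively.
alias_info() {
  awk -v want="$1" '
    BEGIN { want = tolower(want) }
    /^Alias name: /  { cur = tolower(substr($0, 13)); next }
    cur == want && /^Entry type: / { etype = substr($0, 13) }
    cur == want && /^Certificate chain length: / { len = $NF }
    END { if (etype != "") print etype, (len == "" ? 0 : len) }'
}

# Exit 0 if the alias holds a private key, 1 if it is cert-only, 2 if missing.
alias_status() {
  info=$(alias_info "$1")
  [ -n "$info" ] || { echo "MISSING: no alias '$1' in this keystore"; return 2; }
  etype=${info% *}; len=${info##* }
  case "$etype" in
    PrivateKeyEntry)
      if [ "$len" -gt 1 ]; then echo "OK: '$1' has a private key and a chain of $len"
      else echo "WARN: '$1' has a private key but chain length $len (self-signed, or CA reply not imported)"
      fi ;;
    *) echo "FAIL: '$1' is $etype; no private key here, import the CA reply into the keystore that generated the CSR"
       return 1 ;;
  esac
}

# Demo over the constructed listing: one usable alias, one cert-only, one absent.
for a in tomcat ssl jira; do sample_listing | alias_status "$a" || true; done
```

A `trustedCertEntry` under the alias given to config.sh is the state shown earlier in this thread, where the tool answers "The referenced certificate could not be found or accessed".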

>>>You should import server.crt onto keystore which you have generated before submitting it to your CA.

If I have a certificate which was created a long time ago and the keystore where it was generated doesn't exist anymore? How can I use it?

Can't import it, it shows me

The referenced certificate could not be found or accessed.

Thanks! Following all of that worked.

  1. keytool -genkey -keysize 2048 -keyalg RSA -alias newssl -keystore "/opt/atlassian/jira/jre/bin/keystore"
  2. keytool -certreq -alias newssl -keyalg RSA -file certreq.csr -keystore "/opt/atlassian/jira/jre/bin/keystore"
  3. CSR->CA; Save signed Cert
  4. (Also import the root cert of the CA)
  5. keytool -import -alias newssl -file "/opt/atlassian/jira/jre/bin/cert.cer" -keystore "/opt/atlassian/jira/jre/bin/keystore"
  6. edit /opt/atlassian/jira/conf/server.xml to point to the right certificate alias
  7. /etc/init.d/jira stop ; /etc/init.d/jira start
