Unable to configure SSL in JIRA

Sunil Pothireddy [Intel] March 11, 2013

As per instructions mentioned in https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS#RunningJIRAoverSSLorHTTPS-trust

I have created a CSR file and imported to THAWTE for generating a CA file.

Thawte has given me a file in X509 format.

As per instructions in THAWTE,

  1. Follow Step 1 by downloading an X.509 certificate file format.
  2. Download both Primary and Secondary Intermediate certificates as separate files, refer to article.AR1384.
  3. Select the Intermediate CAs link based on your certificate product type. Once you have the SSL certificate, Primary and Secondary Intermediate CA certificate files, begin the import process.
    Note: It is imperative the installation of Primary Intermediate CA, Secondary Intermediate CA and SSL certificate on the keystore is followed below.
  4. Import the Primary Intermediate certificate (e.g., use alias: primary)
    keytool -import -alias primary -trustcacerts -file primary_intermediate_file_name -keystore [keystorename]
  5. Import the Secondary Intermediate certificate (e.g., use alias: secondary)
    keytool -import -alias secondary -trustcacerts -file secondary_intermediate_file_name -keystore [keystorename]
  6. Import the SSL certificate (Use the same alias name based on the created keystore and submitted CSR from Thawte)
    keytool -import -alias [your_alias_name] -trustcacerts -file X.509_file_name -keystore [keystorename]
I have followed and created a keystore file.
 
While trying to configure SSL, I am getting this issue:
Keystore Path (leave blank to exit)> /home/a.b2cops/.keystore
Keystore Password>
Key Alias> jira
The referenced certificate could not be found or accessed. Do you want to try again? ([Y]/N)? >
I have verified the contents in Keystore as well.....
keytool -list -v -keystore .keystore

Please let me know what went wrong ??
 

6 answers

1 accepted

1 vote
Answer accepted
Sunil Pothireddy [Intel] March 14, 2013

Thank you, I have fixed it myself.... While running the commands here: keytool -import -alias [your_alias_name] -trustcacerts -file X.509_file_name -keystore [keystorename]

keystorename should be the JKS which you have provided before submitting to your CA, whereas I pointed that to new keystore.

4 votes
aaronbean May 24, 2013

This thread was very useful to me in getting our JIRA instance's SSL configured, but it still took a lot of fiddling and forum-crawling. I thought I'd give a rundown of what I needed to do to get it configured in a step-by-step manner, in case it would help anyone else (or if I ever needed to do it again!):

  1. Create a new keystore (mine is at /home/jira/.keystore)
    1. /opt/atlassian/jira/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore /home/jira/.keystore
    2. Set a keystore password that you'll be using throughout this process, so don't lose it
  2. Create my CSR
    1. /opt/atlassian/jira/jre/bin/keytool -certreq -keyalg RSA -alias tomcat -file domain_filename.csr -keystore /home/jira/.keystore
  3. Submit my CSR to certificate authority
  4. Store my returned certificate from authority on server
  5. Add returned certificates to keychain
    (Note: If root or intermediate certificates are necessary, they MUST be inserted into the keychain in the order root -> intermediate(s) -> domain)
    1. (optional) /opt/atlassian/jira/jre/bin/keytool -import -trustcacerts -alias rootca -file /home/jira/cert/root_filename.crt -v -keystore /home/jira/.keystore
      1. You may get a message that "Certificate already exists in system-wide CA keystore under alias <alias_name>"
      2. Do you still want to add it to your own keystore? [no]: yes
    2. (optional) /opt/atlassian/jira/jre/bin/keytool -import -trustcacerts -alias intermediateca -file /home/jira/cert/intermediate_filename.crt -v -keystore /home/jira/.keystore
    3. /opt/atlassian/jira/jre/bin/keytool -import -trustcacerts -alias tomcat -file /home/jira/cert/domain_filename.crt -v -keystore /home/jira/.keystore
      (Note: The domain certificate MUST have the same alias as the key. Here, I used the alias "tomcat").
      1. Upon issuing this command, you should receive a message that "Certificate reply was installed in keystore", which is different than the previous root and intermediate certificate success messages of "Certificate was added to keystore"
  6. (optional) Set proper user and rights for keystore and certificates
    1. chown jira:users *
    2. chmod 400 *
  7. Configure JIRA to use this keystore
    1. JRE_HOME=/opt/atlassian/jira/jre /opt/atlassian/jira/bin/config.sh
      1. [W] Web Server (incl. HTTP/HTTPs configuration)
      2. [S] Configure SSL Encryption (requires an installed X509 certificate)
      3. [U] User-defined location
        1. Keystore Path (leave blank to exit)> /home/jira/.keystore
        2. Keystore Password> password
        3. Key Alias> tomcat
          (Note: This is the same alias as your key and domain certificate)
      4. If this information is correct, you'll get the response that "The following certificate was found:" with your certificate info
      5. Do you want to use this certificate? ([Y]/N)? > Y
      6. HTTPs Port> port_number
  8. Restart JIRA
    1. /etc/init.d/jira stop
    2. /etc/init.d/jira start
mc March 5, 2015

Thank you for the detailed steps. I am self-signing, so I skipped steps 2-5, but this saved me some serious hair pulling. Thanks again!

1 vote
LucasA
March 11, 2013

Hi Sunil,

It seems to me that you've imported the certificate file into a different keystore than the one used by JIRA. I suggest you repeat all the steps but add the parameter "-keyfile $JAVA_HOME/jre/lib/security/cacerts" -- please fill in the $JAVA_HOME variable according to your system. It will add the certificates to the Java-wide keystore.

When you've finished adding the certificates to the keystore, copy it to $JIRA_INST/conf and set it as the 'Keystore Path' in the JIRA Configuration Tool.

Best regards,
Lucas Timm

Sunil Pothireddy [Intel] March 12, 2013

I tried to import onto $JAVA_HOME/jre/lib/security/cacerts and tried to point it

Please select the keystore from the options below. It must contain the certificate and the private key to be used.

[S] The system-wide Java keystore (/cust/soe/opt/jdk/1.6.0-19/jre/lib/security/cacerts)

[U] User-defined location

Keystore> S

Keystore Password>

Key Alias> tomcat

The referenced certificate could not be found or accessed. Do you want to try again? ([Y]/N)? > N
but still no luck.......
You asked me to copy it onto $JIRA_INST/conf..... what does it mean here..because we added cert onto cacerts.......
0 votes
Jon Camfield March 20, 2013

Thanks! Following all of that worked.

  1. keytool -genkey -keysize 2048 -keyalg RSA -alias newssl -keystore "/opt/atlassian/jira/jre/bin/keystore"
  2. keytool -certreq -alias newssl -keyalg RSA -file certreq.csr -keystore "/opt/atlassian/jira/jre/bin/keystore"
  3. CSR->CA; Save signed Cert
  4. (Also import the root cert of the CA)
  5. keytool -import -alias newssl -file "/opt/atlassian/jira/jre/bin/cert.cer" -keystore "/opt/atlassian/jira/jre/bin/keystore"
  6. edit /opt/atlassian/jira/conf/server.xml to point to the right certificate alias
  7. /etc/init.d/jira stop ; /etc/init.d/jira start
0 votes
Jon Camfield March 19, 2013

I don't understand the solution you've found here, and seem to be having a similar problem. I submitted my CSR to a CA, received my signed cert, and imported it into the keystore (now twice, under a separate alias):

root@track:/opt/atlassian/jira/jre/bin# ./keytool -import -alias ssl -file /etc/ssl/certs/server.crt -keystore "/opt/atlassian/jira/jre/lib/security/cacerts" 
Enter keystore password:  
Certificate already exists in keystore under alias <tomcatcacert>
Do you still want to add it? [no]:  yes
Certificate was added to keystore
root@track:/opt/atlassian/jira/jre/bin#

But then when I go back in to config.sh, I get this:

Please select the keystore from the options below. It must contain the certificate and the private key to be used.
  [S] The system-wide Java keystore (/opt/atlassian/jira/jre/lib/security/cacerts)
  [U] User-defined location
  [C] The currently configured (/opt/atlassian/jira/jre/bin/keystore)
Keystore> s
Keystore Password> 
Key Alias> ssl
The referenced certificate could not be found or accessed. Do you want to try again?  ([Y]/N)? > n

Sunil Pothireddy [Intel] March 19, 2013

Jon,

You should import server.crt onto keystore which you have generated before submitting it to your CA.

In my case I followed https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO832 and generated keytool -genkey -keysize 2048 -keyalg RSA -alias [Alias name] -keystore [Keystore Name]

So you have to use "[Keystore Name]" instead of any other keystore.

Try again it should work.....

Note:

When you run the below command after your last step , you should see Entry type: PrivateKeyEntry,

Certificate chain length: 3 (depending upon CA certs) and Certificate[1] should be 1

$ keytool -list -v -keystore .keystore

Enter keystore password:

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat

Creation date: Mar 15, 2013

Entry type: PrivateKeyEntry

Certificate chain length: 3

Certificate[1]:

Oren Alexandroni February 4, 2014

>>>You should import server.crt onto keystore which you have generated before submitting it to your CA.

If I have a certificate which was created a long time ago and the keystore where it was generated doesn't exist anymore? How can I use it?

Can't import it, it shows me

The referenced certificate could not be found or accessed.

0 votes
C_ Faysal
March 11, 2013

i assume the keystore you're looking for is inside jira's installation directory.

i.e. if defaults are used please have a look at

/opt/atlassian/jira/jre/lib/security/cacerts

this is the keystore jira will use unless you change JAVA_HOME in "$INSTALL/jira/bin/permgen.sh"

what you did is creating a keystore for the current user which was placed in your home directory ->

/home/a.b2cops/.keystore

you could tell jira to use this keystore but i wouldn't do that...

in your shell run sth like
echo $JAVA_HOME

if this differs from

grep "export JAVA_HOME" /opt/atlassian/jira/bin/permgen.sh

you can proceed from there


Sunil Pothireddy [Intel] March 13, 2013

My JAVA_HOME is different from the Atlassian inbuilt JRE .....

When I followed the same steps for self signed certificate in QA environment, it worked fine.

LucasA
March 13, 2013

It doesn't matter where the JAVA_HOME comes from as long as you use the '-keyfile' parameter pointing to the correct keystore file. Try to copy the /cust/soe/opt/jdk/1.6.0-19/jre/lib/security/cacert file to $JIRA_INST/conf. Also try 'keytool -list -v -keyfile $JIRA_INST/conf/cacert' and check what the "Entry Type" is for the Tomcat aliased certificate, whether it's a PrivateKeyEntry or a TrustedCert.

Best regards,
Lucas Timm

Sunil Pothireddy [Intel] March 13, 2013

Please select the keystore from the options below. It must contain the certificate and the private key to be used.

[S] The system-wide Java keystore (/cust/soe/opt/jdk/1.6.0-19/jre/lib/security/cacerts)

[U] User-defined location

Keystore> U

Keystore Path (leave blank to exit)> /cust/atlassian/jira_app1/conf/cacerts

Keystore Password>

Key Alias> tomcat

The referenced certificate could not be found or accessed. Do you want to try again? ([Y]/N)? > N

Sunil Pothireddy [Intel] March 13, 2013
Entry type: trustedCertEntry
Alias name: tomcat
Creation date: Mar 13, 2013
Entry type: trustedCertEntry
Sunil Pothireddy [Intel] March 14, 2013

Thank you, I have fixed it myself.... While running the commands here: keytool -import -alias [your_alias_name] -trustcacerts -file X.509_file_name -keystore [keystorename]

keystorename should be the JKS which you have provided before submitting to your CA, whereas I pointed that to new keystore.
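
The check that recurs in this thread, as an added example that is not part of any post above: a `keytool -list -v` listing should show `Entry type: PrivateKeyEntry` with a certificate chain for the key alias, while `trustedCertEntry` under that alias means the certificate was imported into a keystore that does not hold the private key. The script parses English-locale listing text; the sample listings are constructed from the fragments quoted in the thread, and the function names and the path in the comment are illustrative assumptions.

```shell
#!/bin/sh
# Added example: classify one alias from `keytool -list -v` output (English locale assumed).

# Constructed sample listings, modelled on the output quoted in this thread.
GOOD_LISTING='Alias name: tomcat
Creation date: Mar 15, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:'
BAD_LISTING='Alias name: tomcat
Creation date: Mar 13, 2013
Entry type: trustedCertEntry'

# classify_alias ALIAS < listing
# Prints "<entry type> <chain length>"; exit 0 = PrivateKeyEntry,
# 1 = some other entry type, 2 = alias not present.
classify_alias() {
    awk -v want="$1" '
        /^Alias name:/ { sub(/^Alias name:[ \t]*/, ""); cur = $0; next }
        cur == want && /^Entry type:/ { type = $3 }
        cur == want && /^Certificate chain length:/ { len = $4 }
        END {
            if (type == "") { print "missing 0"; exit 2 }
            print type, (len == "" ? 0 : len)
            exit (type == "PrivateKeyEntry" ? 0 : 1)
        }'
}

# diagnose ALIAS < listing: human-readable verdict, same exit codes.
diagnose() {
    result=$(classify_alias "$1") && status=0 || status=$?
    case $status in
        0) echo "OK: $1 is $result (private key and certificate chain are in this keystore)" ;;
        1) echo "FAIL: $1 is $result; no private key here, import the CA reply into the keystore that generated the CSR" ;;
        *) echo "FAIL: alias $1 not found in this keystore" ;;
    esac
    return "$status"
}

# Real use (hypothetical path): keytool -list -v -keystore /home/jira/.keystore | diagnose tomcat
printf '%s\n' "$GOOD_LISTING" | diagnose tomcat
printf '%s\n' "$BAD_LISTING" | diagnose tomcat || true
```

A chain length of 1 on a `PrivateKeyEntry` after the import usually means the entry still holds only the self-signed certificate created by `-genkey`, so the CA reply has not been installed under that alias yet.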
