Why can't I import a .crt into JIRA?

My site is: www.affinex.net
SSL certificate has been installed

I am getting errors and I couldn't get JIRA to work under SSL. For now, the installation is completed, I am able to run JIRA on port 8080, however I couldn't get it to run on HTTPS.

I have uncommented the SSL section of conf/server.xml (refer to attachment)

I am getting keytool error message from Command Prompt: (refer to attachment)
keytool error: java.io.FileNotFoundException: www_affinex_net.crt <The system cannot find the file specified>

I have checked the directory and path, everything is correct.

3 answers

0 votes

Check that the files and directories are read/write enabled for your user on both

1. The current one with the .crt file in it

2. The place where keytool will be keeping the certificate store

Where is your certificate store?

Can you run the keytool commands with the -v flag for more info?

Refer to attachment. The crt file is stored at this directory: C:\Program Files\Atlassian\JIRA\jre\bin\keytool

How do I run the keytool cmd with the -v flag? Please enlighten. Thanks Nic!

Checked all folders are read/write enabled. Error is still there.

www.affinex.net:8080 works fine.

Just can't get it to run on HTTPS.

Please refer to printscreen for folder permission. Modified enabled.

I'm not familiar with where windows JVMs might default the keytools to, or what the grey ticks in the permissions mean (is it ok that "read" is greyed out for your user?)

With keytool, add the -v as a parameter - instead of "keytool -import ...", try "keytool -v -import ..."

Greyed out means it's enabled by default. Attached picture is the v flag, please advise.

mmm, ok, that's not a huge amount of help, sorry. Worth a try, but it's a plain "file you're talking about is not there error", rather than something obscure.

Simple fact is, the keytool program is not finding the .crt file (it might not be able to open the keystore, but as you're entering a password and it's accepting it, I doubt that's it). It looks like the file isn't in the current directory. Could you try these two commands, in the current directory that you're running keytool from:

dir *.crt

attrib *.crt

(By the way - screenshots are not needed, the plain text of the command window is much nicer)

Could it be the password?

I entered "changit" for both passwords, the keystore password and the new password. How do I check whether I set up the keystore properly and what the password is?

I meant "changeit" twice. Sorry about the typo

The whole point of the password is that it can't be extracted! To check it just try "keytool -list", which will ask you for it and if you get it right, it will list your imported certificates.

I suspect this is not the issue though, it's the fact it can't find your .crt file.

Error message as below:

C:\Users\Administrator>"C:\Program Files\Atlassian\JIRA\jre\bin\keytool" -list
keytool error: java.lang.Exception: Keystore file does not exist: C:\Users\Admin
istrator\.keystore

C:\Users\Administrator>

Well, that answers that then. You haven't created a keystore, so the system can't find it when you're running the command to add the certificate.

Note - you probably don't want to create one for the admin user - you probably want it for the user that Jira will be running as.

I know this might sound very stupid, but how do I create a keystore for a user? Can you direct me to a link or something?

Thanks Nic!

Run the keytool program as that user.

http://docs.oracle.com/javase/6/docs/technotes/tools/ and look under "security tools" section

I tried creating the keystore with the -genkeypair command but more error messages came out:

C:\Program Files\Atlassian\JIRA\jre\bin>-genkeypair
'-genkeypair' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files\Atlassian\JIRA\jre\bin>-genkeypair {-alias alias} {-keyalg keya
lg} {-keysize keysize} {-sigalg sigalg} [-dname dname] [-keypass keypass] {-vali
dity valdays} {-storetype storetype} {-keystore keystore} [-storepass storepass]
{-providerClass provider_class_name {-providerArg provider_arg}} {-v} {-protect
ed} {-Jjavaoption}
'-genkeypair' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files\Atlassian\JIRA\jre\bin>-genkey
'-genkey' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files\Atlassian\JIRA\jre\bin>-genkeypair
'-genkeypair' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files\Atlassian\JIRA\jre\bin>-keystore
'-keystore' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files\Atlassian\JIRA\jre\bin>-keystore keystore
'-keystore' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files\Atlassian\JIRA\jre\bin>

Don't know. How have you configured it? What do you mean "can't run it with https"?

I have added the keystore as below, but I still can't run JIRA with HTTPS. What's the next step?

C:\Program Files\Atlassian\JIRA\jre\bin>keytool -genkey -alias mydomain -keyalg
RSA -keystore keystore.jks -keysize 2048
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: Daniel Ong
What is the name of your organizational unit?
[Unknown]: Cloud
What is the name of your organization?
[Unknown]: Dossologic
What is the name of your City or Locality?
[Unknown]: Singapore
What is the name of your State or Province?
[Unknown]: Singapore
What is the two-letter country code for this unit?
[Unknown]: SG
Is CN=Daniel Ong, OU=Cloud, O=Dossologic, L=Singapore, ST=Singapore, C=SG correc
t?
[no]: YES

Enter key password for <mydomain>
(RETURN if same as keystore password):

C:\Program Files\Atlassian\JIRA\jre\bin>keytool -v
Usage error: no command provided
Try keytool -help

C:\Program Files\Atlassian\JIRA\jre\bin>keytool -import -trustcacerts -alias roo
t -file www_affinex_net.crt -keystore keystore.jks
Enter keystore password:
Owner: CN=www.affinex.net, OU=EssentialSSL, OU=Hosted by Tucows, OU=Domain Contr
ol Validated
Issuer: CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, ST=Greater Mancheste
r, C=GB
Serial number: 1a4eea1d8877139b6571378cc308b0e3
Valid from: Tue Aug 28 08:00:00 SGT 2012 until: Thu Aug 29 07:59:59 SGT 2013
Certificate fingerprints:
MD5: B6:DA:FD:A5:58:63:9C:18:30:55:DE:20:BD:82:A9:CB
SHA1: 93:B6:07:E8:3D:62:6F:A3:2D:8C:52:2B:21:12:3D:AA:E8:36:A8:6A
Signature algorithm name: SHA1withRSA
Version: 3



Trust this certificate? [no]: YES
Certificate was added to keystore




printcert check:

C:\Program Files\Atlassian\JIRA\jre\bin>keytool -list -v -keystore keystore.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: root
Creation date: Sep 18, 2012
Entry type: trustedCertEntry

Owner: CN=www.affinex.net, OU=EssentialSSL, OU=Hosted by Tucows, OU=Domain Contr
ol Validated
Issuer: CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, ST=Greater Mancheste
r, C=GB
Serial number: 1a4eea1d8877139b6571378cc308b0e3
Valid from: Tue Aug 28 08:00:00 SGT 2012 until: Thu Aug 29 07:59:59 SGT 2013
Certificate fingerprints:
MD5: B6:DA:FD:A5:58:63:9C:18:30:55:DE:20:BD:82:A9:CB
SHA1: 93:B6:07:E8:3D:62:6F:A3:2D:8C:52:2B:21:12:3D:AA:E8:36:A8:6A
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F9 BE 85 5E 55 CE E8 6E FA EB EB 1A EF 97 FC E5 ...^U..n........
0010: A6 19 0A 4C ...L
]
]

#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: 1.3.6.1.5.5.7.48.2
accessLocation: URIName: http://crt.comodoca.com/EssentialSSLCA_2.crt,
accessMethod: 1.3.6.1.5.5.7.48.1
accessLocation: URIName: http://ocsp.comodoca.com]
]

#5:
ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.comodoca.com/EssentialSSLCA.crl]
]]

#6:
ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.7]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1D 68 74 74 70 73 3A 2F 2F 73 65 63 75 72 65 ..https://
secure
0010: 2E 63 6F 6D 6F 64 6F 2E 63 6F 6D 2F 43 50 53 .comodo.com/CPS

]] ]
]
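Added example, not part of the original thread: the listing above shows the www.affinex.net certificate under alias root as a trustedCertEntry, which is what keytool creates when a certificate is imported under a new alias, whereas an HTTPS connector needs a PrivateKeyEntry that carries the CA-issued certificate. This Python check parses `keytool -list -v` text and reports that condition. The `mydomain` entry in the sample and the names `parse_entries` and `audit` are assumptions, since the post shows only one of the two entries.

```python
import re

# Constructed sample in `keytool -list -v` layout. "root" copies fields shown in
# the thread; "mydomain" is an assumption built from the -genkey dialogue,
# because the post shows only one of the keystore's two entries.
SAMPLE = """\
Your keystore contains 2 entries

Alias name: mydomain
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Daniel Ong, OU=Cloud, O=Dossologic, L=Singapore, ST=Singapore, C=SG
Issuer: CN=Daniel Ong, OU=Cloud, O=Dossologic, L=Singapore, ST=Singapore, C=SG

Alias name: root
Entry type: trustedCertEntry

Owner: CN=www.affinex.net, OU=EssentialSSL, OU=Hosted by Tucows, OU=Domain Control Validated
Issuer: CN=EssentialSSL CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB
"""

FIELDS = {"alias": "Alias name", "type": "Entry type", "owner": "Owner", "issuer": "Issuer"}

def parse_entries(listing):
    """Split `keytool -list -v` text into one dict per alias (first cert of each entry)."""
    entries = []
    for block in re.split(r"(?m)^(?=Alias name: )", listing)[1:]:
        entry = {}
        for key, label in FIELDS.items():
            m = re.search(rf"(?m)^{re.escape(label)}: (.+)$", block)
            entry[key] = m.group(1).strip() if m else ""
        entries.append(entry)
    return entries

def audit(entries, hostname):
    """Return reasons the keystore cannot serve a CA-issued certificate for hostname."""
    def is_host(e):
        return e["owner"].split(",")[0] == f"CN={hostname}"
    findings = []
    keys = [e for e in entries if e["type"] == "PrivateKeyEntry"]
    if not any(is_host(e) for e in keys):
        findings.append(f"no PrivateKeyEntry holds a certificate for {hostname}")
    for e in keys:
        if e["owner"] == e["issuer"]:  # self-signed placeholder from -genkey
            findings.append(f"{e['alias']}: key entry still has its self-signed certificate")
    for e in entries:
        if e["type"] == "trustedCertEntry" and is_host(e):
            findings.append(f"{e['alias']}: {hostname} certificate is only a trustedCertEntry")
    return findings
```

Call `audit(parse_entries(text), "www.affinex.net")` on the text printed by `keytool -list -v -keystore keystore.jks`; an empty list means a key entry carries a certificate for that host.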




I want to run JIRA with SSL. For example, right now I am able to run JIRA on port 8080. e.g. www.affinex.net:8080 but I couldn't get it to run on a secure port e.g. HTTPS://www.affinex.net:8443

I am not too sure how to make this configuration.

Thanks Nic.

Yes, I understand that you want to access it via SSL (which implies https unless you're doing something unusual, but is NOT the same thing as SSL), but I'm afraid I'm not grasping the details. My main client uses certificates to access Jira (bypassing logins) and the system needs a certificate to get to confluence, source control and other places it's integrated with, so I'm probably just getting confused.

If it is just allowing (and requiring) access via https, then please work through https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS and tell us where you're getting stuck there.

Okay, now I am stuck at the configuration tool. I have tried running config.bat but to no avail. Any ideas?

I have java running.

Not really, because I don't know what you're doing. What does "stuck at the configuration tool" mean? Running config.bat - so? What does it do? What's the error?

Have you read and followed the document I referred to? Where are you stuck in that?

I apologize for being vague. What I meant was, I couldn't run the configuration tool. I understand I need it to configure JIRA to run using the HTTPS port. But I tried running (double-clicking and cmd run) config.bat in the JIRA bin sub-directory and I just couldn't get the configuration tool to run.

Hope I clarified. Thanks.

Stuck = couldn't get it to run = clicked and nothing happened.

Nice one with the penguins though.

mmm, that doesn't tell us any more - "I couldn't get it to run" is the same as "stuck".

To reuse my standard car analogy - "I couldn't get the car to move" doesn't tell us if it's not starting on ignition, the petrol tank is empty, it's in a ditch or if it's been trampled into bits by rampaging penguins.

You need to tell us what the symptoms are, error messages and so on. Tell us where you are stuck in the documentation. More importantly, tell us where you've done something *different* from the documentation - that's probably where you're going wrong. Again, please work through https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS and tell us where you're getting stuck there.

I know, it's hard to explain to someone not in front of your screen, but it's just as hard to try to guess your way through without information too.

One of the wonders of running Windows is that it's utterly awful at telling you what's wrong. There IS something happening when you click on whatever you're clicking on, and Windows is failing miserably to tell you anything useful (which means it's not useful as an "operating system" because real ones give you feedback).

Try it on a command line. Take apart the shortcut and work out what it's actually running and run that from a cmd prompt. It should tell you more. Look for the application logs too - they will probably tell you why it's not running, assuming you can find them.

Command prompt gives me this:

C:\Program Files\Atlassian\JIRA\bin>config.bat
The system cannot find the path specified.
C:\Program Files\Atlassian\JIRA\bin>

But the path is valid, the files are valid. This is really mind boggling.

Well, that's the reason why I prefer putting up screenshots but you advised me against it. A picture speaks a thousand words Nic.

The text is fine, it tells you all we need to know

The path and/or files are definitely not valid, according to the Operating System, and that's the thing that matters (you're now in a situation where you're saying "paint the car yellow" and the Operating system is saying "I have a brush, but there's not actually any car here... um... help")

However, because Windows is not helping a lot, I've got a feeling it might actually be telling you "something inside config.bat is missing". Useless error message, but hey.

Could you try:

  1. "type config.bat" from there? To see what the file contains and what it might be calling that isn't running.
  2. Run it with the full real path - should be something like c:\progra~1\atlass~1\JIRA\bin\config.bat to make sure you're actually running this config.bat and not another one (the ~s are there because Windows "long file names" are a complete bodge and not really long)
  3. Also, "echo %PATH%" - just in case there's more than one thing called "config.bat" that Windows is trying to run.

Tried running all 3 suggestions. Nothing.

Is there any way I can reinstall or download the JIRA configuration tool program/files?

Could it be Java?

C:\Program Files\Java\jdk1.6.0_34\bin>java -version
Error occurred during initialization of VM
java/lang/ClassNotFoundException: error in opening JAR file C:\Program Files\Jav
a\jdk1.6.0_34\jre\lib\rt.jar

All three of those commands would have given you something, albeit the first two might just be the same error message again.

Your next comment is an excellent idea on testing though and, even better, it does tell us something. Two things actually - first rt.jar is missing from your java install. I'm pretty sure this is a simple consequence of the second point - you are running a JRE, and that won't work - you need a JDK to run Atlassian stuff. Java Runtime Environment and Java Development Kit, before you ask ;-)

It's a bit of a misnomer - when they were first built, a JRE was what goes on a user's machine if they wanted to run a java application, and developers needed a JDK. For many years though, that's simply not true - most applications need stuff in the JDK to run. Nowadays, a JRE is probably more than enough if my Mom wants to run something, but developers, servers, advanced users and even the cat need a JDK.

Anyway, end rant, could you install a JDK and try again? Make sure it's JDK 1.6 though - Atlassian stuff doesn't work on 1.7 (yet). If you're worried about breaking other stuff, don't, a JDK contains the JRE and most apps won't care that there are extra bits in it.

Thanks Nic for the pointers. I got the configuration tool running; it seems like Java was corrupted. The configuration tool is running after I reinstalled Java.

However, on the webserver tab of the configuration tool, there are only 2 text boxes (HTTP Port and Control port). I can't see profile, keystore, HTTPS and the rest of the text boxes. Refer picture:

I don't know if the configuration tool supports those options, it might only handle http setup. I'm not familiar with it - never had a client who doesn't need a WAR build for some reason.

Not sure if this matters or not but did you run the cmd windows under administrator's rights?

Yes I did. Right click and "run as administrator". Thanks for the reminder though.
