jira and hipchat integration

THE SETUP:

I have two servers one with hipchat and the other with JIRA each have their own external ips and are accessible from the web. 

The JIRA  server is on centos 6.5 and has the following open ports 22, 80, 443, 5222, 5223. It is not on an ssl at the moment. http://jira.myserver.com

the Hipchat server is a standard ova install, with a comodo wildcard ssl. https://chat.myserver.com

for troubleshooting I am allowing all ports through our firewall for both servers

 

THE PROBLEMS:

trying to connect hipchat to the JIRA directory I get the following error

Connection test failed. Response from the server:
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?

When whitelisting the hipchat server in jira, it accepts the url and adds it to the whitelist without problem

however when adding hipchat through "hipchat integration" is says We couldn't reach your server

is all this because they both need ssl?

 

OBTW

Ideally I would like the hipchat server available from the web and the JIRA server only on the lan but still have integration, is this possible?

 

many thanks

 

7 answers

Hi everyone

We managed to solve the problem and the solution was pretty simple. Just check your web certificate and look into the chain of trust. You will Likely see a trust chain of "Root CA > Intermediate CA > YOUR Certificate". This is almost a standard nowadays but not always and is has not been in the past. Long story short, when you feed your certificate to Atlassian, JIRA and Hipchat (this applies to all Atlassian products!) make sure to simply Append the "Intermediate CA" certificate, which was provided to you by your CA when you ordered your server certificate, to your normal server cert. Make sure to watch our for the order, the topmost certficate must be your own server certificate, directly followed by the intermediate one. Once you loaded all services with a fully verifiable trust chain it will work! :-)

Important: Just check the SSL Trust chain of your installation with a service like http://ssllabs.com 

The PEM File for the Tomcat service as well as the text stuff you Copy&Paste into Hipchat should look like this:

---CERTIFICATE---
Your Server Cert
---CERTIFICATE---
---CERTIFICATE---
Your CA Provided Intermediate Cert
---CERTIFICATE---
---PRIVATE KEY---
The key for your Cert
---PRIVATE KEY---

 

Many greetings

Robert

Hello,

this solution seems to me to be valid only in case you use a certificate that was issued by a trusted third-party. However, in out situation we have a self-signed certificate, as the servers do not have contact to the outer world, and the services are used only through a VPN. 

So, is there a way to have the JIRA server accept the HipChat's server's certificate anyway? Or to deactivate the SSL enforcement for the HipChat server?

Best regards,

Hardy

Same problem here, also using self-signed certs. Using inofficial certificates is a must-have feature for on-premise servers.

It's possible to integrate HipChat Server with self-signed certificate with JIRA/Confluence. You can refer to the resolution section in this KB for the steps: https://confluence.atlassian.com/display/HIPCHATKB/Unable+to+Integrate+HipChat+Server+with+Confluence+or+JIRA+Applications

Hi Paul

Just to jump in i almost have the exact same setup and the exact same issue. For me it is Confluence and HipChat deployed from the OVA. Both connected with their own IPs to the internet. Capable of talking to each other (you can SSH into the Confluence box and open up the HipChat WebSite successfully) but still the plugin gives me: "We couldn't reach your server". 

Any ideas would be great :-/

Greetings

Robert

For me the same, both Confluence and JIRA run on non-ssl instances, while Hipchat is with a CA certificate running. If JIRA and Confluence SSL setup was just as easy as Hipchat, I would test that but it looks like a lot of work comparing to Hipchat. And I'm guessing the non-SSL -> SSL connection is not working.

Hope they have a solution soon. Perhaps @Will DeHaan?

Peter

Robert, 

Thanks for your comment, this is the solution indeed. JIRA or Confluence can still run on http though, so that is perfect. I even had to add more certificates (I use Comodo Positive SSL), so this was my setup that is working:

---CERTIFICATE---
Your Server Cert
---CERTIFICATE---
---CERTIFICATE---
In my case the COMODORSADomainValidationSecureServerCA.cert
---CERTIFICATE---
---CERTIFICATE---
In my case the COMODORSAAddTrustCA.cert
---CERTIFICATE---
---PRIVATE KEY---
The key for your Cert
---PRIVATE KEY---
The first try was only with the COMODORSADomainValidationSecureServerCA certificate and http://ssllabs.com gave the A- classification, but in the path 2 I still saw one "download" action. After adding the second certificate it was still A- but there where no "download" actions in the paths. If it is all "sent by server", you are setup! 

Good luck everyone.

Peter

Configuration:

  • HipChat Server OVA, accessed over ssl, certificate provided by Thawte
  • Confluence and Jira running in a second (Ubuntu) server, not running behind ssl, but with all certificates imported into their respective keystores
  • Apache acting as ssl proxy for Confluence and JIRA on the second server, and all certificates included in the pem file being used by Apache
  • All relevant ports open between these two servers (one can ssh to one and access ports 80 and 443 on the other), and the HipChat server is accessible to the internet

When I go to "HipChat Integration" in Confluence and enter the FQDN for out HipChat server (https://hipchat.ourcompanyintranetdomain.com << not the real FQDN) and click "Connect HipChat", Confluence says "We couldn't reach your server". There is no record or this error in /var/atlassian/application-data/confluence/logs/atlassian-confluence.log – no record of it at all.

We are currently using an evaluation license (invoice and payment is pending). Is this functionality disabled under an evaluation license?

Just to add to what Robert and Peter have mentioned, to validate that you might be having the same problem:

If you watch the requests when clicking "Connect HipChat", you'll see a 404 request, or some other bad request. If you attempt that GET request in a browser directly, you will see this message embedded in the exception message:

"unable to find valid certification path to requested target"

If you see this, you're on the right track following their advice.

Suggest an answer

Log in or Sign up to answer
How to earn badges on the Atlassian Community

How to earn badges on the Atlassian Community

Badges are a great way to show off community activity, whether you’re a newbie or a Champion.

Learn more
Community showcase
Published Sunday in Agility

You asked for it, so we delivered: images on issues have arrived

A picture tells a thousand words. And agility boards have just released their latest feature: cover images on issues – so now your board can tell a story at first glance. Upload attachmen...

275 views 3 11
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you