logs flooded with ssl errors

jocar June 14, 2014

Hello

I recently installed JIRA 6.2.5 and added HTTPS support following the steps described here. The site seemed to be working fine (I can log in and work), but the catalina.out log file is flooded with entries like this:

httpclient-io:thread-2 ERROR anonymous [http.nio.protocol.HttpAsyncRequestExecutor] http-outgoing-2 [CLOSED] HTTP protocol exception: null
java.nio.channels.ClosedChannelException
    at sun.nio.ch.SocketChannelImpl.ensureReadOpen(Unknown Source)
    at sun.nio.ch.SocketChannelImpl.read(Unknown Source)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.receiveEncryptedData(SSLIOSession.java:340)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:366)
    at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:118)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.validate(BaseIOReactor.java:220)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:284)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:106)
    at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:604)
    at java.lang.Thread.run(Unknown Source)

Once it starts it never stops, and keeps flooding the log until it is GBs in size. I have to stop the service and delete the log. When I restart the service the same entries start to flood the log again. Before the flooding starts I have these entries in the log:

javax.net.ssl.SSLHandshakeException: General SSLEngine problem

...

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I thought I had a problem with the certificate (it is self-signed). I found on the internet that when using a self-signed certificate I had to make sure of two things:

  • making sure the certificate common name matched the domain name (it does).
  • Add the certificate to the list of trusted certificates. I did this using installCert:

http://code.google.com/p/java-use-examples/source/browse/trunk/src/com/aw/ad/util/InstallCert.java

But I still get the same errors. Any idea of how I could fix/troubleshoot this issue?

I guess I have done something wrong when integrating Apache + SSL + JIRA but I cannot figure out where the error is. Any idea of how to solve this issue, or how to troubleshoot it more effectively?

1 answer

Answer accepted
Danilo Conrad
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
June 14, 2014

Hi Jocar,

The exception you have pasted is addressed by the article below:

Could you please check if the steps provided in the document above help to resolve these errors?

Cheers,

Danilo

jocar June 14, 2014

Hello Danilo,

I'd like to try the method described in the link you provided, but I am stuck at step one: importing the certs into the Java keystore. I went to this section:

If you're unable to install Portecle on the server or prefer the command line please see our Command Line Installation section below.

But it leads me to an EMPTY section!?

Please, could you clarify how I could import the certs using the CLI? I am connecting to a remote server with no X System whatsoever.

Danilo Conrad
Atlassian Team
June 15, 2014

Hi Jocar,

That's rather strange - the section should not be empty and I was also able to browse it accessing the link below:

https://confluence.atlassian.com/display/JIRA/Connecting+to+SSL+services#ConnectingtoSSLservices-commandline

I have copied the commands provided in that section below for your convenience. Please make sure to replace the JAVA_HOME for JIRA's JAVA_HOME path.

Cheers,

Danilo

----

Command Line Installation

1. Fetch the certificate, replacing google.com with the FQDN of the server JIRA is attempting to connect to:

$ openssl s_client -connect google.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt

2. Import the certificate:

<JAVA_HOME>/bin/keytool -import -alias <server_name> -keystore <JAVA_HOME>/lib/security/cacerts -file public.crt

jocar June 15, 2014

Hi Danilo,

I tried the provided commands but now I am facing this error in the second step:

keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

Command I used:

/opt/atlassian/jira/jre/bin/keytool -import -alias myserver.com -keystore /opt/atlassian/jira/jre/lib/security/cacerts -file /etc/pki/tls/certs/myserver.com.crt

Basically I got a problem when the previous command asks me for a password that I have not set. Since I do not remember having generated a keystore (maybe the Java bundled with JIRA ships with one?), I tried creating a new one using the info I found in this Atlassian site, Running JIRA over SSL:

keytool -genkey -alias myserver.com -keyalg RSA -keystore /opt/atlassian/jira/jre/bin/myserver.com.jks

Then I tried to run the import command again but I got the same error.

Could you help me with this one, please?
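
The import discussed in this thread turns whatever certificate `openssl s_client` returned into a trust anchor for JIRA's JVM. The following is an added example, not part of the original posts or of Atlassian's documentation: it compares the fetched certificate's SHA-256 fingerprint with a value obtained out of band before running the same keytool import. The function names and the out-of-band fingerprint are assumptions.

```shell
#!/bin/sh
# Added example: check a fetched certificate against a known fingerprint
# before it is imported into the JVM truststore. Function names are hypothetical.

# Keep only the PEM certificate block from `openssl s_client` output on stdin
# (the same sed filter as step 1 of the quoted procedure).
extract_pem() {
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Print the SHA-256 fingerprint of the first certificate in a PEM file (AA:BB:...).
cert_sha256() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# pin_matches CERT EXPECTED_SHA256
# Succeeds only if the fingerprints are equal; case, colons and spaces are ignored.
# EXPECTED_SHA256 must come from a channel other than the TLS connection itself,
# for example read from the certificate file on the server's own console.
pin_matches() {
    got=$(cert_sha256 "$1" | tr -d ':' | tr 'a-f' 'A-F')
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# import_pinned CERT ALIAS KEYSTORE EXPECTED_SHA256
# KEYSTORE is the cacerts file of the JRE that JIRA actually runs on; a newly
# generated .jks elsewhere is not consulted by the JVM's default trust manager.
import_pinned() {
    pin_matches "$1" "$4" || {
        echo "fingerprint mismatch, not importing $1" >&2
        return 1
    }
    # keytool prompts for the keystore password. The stock JRE cacerts file
    # uses "changeit" unless an administrator changed it.
    keytool -import -alias "$2" -keystore "$3" -file "$1" &&
        keytool -list -alias "$2" -keystore "$3"
}

# Usage (host, alias and paths are the placeholders used in this thread):
#   openssl s_client -connect myserver.com:443 < /dev/null | extract_pem > public.crt
#   import_pinned public.crt myserver.com \
#       /opt/atlassian/jira/jre/lib/security/cacerts "<fingerprint obtained out of band>"
```

JIRA has to be restarted after the import, since the JVM reads the truststore at startup.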

jocar June 15, 2014

Thank you very much. I followed those steps and so far no more SSLEngine errors :)
