Message-ID: <208342591.15404.1711691713738.JavaMail.appbox@confluence> Subject: Exported From Confluence MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_Part_15403_366503952.1711691713738" ------=_Part_15403_366503952.1711691713738 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Content-Location: file:///C:/exported.html Connecting to a Bugzilla, JIRA server with a self-signed SSL cer= tificate

Connecting to a Bugzilla, JIRA server with a self-signed SSL certif= icate

=20

This article applies to: *Deskzilla 1.x-2.0, JIRA Client 1.x-2.0, and co= nnecting to Bugzilla and JIRA servers via https://... connections.
For = clarity, this article is written about JIRA Client and JIRA, but it applies= to Deskzilla / Bugzilla as well.

=20

This does not apply to JIRA Client version 2.1 and late= r and Deskzilla version 2.1 and later, as the issue has been solved.

=20
=20

Problem

=20

The problem is that JIRA Client cannot connect to JIRA over a secure con= nection (for example, to the url https://jira.company.com), with the following error = text:

=20
=20

Connection problem: sun.security.validator.ValidatorException: PKIX path= building failed: sun.security.provider.certpath.SunCertPathBuilderExceptio= n: unable to find valid certification path to registered target

=20
=20

This reason for this problem is that the SSL certificate used on the ser= ver is self-signed and not trusted by default by the underlying Java securi= ty platform.

=20

You might not experience this problem, even if the certificate you use i= s self-signed. Do not apply this solution if JIRA Client has no problem con= necting to JIRA.

=20

The self-signed certificate should have Common Name (CN) equal to the ho= st name of the JIRA web site, otherwise the solution won't work! You can in= spect Common Name among other certificate's properties when viewing it in a= browser.

=20

Solution

=20

The solution involves getting the untrusted SSL certificate from the ser= ver and making it trusted by importing it into a special file, java keystor= e.

=20

1. Locate Java in Use

=20

If you downloaded the default JIRA Client distribution, it contains bund= led JRE (Java Runtime) and when you run jiraclient.exe, it looks f= or the bundled JRE in the installFolder/jre. On Windows Vista 64-b= it, the default location of the program is C:\Program Files (x86)\JIRA = Client, and so the location of JRE will be C:\Program Files (x86)\= JIRA Client\jre.

=20

If you downloaded JIRA Client without bundled Java, or run it with .bat = / .sh script, then you probably should know which Java does JIRA Client use= , or you can find out by inspecting your PATH and JAVA_HOME variables.

= =20

2. Locate cacerts Key Store File

= =20

The location of cacerts is jreHome/lib/security/cacerts, where jreHome is the home path of the JRE in use. (Note that if= you're using a JDK, then jreHome would be jdkHome/jre.)<= /p>=20

3. Export Server Certificate

=20

Now you need to get a file with exported server certificate. If you have= Firefox browser installed, you can do the following:

=20
    =20
  1. Open the JIRA web site in Firefox (if needed - go through the warnings = and add site's certificate as an exception).
  2. =20
  3. Double-click on the "lock" icon in the status bar.
  4. =20
  5. Click on "View Certificate" in the Web Site Identity section
  6. =20
  7. Click on Details tab and then on Export button
  8. =20
  9. Select a .crt file to export your key, use the default X.509 PEM format= .
  10. =20
=20

4. Import Certificate into the Key Store<= /h4>=20

Now you can import the server's certificate into the located cacerts= file. Change into the directory where cacerts is located and run = keytool command, located in "bin" subdirectory under jreHome:=

=20
=20
..\..\bin\keytool -import -file path/to/the/exported/file.crt -alias my_jir=
a_server -keystore cacerts
=20
=20

The default password is changeit, unless you have chang= ed it.

=20

Keytool will ask for confirmation, to which you should answer ye= s and then write updated store to the disk.

=20

You have to have write permissions to the cacerts file and its directory= . If needed, start command line with Administrative permissions under Windo= ws, or sudo under Linux or Mac OS X.

=20

5. Start JIRA Client

=20

Try to connect. If it doesn't work, double-check that

=20 =20

If all looks correct but it doesn't work, please contact support.

=20

Other solutions are also possible, for example, setting Java key store t= o a different file with certificate already there.

------=_Part_15403_366503952.1711691713738--