Page History

{panel}

h3. Problem

The problem is that JIRA Client cannot connect to JIRA over a secure connection (for example, to the url https://jira.company.com), with the following error text:

 target
{panel}

This reason for this problem is that the SSL certificate used on the server is self-signed and not trusted by default by the underlying Java security platform.

{info}You might not experience this problem, even if the certificate you use is self-signed. Do not apply this solution if JIRA Client has no problem connecting to JIRA.{info}

{note}The self-signed certificate should have Common Name (CN) equal to the host name of the JIRA web site, otherwise the solution won't work! You can inspect Common Name among other certificate's properties when viewing it in a browser.{note}

h3. Solution

The solution involves getting the untrusted SSL certificate from the server and making it trusted by importing it into a special file, java keystore.

h4. 1. Locate Java in Use

If you downloaded the default JIRA Client distribution, it contains bundled JRE (Java Runtime) and when you run _jiraclient.exe_, it looks for the bundled JRE in the _installFolder_/jre. On Windows Vista 64-bit, the default location of the program is _C:\Program Files (x86)\JIRA Client_, and so the location of JRE will be _C:\Program Files (x86)\JIRA Client\jre_.

If you downloaded JIRA Client without bundled Java, or run it with .bat / .sh script, then you probably should know which Java does JIRA Client use, or you can find out by inspecting your PATH and JAVA_HOME variables.

h4. 2. Locale _cacerts_ Key Store File

The location of _cacerts_ is _jreHome/lib/security/cacerts_, where _jreHome_ is the home path of the JRE in use. (Note that if you're using a JDK, then _jreHome_ would be _jdkHome/jre_.)

h4. 3. Export Server Certificate

Now you need to get a file with exported server certificate. If you have Firefox browser installed, you can do the following:
# Open the JIRA web site in Firefox (if needed - go through the warnings and add site's certificate as an exception).
# Double-click on the "lock" icon in the status bar.
# Click on "View Certificate" in the Web Site Identity section
# Click on Details tab and then on Export button
# Select a .crt file to export your key, use the default X.509 PEM format.

h4. 4. Import Certificate into the Key Store

Now you can import the server's certificate into the located _cacerts_ file. Change into the directory where cacerts is located and run _keytool_ command, located in "bin" subdirectory under _jreHome_:
{code}
..\..\bin\keytool -import -file path/to/the/exported/file.crt -alias my_jira_server -keystore cacerts
{code}

The default password is *changeit*, unless you have changed it.

 

Keytool will ask for confirmation, to which you should answer *yes* and then write updated store to the disk.

{note

}You have to have write permissions to the cacerts file and its directory. If needed, start command line with Administrative permissions under Windows, or sudo under Linux or Mac OS X.

{note}

h4. 5. Start JIRA Client

 

Try to connect. If it doesn't work, double-check that

* file cacerts got modified;

* cacerts contains your server's certificate (use _keytool -list -keystore cacerts_ and look for alias my_jira_server);

* you're running JIRA Client with the JRE that has cacerts modified (not some other JRE on your hard drive).

If all looks correct but it doesn't work, please contact support.