Knowledge Base
Page tree

Versions Compared

Old Version 2

changes.mady.by.user Anonymous

Saved on

compared with

New Version Current

changes.mady.by.user Igor Baltiyskiy

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migration of unmigrated content due to installation of a new plugin
{workflow-include} {panel}This article applies to: *Deskzilla
Wiki Markup
Panel

This article applies to: *Deskzilla 1.x-2.

x

0,

JIRA

Client

1.x-2.

x*

0,

and

connecting

to

Bugzilla

and

JIRA

servers

via

https://...

connections.


For

clarity,

this

article

is

written

about

JIRA

Client

and

JIRA,

but

it

applies

to

Deskzilla

/

Bugzilla

as

well.

{panel} h3. Problem The problem is that JIRA Client cannot connect to JIRA over a secure connection (for example, to the url

This does not apply to JIRA Client version 2.1 and later and Deskzilla version 2.1 and later, as the issue has been solved.

Problem

The problem is that JIRA Client cannot connect to JIRA over a secure connection (for example, to the url https://jira.company.com),

...

with

...

the

...

following

...

error

...

text:

...

Panel

Connection problem:

sun.security.validator.ValidatorException:

PKIX

path

building

failed:

sun.security.provider.certpath.SunCertPathBuilderException:

unable

to

find

valid

certification

path

to

registered

target {panel} This reason for this problem is that the SSL certificate used on the server is self-signed and not trusted by default by the underlying Java security platform. {info}You might not experience this problem, even if the certificate you use is self-signed. Do not apply this solution if JIRA Client has no problem connecting to JIRA.{info} {note}The self-signed certificate should have Common Name (CN) equal to the host name of the JIRA web site, otherwise the solution won't work! You can inspect Common Name among other certificate's properties when viewing it in a browser.{note} h3. Solution The solution involves getting the untrusted SSL certificate from the server and making it trusted by importing it into a special file, java keystore. h4. 1. Locate Java in Use If you downloaded the default JIRA Client distribution, it contains bundled JRE (Java Runtime) and when you run _jiraclient.exe_, it looks for the bundled JRE in the _installFolder_/jre. On Windows Vista 64-bit, the default location of the program is _C:\Program Files (x86)\JIRA Client_, and so the location of JRE will be _C:\Program Files (x86)\JIRA Client\jre_. If you downloaded JIRA Client without bundled Java, or run it with .bat / .sh script, then you probably should know which Java does JIRA Client use, or you can find out by inspecting your PATH and JAVA_HOME variables. h4. 2. Locale _cacerts_ Key Store File The location of _cacerts_ is _jreHome/lib/security/cacerts_, where _jreHome_ is the home path of the JRE in use. (Note that if you're using a JDK, then _jreHome_ would be _jdkHome/jre_.) h4. 3. Export Server Certificate Now you need to get a file with exported server certificate. If you have Firefox browser installed, you can do the following: # Open the JIRA web site in Firefox (if needed - go through the warnings and add site's certificate as an exception). # Double-click on the "lock" icon in the status bar. # Click on "View Certificate" in the Web Site Identity section # Click on Details tab and then on Export button # Select a .crt file to export your key, use the default X.509 PEM format. h4. 4. Import Certificate into the Key Store Now you can import the server's certificate into the located _cacerts_ file. Change into the directory where cacerts is located and run _keytool_ command, located in "bin" subdirectory under _jreHome_: {code}

target

This reason for this problem is that the SSL certificate used on the server is self-signed and not trusted by default by the underlying Java security platform.

Info

You might not experience this problem, even if the certificate you use is self-signed. Do not apply this solution if JIRA Client has no problem connecting to JIRA.

Note

The self-signed certificate should have Common Name (CN) equal to the host name of the JIRA web site, otherwise the solution won't work! You can inspect Common Name among other certificate's properties when viewing it in a browser.

Solution

The solution involves getting the untrusted SSL certificate from the server and making it trusted by importing it into a special file, java keystore.

1. Locate Java in Use

If you downloaded the default JIRA Client distribution, it contains bundled JRE (Java Runtime) and when you run jiraclient.exe, it looks for the bundled JRE in the installFolder/jre. On Windows Vista 64-bit, the default location of the program is C:\Program Files (x86)\JIRA Client, and so the location of JRE will be C:\Program Files (x86)\JIRA Client\jre.

If you downloaded JIRA Client without bundled Java, or run it with .bat / .sh script, then you probably should know which Java does JIRA Client use, or you can find out by inspecting your PATH and JAVA_HOME variables.

2. Locate cacerts Key Store File

The location of cacerts is jreHome/lib/security/cacerts, where jreHome is the home path of the JRE in use. (Note that if you're using a JDK, then jreHome would be jdkHome/jre.)

3. Export Server Certificate

Now you need to get a file with exported server certificate. If you have Firefox browser installed, you can do the following:

  1. Open the JIRA web site in Firefox (if needed - go through the warnings and add site's certificate as an exception).
  2. Double-click on the "lock" icon in the status bar.
  3. Click on "View Certificate" in the Web Site Identity section
  4. Click on Details tab and then on Export button
  5. Select a .crt file to export your key, use the default X.509 PEM format.

4. Import Certificate into the Key Store

Now you can import the server's certificate into the located cacerts file. Change into the directory where cacerts is located and run keytool command, located in "bin" subdirectory under jreHome:

Code Block
..\..\bin\keytool -import -file path/to/the/exported/file.crt -alias my_jira_server -keystore cacerts
{code}

The

...

default

...

password

...

is

...

changeit

...

,

...

unless

...

you

...

have

...

changed

...

it.

...

Keytool

...

will

...

ask

...

for

...

confirmation,

...

to

...

which

...

you

...

should

...

answer

...

yes

...

and

...

then

...

write

...

updated

...

store

...

to

...

the

...

disk.

...

}
Note

You

have

to

have

write

permissions

to

the

cacerts

file

and

its

directory.

If

needed,

start

command

line

with

Administrative

permissions

under

Windows,

or

sudo

under

Linux

or

Mac

OS

X.

{note} h4.

5.

...

Start

...

JIRA

...

Client

...

Try

...

to

...

connect.

...

If

...

it

...

doesn't

...

work,

...

double-check

...

that

...

  • file

...

  • cacerts

...

  • got

...

  • modified;

...

  • cacerts

...

  • contains

...

  • your

...

  • server's

...

  • certificate

...

  • (use

...

  • keytool

...

  • -list

...

  • -keystore

...

  • cacerts

...

  • and

...

  • look

...

  • for

...

  • alias

...

  • my_jira_server);

...

  • you're

...

  • running

...

  • JIRA

...

  • Client

...

  • with

...

  • the

...

  • JRE

...

  • that

...

  • has

...

  • cacerts

...

  • modified

...

  • (not

...

  • some

...

  • other

...

  • JRE

...

  • on

...

  • your

...

  • hard

...

  • drive).

...

If

...

all

...

looks

...

correct

...

but

...

it

...

doesn't

...

work,

...

please

...

contact

...

support.

...

Info

Other solutions are also possible, for example, setting Java key store to a different file with certificate already there.