How can I configure OAuth 2.0 in order to be able to create issues based on received mail in JSD?

JConstantine September 29, 2020

When I tried to set OAuth 2.0 as the authentication method in Incoming Mail settings I realized that it's not on the list:

[Screenshot: AuthenticationMethod.png]

Then I checked the OAuth 2.0 settings:
[Screenshot: OAuth20_not_available.png]

I'm not using HTTPS at the moment. In the documentation, under "Running Jira applications over SSL or HTTPS", it is said: "If you need help with configuring SSL, create a question on the Atlassian community." So, I'd like to know how I can configure HTTPS in order to be able to enable the OAuth 2.0 authentication method?

1 answer

1 vote
Daniel Eads
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 30, 2020

Hi @JConstantine ,

Based on some of your other recent posts, I believe you're running Jira on Windows. This means you've got a few options available to you in order to run Jira over HTTPS:

In any case, it's expected that you've got a valid certificate signed by a public certificate authority in order to get HTTPS configured and OAuth working for email. If you don't have one already, you can get one free from Let's Encrypt.

If you have specific troubles after selecting which reverse proxy you're going to use, I'm happy to help!

Cheers,
Daniel

JConstantine October 1, 2020

@Daniel Eads Will nginx work for me? I'm using Windows Storage Server 2012R2, or should I use IIS if I have a server OS? Is there an Atlassian guide on configuring Jira Tomcat Server to use a Let's Encrypt certificate on Windows? On the official Let's Encrypt documentation page (Let's Encrypt documentation) the following is written:

To figure out what method will work best for you, you will need to know whether you have shell access (also known as SSH access) to your web host. If you manage your website entirely through a control panel like cPanel, Plesk, or WordPress, there’s a good chance you don’t have shell access. You can ask your hosting provider to be sure.

I installed Jira Software using the Installer. How do I know if I have SSH access to Tomcat server that Jira's working on?

From Let's Encrypt documentation:

To kick off the process, the agent asks the Let’s Encrypt CA what it needs to do in order to prove that it controls example.com. The Let’s Encrypt CA will look at the domain name being requested and issue one or more sets of challenges. These are different ways that the agent can prove control of the domain. For example, the CA might give the agent a choice of either:

  • Provisioning a DNS record under example.com, or
  • Provisioning an HTTP resource under a well-known URI on http://example.com/

I don't really understand how I can complete these challenges, because I've never worked with certificates before. What should I do first: get the certificate or set up the reverse proxy, and where's the connection between those processes? And what about this article: Running Jira applications over SSL or HTTPS?

I'm quite confused, because I'm new to this topic and don't really understand where I should start and what the sequence of required actions is from A to Z - the consistency.

JConstantine October 2, 2020

As I'm not proxying JIRA at the moment the following connector is set up in server.xml file:

[Screenshot: FromServerXML.png]

There are connectors for proxying Jira via Apache and Nginx and they are commented at the moment. But there's no connector for IIS. According to the documentation I have to put this connector:

[Screenshot: ConfigureIISConnector.png]

instead of the one that's currently set up in server.xml, right?

What do the following lines from the current configuration mean and do I need to put them into the new connector for IIS?

Relaxing chars because of JRASERVER-67974
relaxedPathChars="[]|" relaxedQueryChars="[]|{}^\`"<>"

use proxyPort="443" and scheme="https" in case the SSL is being terminate at IIS.

What does "in case the SSL is being terminate at IIS" mean?

Daniel Eads
Atlassian Team
October 2, 2020

The choice between IIS and nginx is whichever you're most comfortable with - both will run on Windows Server 2012.

We don't have official documentation on using Let's Encrypt - our documentation starts with the assumption that you've been able to procure a certificate already and are going to use that with your proxy. I would not recommend using Let's Encrypt with serving HTTPS directly from Jira. Let's Encrypt gives you a certificate with a relatively short expiration period - you'll want to have certbot renew this certificate for you. And that's difficult to do when trying to serve HTTPS directly from Tomcat/Jira, because the certificate has to be imported into the Java keystore rather than just sitting as a file on disk.

I'd suggest these actions in this order for you:

  1. Get a web server set up - either IIS or nginx, and serve a simple "Hello world" page over HTTP / port 80 so you know the web server is running. The default web page either of those serve up is fine. While it's not many steps to download and run nginx, it doesn't install itself as a Windows Service so you need to take some additional action to make sure it runs when you reboot. Here's an article for getting that set up after nginx is installed
  2. Procure a certificate - if you're using Let's Encrypt, set it up so that the certificate automatically renews itself. Don't insert the certificate into Jira - insert it at the proxy. Here are some instructions for doing this on Windows with nginx
  3. Only after you've completed the above steps, configure Jira to be proxied over HTTPS. Here's the one document to do the https proxy with nginx and Jira.

As far as the other questions - I think the above path will bypass a lot of the questions that you have. But I'll try and answer some if that helps give you a better picture:

  • If you're going to use IIS, then yes - you'll need to copy in a new connector as the IIS article mentions. The connectors for Apache / nginx that are already in the file can be uncommented if you're using one of those - which the setup guides for those will have you do
  • The relaxedPathChars prevents some characters that might be in a URL, like "&", from potentially breaking the proxy setup. Whichever guide you follow should specify if you need to do this for whichever proxy you're using.
  • Terminating SSL at IIS (or nginx) means that the proxy is where the certificate is installed, and that's where users' browsers would get the HTTPS connection from. In a simple diagram, you'd have:
    (user's computer)  <--HTTPS-->  (IIS)  <--HTTP-->  (Jira)
    When users interact via https://yourjira.whatever.com - it's IIS or nginx that is serving the site over HTTPS - or "terminating the SSL connection". The traffic between IIS and Jira doesn't use SSL/TLS in this scenario - it's regular unencrypted HTTP.
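
Added example (not part of the reply above and not Atlassian's code): a small audit of a Tomcat server.xml that checks whether each HTTP connector is set up for a proxy that terminates TLS, using the `scheme`, `secure`, `proxyName` and `proxyPort` connector attributes. The two server.xml fragments and the hostname jira.example.com are constructed placeholders, and the loopback check assumes the proxy runs on the same machine as Jira.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments; jira.example.com is a placeholder hostname.
DIRECT_HTTP = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
             redirectPort="8443"/>
</Service></Server>"""

BEHIND_TLS_PROXY = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
             address="127.0.0.1" scheme="https" secure="true"
             proxyName="jira.example.com" proxyPort="443"/>
</Service></Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_connectors(server_xml, public_host):
    """Return findings for each HTTP connector that a TLS-terminating proxy fronts."""
    findings = []
    expected = {
        "scheme": "https",         # Jira generates https:// links and redirects
        "secure": "true",          # request.isSecure() returns true
        "proxyName": public_host,  # hostname users type into the browser
        "proxyPort": "443",        # port the proxy listens on
    }
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue  # AJP connectors are out of scope for this check
        port = conn.get("port", "?")
        for attr, want in expected.items():
            got = conn.get(attr)
            if got != want:
                findings.append(f"port {port}: {attr}={got!r}, expected {want!r}")
        # The proxy-to-Jira hop is plain HTTP, so keep it off the network.
        # Assumption: the proxy runs on the same machine as Jira.
        if conn.get("address") not in LOOPBACK:
            findings.append(f"port {port}: plain-HTTP connector not bound to loopback")
    return findings


if __name__ == "__main__":
    for label, xml in (("direct", DIRECT_HTTP), ("proxied", BEHIND_TLS_PROXY)):
        print(label, audit_connectors(xml, "jira.example.com") or "OK")
```
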

JConstantine October 6, 2020

@Daniel Eads That article that you mentioned in step 3 is about running Confluence behind nginx and SSL. Don't I need this one instead: Configure Jira server to run behind a NGINX reverse proxy?

Daniel Eads
Atlassian Team
October 7, 2020

Yes - apologies @JConstantine and good catch! The process is the same, but the context paths (if you use one) and port numbers will be different between Jira and Confluence. You've found the correct article for Jira that won't require changing the port numbers :)

JConstantine October 15, 2020

@Daniel Eads I've stumbled upon this:

[Screenshot: 2020-10-15_12-53-04.png]

And there's this:

[Screenshot: 2020-10-15_14-40-35.png]

For me it's:

http://<JIRA Server Machine's IP address>.<JIRA Server Machine's domain name>:8080/

But whenever I try to procure a certificate from Let's Encrypt I end up with this error:

[Screenshot: 2020-10-15_14-49-06.png]

A and CNAME records for my domain name have been created. Port 80 for http and 443 for https are opened. Firewall has been temporarily disabled. Looks like I can't get the certificate from Let's Encrypt :(
