Dear Jira Gurus,

I successfully replaced SSL Certificates in many of our Atlassian application environments (Bitbucket, Bamboo, and Jira).  All of our Atlassian products run on Linux (CentOS 7) and we use a corporate certificate authority to create our certificates. 

We are transitioning to a new internal CA server, so I need to replace the SSL Certificate in our Jira Development environment.  This development uses CentOS 7 and Jira version 7.13.0.  I followed all the usual steps:

• Found existing keystore file /home/jira/.keystore
• Confirmed that "  keystoreFile="/home/jira/.keystore"  "  is configured in our server.xml file
• Stopped Jira
• Renamed "/home/jira/.keystore" as "/home/jira/.keystore.OLD"
• Used "keytool" to create a new keystore

$ /jira-data/atlassian/jira/jre/bin/keytool -genkeypair -keysize 2048 -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore /home/jira/.keystore

• Converted the keystore file as suggested by the warning

sudo /jira-data/atlassian/jira/jre/bin/keytool -importkeystore -srckeystore /home/jira/.keystore -destkeystore /home/jira/.keystore -deststoretype pkcs12

• Used "keytool" to create a certificate request

sudo /jira-data/atlassian/jira/jre/bin/keytool -certreq -keyalg RSA -alias tomcat -file myhost.csr -keystore /home/jira/.keystore -ext san=dns:myhost.corp.mycompany.com,ip:10.xx.yy.zz

• Used our corporate Certificate Authority to generate a certificate file, plus additional certificates for the certificate authority host and internal root certificate authority

$ sudo ls -latr /home/jira
. . . <SNIP> . . .
-rw-------  1 jeinhorn jeinhorn   970 Apr 30 16:01 mycahost.cer
-rw-------  1 jeinhorn jeinhorn   963 Apr 30 16:01 mycompanyRootCA.cer
-rw-------  1 jeinhorn jeinhorn  2090 Apr 30 16:01 myhost.cer

• Imported each certificate into the new keystore

sudo /jira-data/atlassian/jira/jre/bin/keytool -import -alias MycompanyRootCA -trustcacerts -file /home/jira/mycompanyRootCA.cer -keystore /home/jira/.keystore

sudo /jira-data/atlassian/jira/jre/bin/keytool -import -alias LocalCA         -trustcacerts -file /home/jira/mycahost.cer -keystore /home/jira/.keystore

sudo /jira-data/atlassian/jira/jre/bin/keytool -import -alias tomcat                        -file /home/jira/myhost.cer -keystore /home/jira/.keystore

• Used "keytool list -v" to confirm that the new .keystore file reflects the identify of our new certificate authority server
• Restarted Jira

When I connect to Jira and inspect the certificate that is being used, it shows the OLD certificate signed by the OLD certificate server.

I have perused uncountable blogs, articles, and guides on this topic.  And as I said, I have successfully replaced many SSL Certificates in many of our other Atlassian environments.  This environment is a baffling exception. 

To investigate, I tried using "strace -f" with my startup command:

sudo strace -f -o /tmp/strace_start_jira.out /jira-data/atlassian/jira/bin/start-jira.sh

I searched through all the "open" statements of the trace log and found only two files that relate to certificates: 

/home/jira/.keystore and /jira-data/atlassian/jira/jre/lib/security/cacerts 

I meticulously used "keytool list -v" on both these files to confirm that our OLD CA server is NOT referenced in either file, and our NEW CA server IS referenced in /home/jira/.keystore

Still, after I restart Jira, our Jira login page is using the old SSL certificate.  I have spent 3 days hunting for other certificate files on this server, and found none.  Could Jira be caching the old certificate somewhere?  I tried removing all log files in folders /jira-data/atlassian/jira/logs and  /jira-data/var/atlassian/application-data/jira/log and then reviewing these logs after startup.  I don't see any error that could relate to our SSL Certificate.

This has been baffling and painful, considering that I have accomplished the equivalent task in so many other environments.  I would be grateful for any suggestions.

Thanks,
Janet