Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

SSL certificate Issue : Unable to get local issuer certificate issue for Jira app over HTTPs

bhimashankar_poddar
bhimashankar_poddar
Contributor
August 17, 2024

Hello Atlassian Community,

Before diving into problem, here are the details of Jira setup that I have,

  • Jira Server : 9.4.14 Data Center
  • Base URL : https://qa-jira.com
  • Host platform : Kubernetes
  • SSL Certificate : Self Signed, Managed by Nginx Ingress controller
  • Nginx Ingress : Host = qa-jira.com, Target port = 443, Backend port = 443
  • Jira Webserver (server.xml) : Configured with 2 connectors. (1) for HTTP/HTTPS without proxy. Port=8080, Redirect_port=8443 (2) for HTTPS with proxy. Port=8443, ProxyName=qa-jira.com, ProxyPort=443

With this setup, Jira application starts without an issue and can be accessed at 'qa-jira.com'.

But issue is gadgets are not properly getting loaded and internal API calls executed via scripts returns 'Unable to get local issuer certificate'.

Also when I test it with openssl s_client -connect qa-jira.com:443 returns 'verify error:num=20:unable to get local issuer certificate'

Do I have to make any additional configuration in Jira to get this 'Self Signed' certificate to be trusted in Jira? I am not sure.

Your help or suggestions to get more insights on the issue would be very much appreciated.

Thank you.

Answer
Watch
Like Be the first to like this
1130 views

2 answers

0 votes
Yevhen
Yevhen
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 18, 2024

You need to follow https://atlassian.github.io/data-center-helm-charts/userguide/CONFIGURATION/#self-signed-certificates

Reply
0 votes
Victor Law
Victor Law
Community Champion
August 17, 2024

Hi @bhimashankar_poddar

Have you tried importing the certificate into Java's truststore that Jira utilizes?

Kindly refer to the steps below for importing the cert into the truststore:

https://confluence.atlassian.com/kb/how-to-import-a-public-ssl-certificate-into-a-jvm-867025849.html

Thank you.

View More Comments
bhimashankar_poddar
bhimashankar_poddar
Contributor
August 17, 2024

Hi @Victor Law 

Thank you for your response and the information shared.

And I have already tried this. I have imported ssl-cert into jvm truststore. The issue still persists. 

Apart from this, I tried below,

  • Mounted root cert and intermediate cert into 'configmap' in Kubernetes on path /usr/local/share/ca-certificates and /etc/ssl/certs respectively. And used 'update-ca-certificates' command to update.

But it is still not working.  

Like
Ralf Fehling
Ralf Fehling
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
August 17, 2024

Hey @bhimashankar_poddar

Why did you configure two connectors in the Server.xml? This is where I see the problem. Only 443 with 8443 and proxy name should be active here.

The diversion must take place in Nginx. So that all requests to jira are only ever made via 443. 

https://vsys.host/how-to/how-to-redirect-http-to-https-in-nginx

Best Regards

Ralf 

 

Like
bhimashankar_poddar
bhimashankar_poddar
Contributor
August 18, 2024

Hi @Ralf Fehling 

Thank you for your reply.

I configured 2 connector because one for handling traffic over HTTPs and another for redirecting HTTP --> HTTPs.

But as per your suggestion, i modified 'server.xml' with only one connector 443 with 8443 port for HTTPs and removed another connector.

As per link to redirect http-->https in nginx, tried to configured annotations such as 'ssl-redirect', 'force-ssl-redirect', but issue still persists. Gadgets are not getting loaded and API calls still shows 'unable to get local issuer certificate' 

I am not sure, where the things are wrong? At Ingress level (k8s) or at webserver (Jira side) level?

 

Like
bhimashankar_poddar
bhimashankar_poddar
Contributor
August 18, 2024

I followed this documentation for SSL certificate configuration in Jira.

https://thejiraguy.com/2021/10/14/adding-ssl-to-jira/

And I am facing the SSL certificate issue...Is there anything missing in this document? I am not sure.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.