Hi Oliver,

Thanks for your feedback.

When I click on the ur that you have done I have :

Looks like we’re off the beaten track

They say that all roads, lead to Rome.

But we’ve lost our way, so let’s try going home.

Head to our documentation homepage that does exist.

Could you send here step to follow please?

kindly,

Jacyntha

Interesting, the community editor is adding some extra parameter at the end "ga ...."

just remove it i the browser header and then the link worked.

I try to insert it again How to fix gadget titles showing as __MSG_gadget

Maybe this article will help you to:

• https://confluence.atlassian.com/jirakb/jira-displays-an-error-banner-about-the-base-url-314447143.html
• https://community.atlassian.com/t5/Jira-questions/Base-URL-for-gadgets-problem/qaq-p/617205

Oliver,

All gadget seems fine on my dashboard but I have this warning detailled on my first creation.

What does this check do?

Checks if JIRA is able to access itself through the configured Base URL to ensure that dashboard gadgets will work.

What did means? how to avoir it.

$ curl -v https://tapq186lv/lynx
* About to connect() to tapq186lv port 443 (#0)
*   Trying 192.168.183.129... connected
* Connected to tapq186lv (192.168.183.129) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Remote Certificate has expired.
* NSS error -8181
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[ TAPQ186LV | root | 2018-02-22 11:14:28 | /root ]
$ curl -k https://tapq186lv/lynx
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://tapq186lv/lynx/">here</a>.</p>
</body></html>

Kindly,

Jacyntha

$ wget https://tapq186lv/lynx --no-check-certificate
--2018-02-22 11:48:58--  https://tapq186lv/lynx
Resolving tapq186lv... 192.168.183.129
Connecting to tapq186lv|192.168.183.129|:443... connected.
WARNING: cannot verify tapq186lv’s certificate, issued by “/DC=mg/DC=telma/DC=corp/CN=Telma CA”:
  Self-signed certificate encountered.
WARNING: certificate common name “TAPP85LV” doesn’t match requested host name “tapq186lv”.
HTTP request sent, awaiting response... 302 Found
Location: https://tapq186lv/lynx/ [following]
--2018-02-22 11:48:58--  https://tapq186lv/lynx/
Reusing existing connection to tapq186lv:443.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: “index.html”

    [ <=>                                                                                                                           ] 37,097      --.-K/s   in 0.03s

2018-02-22 11:48:58 (1.33 MB/s) - “index.html” saved [37097]

"What did means? how to avoir it." It means that Jira can't connect to itself with https requests. The reasons are the reasons I exlplained

It sounds as your SSL is self signed, so you need to import it into your keystore so that Jira is not unhappy with it:

https://community.atlassian.com/t5/Jira-questions/Import-Certificate-into-the-Trust-store/qaq-p/206480

And check your server.xml setting if it's correct with proxyName .... 

Did you clone the prod machine to test and assign a different URL to  the clone?

Hi Oliver,

No issue on the certificate. I have verified it.

Hi Danyal,

our test server is a clone of our Prod but the cloning was already long and the test had always worked on all the updates that we have done since

Kindly,

Jacyntha

and assign a different URL to  the clone?

This bit is kind a important :)

You might have ignored this error previously. It is not an obvious eye catcher.

May I see the jira log. Is there a PKIX exception in the logs ?

Hi Danyal,

I have this on catalina.out:

2018-02-22 15:11:01,604 HealthCheck:thread-8 ERROR ServiceRunner     [c.a.t.j.healthcheck.support.BaseUrlHealthCheck] An error occurred when performing the Base URL hea
lthcheck:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp ch
eck failed
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectio

Kindly,

Jacyntha

No issue on the certificate. I have verified it.

how did you verify it? the exception points towards a corrupt/untrusted certificate.

You need to add a valid certificate to the java keystore used by your instance. Use ps -ef or the task manager to see the path of the java installation used by your tomcat, since multiple java installations are common in atlassian servers.

Only one instance for java:

jira     26244     1  2 12:08 ?        00:05:15 /opt/java/jre/bin/java -Djava.util.logging.config.file=/opt/atlassian2/jira/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Xms512m -Xmx1024m -Djava.awt.headless=true -Datlassian.standalone=JIRA -Dorg.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER=true -Dmail.mime.decodeparameters=true -Dorg.dom4j.factory=com.atlassian.core.xml.InterningDocumentFactory -XX:-OmitStackTraceInFastThrow -Datlassian.plugins.startup.options= -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Xloggc:/opt/atlassian2/jira/logs/atlassian-jira-gc-%t.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=20M -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintGCTimeStamps -XX:+PrintGCCause -classpath /opt/atlassian2/jira/bin/bootstrap.jar:/opt/atlassian2/jira/bin/tomcat-juli.jar -Dcatalina.base=/opt/atlassian2/jira -Dcatalina.home=/opt/atlassian2/jira -Djava.io.tmpdir=/opt/atlassian2/jira/temp org.apache.catalina.startup.Bootstrap start

generate a new certificate with the correct URL and import it into the java keystore, in your case /opt/java/jre/lib/security/cacert

Let me do it and give you feedback after

Danyal,

Certicifate has done and applied on cacert but always have error:

2018-02-22 17:34:15,325 HealthCheck:thread-3 ERROR      [c.a.t.j.healthcheck.support.BaseUrlHealthCheck] An error occurred when performing the Base URL healthcheck:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)

Kindly,

Jacyntha

2018-02-22 17:34:15,310 HealthCheck:thread-5 WARN      [c.a.t.j.healthcheck.util.SupportEolCheckUtil] Not able to retrieve the JIRA version information from MPAC
2018-02-22 17:34:15,310 HealthCheck:thread-5 ERROR      [c.a.t.j.healthcheck.support.EolSupportHealthCheck] An error occurred when performing the EOL check, see the exceptions for more info
org.apache.http.conn.HttpHostConnectException: Connect to marketplace.atlassian.com:443 [marketplace.atlassian.com/34.239.16.84, marketplace.atlassian.com/34.205.61.250, marketplace.atlassian.com/52.2.89.223] failed: Connection refused
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:159)
        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)

Hi all,

Update please?

This error is not due to this warning when starting jira:

2018-02-26 09:48:06,024 JIRA-Bootstrap WARN      [c.a.jira.health.HealthChecks] We've found a problem with your database connection URL
2018-02-26 09:48:06,026 JIRA-Bootstrap WARN      [c.a.jira.health.HealthChecks] The connection URL in your dbconfig.xml file contains the storage_engine parameter, which has been deprecated. This should be replaced with the default_storage_engine parameter.

Kindly,

Jacyntha

2018-02-26 10:15:28,833 HealthCheck:thread-7 WARN      [c.a.t.j.healthcheck.util.SupportEolCheckUtil] Not able to retrieve the JIRA version information from MPAC
2018-02-26 10:15:28,834 HealthCheck:thread-7 ERROR      [c.a.t.j.healthcheck.support.EolSupportHealthCheck] An error occurred when performing the EOL check, see the exceptions for more info
org.apache.http.conn.HttpHostConnectException: Connect to marketplace.atlassian.com:443 [marketplace.atlassian.com/34.239.16.84, marketplace.atlassian.com/34.205.61.250, marketplace.atlassian.com/52.2.89.223] failed: Connection refused
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:159)
        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)

......

        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
        ... 18 more
2018-02-26 10:15:28,864 HealthCheck:thread-5 ERROR      [c.a.t.j.healthcheck.support.BaseUrlHealthCheck] An error occurred when performing the Base URL healthcheck:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)

...

        at java.lang.Thread.run(Thread.java:745)
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed
        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:352)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
        ... 27 more
Caused by: java.security.cert.CertPathValidatorException: timestamp check failed
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
        ... 33 more
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Sun Oct 11 16:02:27 EAT 2015
        at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
        at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
        at sun.security.provider.certpath.BasicChecker.verifyTimestamp(BasicChecker.java:190

sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed

You are trying to communicate with a server whose certificate has expired. The previously mentioned solution is still valid. You can either renew the certificate or switch to http:)

Hi all,

The certificate is now OK but I have a question: Is possible that upgrade make an attachment disappeared or surpressed?

Kindly,

Jacyntha

No attachments never get removed or compressed in upgrade process.

Hi all,

When I upgraded now to 7.6.2. I have this error:

Backing up the JIRA home directory

com.install4j.runtime.beans.actions.files.CreateZipFileAction failed

Ignore [i, Enter], Quit [q]

Deleting the previous JIRA installation directory...

Extracting files ...


Please wait a few moments while JIRA Software is configured.
Installation of JIRA Software 7.6.2 is complete
Start JIRA Software 7.6.2 now?
Yes [y], No [n, Enter]

Installation of JIRA Software 7.6.2 is complete
Your installation of JIRA Software 7.6.2 is now ready.
Custom modifications
Your previous JIRA installation contains customisations (eg server.xml) that
must be manually transferred. Refer to our documentation more information:
http://docs.atlassian.com/jira/jadm-docs-076/Upgrading+JIRA+applications+manually#UpgradingJIRAapplicationsmanually-configuringnewjiraasold3.4MigrateyourexistingJIRAconfigurationsovertoyournewJIRAinstallation
Finishing installation ...

And then we it's finished with this error JIra can't be started.

Could you help please?

Kindly,

Jacyntha