jira subject alternative name errors with SSL certificate even when the name MATCHES. Why?

g1patnaik
Contributor
February 2, 2019

Hi,

I am getting the following errors in JIRA with a few plugins:

javax.net.ssl.SSLPeerUnverifiedException: Certificate for <192.168.60.5> doesn't match any of the subject alternative names: [IP:192.168.60.5, localhost, IP:127.0.0.1]

As you can see, the IP mentioned in the braces MATCHES one of the IPs listed in the Suggested Alternative Names.

(Earlier, it was NOT matching. Then I recreated the certificates.

I also came to know that the format for mentioning IPs in SAN is by adding IP: as a prefix, as above. However, I have also tried WITHOUT adding the IP: prefix and it still throws the error.)

  • I am evaluating JIRA software on my desktop VMs and haven't configured any DNS for the application IP.
  • I have set up a proxy with nginx running on port 443.
  • The JIRA application is running on port 8080 without SSL enabled and is configured to use the proxy running on 443 with the https scheme.
  • The Server Base URL is pointing to the proxy server, i.e., https://192.168.60.5/jira, and there is no issue with accessing the application. But I see the above-mentioned errors with a few plugins, which also may be failing.

Certificate entry in the keystore:

# keytool -list -v -keystore /etc/pki/java/cacerts -alias jiratest
Creation date: Feb 2, 2019
Entry type: trustedCertEntry

Owner: CN="JIRA Test, Jeevan", O=MyCompany, L=Hyderabad, ST=Telangana, C=IN
Issuer: CN="JIRA Test, Jeevan", O=MyCompany, L=Hyderabad, ST=Telangana, C=IN
Serial number: e00a70d182c2e31e
Valid from: Sat Feb 02 16:34:14 IST 2019 until: Sun Feb 02 16:34:14 IST 2020
Certificate fingerprints:
MD5: B4:F2:71:D6:AE:39:9D:61:37:17:82:6C:E0:C5:B8:9E
SHA1: 5E:83:1A:6B:2C:D7:78:4D:C5:1D:81:11:F1:43:F0:6E:08:08:8D:0E
SHA256: 51:42:7A:39:3D:7A:D9:59:04:4F:5B:50:26:3B:98:1F:18:F0:D4:58:A0:9B:B2:A3:1E:C0:02:12:AB:3A:DD:98
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: IP:192.168.60.5
DNSName: localhost
DNSName: IP:127.0.0.1
]

 

Any ideas, please suggest.

Thanks!

P.S.: My previous post for the same on the discussion forum was deleted. If you are going to delete this post too, please mention the reason. I have checked almost all questions on this site and couldn't find a solution for my particular case :(

2 answers

1 accepted

1 vote
Answer accepted
g1patnaik
Contributor
February 2, 2019

My bad... the IP: prefix is not the only way to mention an IP address inside Suggested Alternative Names and may or may not be supported by all user agents. The IPAddress field, instead of DNS, can be used to mention the IP.

So, it can be as below:

SubjectAlternativeName [
IPAddress: 192.168.60.5
IPAddress: 127.0.0.1
DNSName: IP:192.168.60.5
DNSName: localhost
DNSName: IP:127.0.0.1
]

 It worked after making these changes :)

Craig Castle-Mead
Rising Star
February 3, 2019

Glad you got it solved, and thank you for taking the time to come back and post your findings in case they help others in the future.

CCM
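
Why the first certificate was rejected, as an added example that is not part of the original thread: under RFC 2818 section 3.1 a host given as an IP literal is compared only against SAN entries of type iPAddress, so a dNSName whose text is "IP:192.168.60.5" is never considered. The sketch below is a simplified model of that rule (not Jira's or any HTTP library's own code); the SAN lists are transcribed from the keytool output above, and the function names are hypothetical.

```python
import ipaddress

# SAN entries as (type, value) pairs, transcribed from the keytool output in this thread.
SAN_BEFORE = [("DNSName", "IP:192.168.60.5"), ("DNSName", "localhost"),
              ("DNSName", "IP:127.0.0.1")]
SAN_AFTER = [("IPAddress", "192.168.60.5"), ("IPAddress", "127.0.0.1")] + SAN_BEFORE


def parse_ip(text):
    """Return an ip_address object if text is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def dns_matches(pattern, host):
    """Case-insensitive DNS match with a single leftmost-label wildcard."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        # "*.example.com" matches exactly one extra label on the left.
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def host_matches_san(host, san):
    """RFC 2818 section 3.1: IP hosts match iPAddress entries, names match dNSName."""
    ip = parse_ip(host)
    if ip is not None:
        # A dNSName holding the text "IP:192.168.60.5" is never consulted here.
        return any(t == "IPAddress" and parse_ip(v) == ip for t, v in san)
    return any(t == "DNSName" and dns_matches(v, host) for t, v in san)


def mistyped_entries(san):
    """Flag dNSName values that are really IP addresses (with or without 'IP:')."""
    flagged = []
    for t, v in san:
        candidate = v[3:] if v.upper().startswith("IP:") else v
        if t == "DNSName" and parse_ip(candidate) is not None:
            flagged.append(v)
    return flagged


if __name__ == "__main__":
    for label, san in (("before", SAN_BEFORE), ("after", SAN_AFTER)):
        print(label, host_matches_san("192.168.60.5", san), mistyped_entries(san))
```

The leftover DNSName entries carrying an "IP:" prefix are still flagged in the second certificate: they do not break the match, but they do nothing for an IP host either.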

0 votes
Anurag Jalan
Contributor
July 3, 2019

Hi Jeevan,

 

I need to include multiple SANs (both IP and DNS) while executing the command below to generate a keystore. So my requirement is similar to yours of having multiple SANs.

For one SAN, I can use the command below. How do I include multiple SANs in this command?

./keytool -genkeypair -keyalg RSA -keysize 2048 -keystore keystore_samplecrowd.jks -alias crowd.sg.uobnet.com -ext san=dns:jira.xxx.xxx.com

 

Any help in this regard would be appreciated.

Anurag Jalan
Contributor
July 4, 2019

Please ignore it. I managed to find the solution:

./keytool -genkeypair -keyalg RSA -keysize 2048 -keystore keystore_crowd.jks -alias jira.xxx.xxx.com -ext san=dns:jira.xxx.xxx.com,dns:abc.def.ghi.com,dns:xxx.xxx.xxx.xxx,ip:172.xxx.xxx.xxx,ip:172.xxx.xxx.xxx
