Getting a blank file when accessing JIRA on SSL

心不动则不痛 submitted on 2020-01-25 04:17:09

Question


I'm stuck on an SSL problem with JIRA. I've followed the instructions to set up Jira+SSL on Ubuntu but am getting a blank file when accessing http://domain.com:8443/

In the blank file I can see these

1503 0300 0202 0a

I'm not sure what I can do; the catalina logs don't report any problems.
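The seven bytes quoted in the question have the layout of a TLS record, so they can be decoded instead of being read as an empty file. The following is an added example, not part of the original post; the function names and the subset of alert codes in the table are choices made here.

```python
# Added example: classify the first bytes read from a port as TLS or plain HTTP.
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
RECORD_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0",
                   0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      40: "handshake_failure", 42: "bad_certificate",
                      48: "unknown_ca", 70: "protocol_version",
                      80: "internal_error"}

# The bytes quoted in the question, in the same hex-dump grouping.
QUESTION_DUMP = "1503 0300 0202 0a"


def parse_hexdump(text):
    """Turn a whitespace-grouped hex dump into bytes."""
    return bytes.fromhex("".join(text.split()))


def decode_response(data):
    """Describe a server's first bytes: HTTP status line, TLS record, or unknown."""
    if data.startswith(b"HTTP/"):
        return {"kind": "http",
                "status_line": data.split(b"\r\n", 1)[0].decode("latin-1")}
    if len(data) < 5:
        return {"kind": "unknown"}
    # TLS record header: 1-byte content type, 2-byte version, 2-byte length.
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype not in CONTENT_TYPES or version not in RECORD_VERSIONS:
        return {"kind": "unknown"}
    body = data[5:5 + length]
    record = {"kind": "tls", "content_type": CONTENT_TYPES[ctype],
              "version": RECORD_VERSIONS[version], "length": length,
              "truncated": len(body) < length}
    # An unencrypted alert body is exactly two bytes: level, description.
    if ctype == 21 and len(body) == 2:
        level, desc = body
        record["alert_level"] = ALERT_LEVELS.get(level, f"unknown({level})")
        record["alert_description"] = ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")
    return record


if __name__ == "__main__":
    print(decode_response(parse_hexdump(QUESTION_DUMP)))
```

For the question's bytes this yields a fatal `unexpected_message` alert in a TLS 1.2 record, i.e. the listener on that port is speaking TLS and rejected what the client sent.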


Answer 1:


How to add an SSL certificate to secure a JIRA installation:

Assumptions:

  1. JIRA is running on port 8080 or some other open port, on a Linux machine
  2. JIRA is using the Tomcat server and is independent of Apache HTTP Server
  3. You already have a valid CA-signed root certificate and certificate chain, after generating the CSR and key.
  4. No reverse proxy setting is enabled in Apache HTTP Server configuration

You will see a somewhat similar configuration in /conf/server.xml

<Service name="Catalina">
    <!-- HTTP Connector with values for scheme, proxyName and proxyPort -->
    <Connector port="8080"
               acceptCount="100"
               scheme="http"
               maxThreads="150"
               minSpareThreads="25"
               connectionTimeout="20000"
               enableLookups="false"
               maxHttpHeaderSize="8192"
               protocol="HTTP/1.1"
               useBodyEncodingForURI="true"
               disableUploadTimeout="true"/>
    <Engine name="Catalina" defaultHost="localhost">
        <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
            <Context path="" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
                <Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"
                          factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
                <Manager pathname=""/>
            </Context>

        </Host>

        <Valve className="org.apache.catalina.valves.AccessLogValve"
               pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%q %H&quot; %s %b %D &quot;%{Referer}i&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>

    </Engine>
</Service>

To add an SSL certificate, you first need to combine your key and root certificate into a single entity using the keytool Java executable. This is present in the /bin/ folder.

The main thing to note here is that if you use keytool to import the root certificate or chain certificate without the key, the browser may give SSL overlap or some other SSL-related error. So the first requirement is to import the certificates with the domain key.

Another thing: we need to convert the key and root .crt files into a PKCS12-compatible format so that Java keytool can read it in its own format. Otherwise you will again face SSL errors in browsers.

Now combine the key and certificate in PKCS format using openssl on your Linux machine; say you are in the /bin/ folder.

[root@mail bin]# openssl pkcs12 -export -in /opt/certificate_store/root.crt -inkey /home/certificate_store/domain.key -out server.p12 -name jira_alias -CAfile /home/certificate/gd_bundle.crt -caname root

Enter Export Password:

Verifying - Enter Export Password:

This command will create a file server.p12 (you can give it any name). Don't forget the alias name (you can give any alias name; it is an identifier used to get information about the certificate from a list, if any).

[root@mail bin]# ls

java jjs keytool orbd pack200 policytool rmid rmiregistry server.p12 servertool tnameserv unpack200

Now use keytool to convert it to a Java-readable format

[root@mail bin]# keytool -importkeystore -deststorepass <PASSWORD_HERE> -destkeypass <PASSWORD_HERE> -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass <PASSWORD_HERE> -alias jira_alias

(For symmetry, you can use the same password everywhere; this password must be given in server.xml later.)

The above command will create a file server.keystore using the given options

[root@mail bin]# ls

java jjs keytool orbd pack200 policytool rmid rmiregistry server.keystore server.p12 servertool tnameserv unpack20

Now your certificate keystore is ready to secure JIRA.

Open /conf/server.xml and add the following new connector after the old connector

    <!-- Standard HTTPS Connector  -->
    <Connector
            acceptCount="100"
            SSLEnabled="true"
            connectionTimeout="20000"
            disableUploadTimeout="true"
            enableLookups="false"
            maxHttpHeaderSize="8192"
            maxThreads="150"
            minSpareThreads="25"
            maxSpareThreads="75"
            port="<PORT_NUMBER_ON_WHICH_YOU_WANT_TO_RUN_JIRA_ON_SSL>"
            protocol="org.apache.coyote.http11.Http11NioProtocol"
            scheme="https"
            secure="true"
            clientAuth="false"
            keystoreType="JKS"
            keystoreFile="/opt/atlassian/jira/jre/bin/server.keystore"
            keystorePass="same password here that you had given in keytool"
            useBodyEncodingForURI="true"/>

Comment out the old HTTP connector, save the server.xml file and restart JIRA. Open your JIRA site on the specified port number, like http(s)://domain.com:, and check whether it is working. Alternatively, on the Linux console you can try the following command to check whether SSL is working on that port.

$openssl s_client -connect localhost:

It will print the whole certificate chain if working properly; otherwise it will not show any certificate and an error will be thrown.

If you still want to access JIRA on both HTTP and HTTPS, open the server.xml file, uncomment the old HTTP connector and put a forwarder from HTTP to HTTPS. Say your HTTP connector is listening on 8080 and your HTTPS connector is listening on port number 9000; then your server.xml connectors should look like this.

    <!-- HTTP Connector with values for scheme, proxyName and proxyPort -->
    <Connector port="8080"
               acceptCount="100"
               scheme="http"
               maxThreads="150"
               minSpareThreads="25"
               connectionTimeout="20000"
               enableLookups="false"
               maxHttpHeaderSize="8192"
               protocol="HTTP/1.1"
               useBodyEncodingForURI="true"
               redirectPort="9000"
               disableUploadTimeout="true"/>

    <!-- Standard HTTPS Connector  -->
    <Connector
            acceptCount="100"
            SSLEnabled="true"
            connectionTimeout="20000"
            disableUploadTimeout="true"
            enableLookups="false"
            maxHttpHeaderSize="8192"
            maxThreads="150"
            minSpareThreads="25"
            maxSpareThreads="75"
            port="9000"
            protocol="org.apache.coyote.http11.Http11NioProtocol"
            scheme="https"
            secure="true"
            clientAuth="false"
            keystoreType="JKS"
            keystoreFile="/opt/atlassian/jira/jre/bin/server.keystore"
            keystorePass="<PASSWORD_HERE>"
            useBodyEncodingForURI="true"/>

Enjoy SSL !!

Don't forget to add the following lines in /atlassian-jira/WEB-INF/web.xml

<security-constraint>
    <web-resource-collection>
        <web-resource-name>all-except-attachments</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
        <url-pattern>*.jspa</url-pattern>
        <url-pattern>/browse/*</url-pattern>
        <url-pattern>/issues/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
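
A check of the connector pairing described in this answer, as an added example that is not part of the original answer: it parses a server.xml and reports a plain-HTTP connector whose redirectPort does not point at a TLS connector, and a TLS connector left on Tomcat's default keystore password. The sample XML is constructed, and `is_tls` and `audit_connectors` are names chosen here.

```python
# Added example: audit <Connector> elements in a Tomcat server.xml.
import xml.etree.ElementTree as ET

# Constructed sample modelled on the connectors in the answer; the keystore
# path is a placeholder. It contains two deliberate mistakes.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" scheme="http" redirectPort="8443"/>
    <Connector port="9000" SSLEnabled="true" scheme="https" secure="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               keystoreType="JKS" keystoreFile="/path/to/server.keystore"
               keystorePass="changeit"/>
  </Service>
</Server>
"""


def is_tls(connector):
    return connector.get("SSLEnabled", "false").lower() == "true"


def audit_connectors(server_xml):
    """Return (port, finding) tuples for the HTTP and HTTPS connectors."""
    connectors = [c for c in ET.fromstring(server_xml).iter("Connector")
                  if not c.get("protocol", "").startswith("AJP")]
    tls_ports = {c.get("port") for c in connectors if is_tls(c)}
    findings = []
    for c in connectors:
        port = c.get("port")
        if is_tls(c):
            if c.get("scheme") != "https" or c.get("secure") != "true":
                findings.append((port, 'TLS connector lacks scheme="https"/secure="true"'))
            if not c.get("keystoreFile"):
                findings.append((port, "keystoreFile not set"))
            # Tomcat falls back to "changeit" when keystorePass is absent.
            if c.get("keystorePass", "changeit") == "changeit":
                findings.append((port, "keystore uses the default password"))
        else:
            # Tomcat's default redirectPort is 443.
            redirect = c.get("redirectPort", "443")
            if redirect not in tls_ports:
                findings.append((port, f"redirectPort {redirect} is not a TLS connector"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
```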



Answer 2:


Following https://confluence.atlassian.com/display/JIRA/Running+JIRA+over+SSL+or+HTTPS

In /conf/server.xml, I removed keyAlias="jira".

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
     maxHttpHeaderSize="8192" SSLEnabled="true"
     maxThreads="150" minSpareThreads="25"
     enableLookups="false" disableUploadTimeout="true"
     acceptCount="100" scheme="https" secure="true"
     clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
     keyAlias="jira" keystoreFile="<JIRA_HOME>/jira.jks" keystorePass="changeit" keystoreType="JKS"/>


Source: https://stackoverflow.com/questions/29867525/getting-a-blank-file-when-accessing-jira-on-ssl
