Jira – Login not working

Problem

Login to JIRA is not working. JIRA is connected to LDAP.

Analysis

less /app/jira/jira/logs/catalina.out

[...]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[...]
less /app/jira/jira/bin/setenv.sh 

[...]
# DO NOT remove the following line
JAVA_HOME="/app/jira/jira/jre/"; export JAVA_HOME
[...]
ls -lisah /app/jira/jira/jre/lib/security/

[...]
134994220 116K -rw-rw-r--.  1 jira myusers 113K Jun 28  2019 cacerts
[...]
keytool -list -v -keystore /app/jira/jira/jre/lib/security/cacerts
Enter keystore password: <Just hit RETURN>

[...]
lots of certificates
[...]

keytool -list -v -keystore /app/jira/jira/jre/lib/security/cacerts -alias ldap.services.mycompany
--> Shows LDAP Certificate Details

Fix the Problem

Get the LDAP SSL certificate and put it into the keystore:

openssl s_client -connect ldap.services.mycompany:636 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/ldap-sslcert.pem
/app/jira/jira/jre/bin/keytool -import -keystore /app/jira/jira/jre/lib/security/cacerts -file /tmp/ldap-sslcert.pem -alias ldap.services.mycompany
Enter keystore password: changeit
keytool error: java.lang.Exception: Certificate not imported, alias <ldap.services.mycompany> already exists

keytool -delete -keystore /app/jira/jira/jre/lib/security/cacerts -alias ldap.services.mycompany
Enter keystore password: changeit

/app/jira/jira/jre/bin/keytool -import -keystore /app/jira/jira/jre/lib/security/cacerts -file /tmp/ldap-sslcert.pem -alias ldap.services.mycompany
Enter keystore password: changeit
Trust this certificate? [no]:  yes
Certificate was added to keystore

Restart Jira:

systemctl restart jira

###########
## Restart of Jira takes very long, wait for 10 minutes
###########

Test

Go to JIRA Login Page and login.
It is working again.
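
The import step above trusts whatever certificate openssl s_client received from port 636. As an added example (not part of the original post), the script below compares the fetched PEM's SHA-256 fingerprint with a value obtained out of band before keytool -import is run, and rejects the empty file a failed connection leaves behind. The function names, the EXPECTED_FP variable and the sample PEM are constructed for illustration.

```sh
#!/bin/sh
# Added example: pin check for a fetched PEM before it is imported into cacerts.
# Uses only awk, tr, base64, sha256sum, cut and mktemp.

# Print the SHA-256 fingerprint (lowercase hex) of the first certificate in PEM file $1.
pem_fingerprint() {
  # Base64 body of the first BEGIN/END CERTIFICATE block, line breaks removed.
  body=$(awk '/-BEGIN CERTIFICATE-/{f=1;next} /-END CERTIFICATE-/{exit} f' "$1" | tr -d ' \r\n')
  # Empty body: the s_client | sed pipeline wrote nothing (connection or TLS failure).
  [ -n "$body" ] || { echo "no certificate in $1" >&2; return 2; }
  der=$(mktemp) || return 2
  if ! printf '%s' "$body" | base64 -d > "$der" 2>/dev/null; then
    rm -f "$der"; echo "invalid base64 in $1" >&2; return 2
  fi
  sha256sum < "$der" | cut -d' ' -f1
  rm -f "$der"
}

# Accept the pin as keytool/openssl print it (AB:CD:...) or as plain hex.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \t\n' | tr 'A-F' 'a-f'
}

# Return 0 if PEM file $1 matches pin $2, 1 on mismatch, 2 if the file is unusable.
verify_pin() {
  actual=$(pem_fingerprint "$1") || return 2
  [ "$actual" = "$(normalize_fp "$2")" ]
}

# Constructed sample: a PEM wrapper around placeholder bytes, not a real certificate.
make_sample_pem() {
  {
    echo '-----BEGIN CERTIFICATE-----'
    printf 'constructed sample bytes, not a real certificate' | base64
    echo '-----END CERTIFICATE-----'
  } > "$1"
}

# Demo: a wrong pin must block the import.
demo=$(mktemp); make_sample_pem "$demo"
verify_pin "$demo" "00:11:22" || echo "pin mismatch: do not import"
rm -f "$demo"

# Real use (EXPECTED_FP is a hypothetical variable holding the out-of-band pin):
#   verify_pin /tmp/ldap-sslcert.pem "$EXPECTED_FP" && \
#     /app/jira/jira/jre/bin/keytool -import -keystore /app/jira/jira/jre/lib/security/cacerts \
#       -file /tmp/ldap-sslcert.pem -alias ldap.services.mycompany
```

The pin can be pasted in the colon-separated form that keytool -list -v prints on its SHA256 line.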