Installing/Renewing Certificate for JIRA, in Windows


#1

I think I chose the most unfriendly mix of technologies…

Here is the setup:

Atlassian JIRA Server for Windows, self-hosted on a laptop at home. (I chose Windows because it lets me create a “hot” image backup as a very simple DR plan.) JIRA is currently happy using http, port 80.

Using letsencrypt-win-simple, I was unable to give it a local file system path that it could write to for the ACME verification so I temporarily stopped the JIRA service and ran Mongoose web server. That worked and it gave me the following .pem files:

ca-0A0141420000015385736A0B85ECA708-crt.pem
jira.findmyshit.ca-crt.pem
jira.findmyshit.ca-csr.pem
jira.findmyshit.ca-key.pem

Using this post as a reference, it looks like I just need the full chain .pem file and the private key .pem file but which one is which from above??

Using trial and error, I successfully ran the following:

openssl pkcs12 -export -in jira.findmyshit.ca-crt.pem -inkey jira.findmyshit.ca-key.pem -out fullchain_and_key.p12 -name tomcat

and then successfully ran:

"C:\Program Files (x86)\Java\jre1.8.0_131\bin\keytool.exe" -importkeystore -destkeystore MyDSKeyStore.jks -srckeystore fullchain_and_key.p12 -srcstoretype PKCS12 -alias tomcat -deststorepass _my-password_ -destkeypass _my-password_ -srcstorepass _my-password_

“Successful” simply means that I did not get any errors.

Using these instructions from Atlassian, I copied MyDSKeyStore.jks to the JIRA folder as jira.jks and used JIRA’s config.exe as per the instructions. However, hitting config’s “test” button, I got “The private key could not be found in the keystore”.

I suspect that I am doing something wrong at either the openssl or the keytool phase.

Once I learned about Certify here, I hoped it would output more friendly .pem files but all I found was the Visual Studio project, which seemed to be missing ACMESharp, and downloading that as a separate project seemed like a rabbit hole.

I’m really hoping that someone can point out my folly(ies).

Thanks!
Craig


#2

Hi Craig

I believe your issue is with alias

You seemed to be using tomcat vs the recommended jira

Questions I have for you

A) Can you paste screenshots of your Jira Config?
B) Can you paste screenshots of your Portecle Config?

Andrei


#3

Alternatively I can do a step by step guide if you prefer?

Andrei


#4

Hi Andrei,

Holy smokes, that worked! At least, JIRA’s config.bat tool gave me thumbs up.

However, after selecting http+https, whether I enter port 443 or 8443, the JIRA service fails to restart. I checked netstat -an | find "443" but nothing is listening. Here is the Windows service start error message:

Here is my config:

I should say that when I ran config.bat (as Administrator, yes), it complained about: “No JRE_HOME or JAVA_HOME environment variable is set - attempting to just run ‘java’ command” but since the GUI did fire up, I thought it wasn’t a problem.

Thank you very much for offering to help! If you do not think it’s just another tweak then a step-by-step guide would be much appreciated.

Oh, I did see the Porecle steps on the JIRA page but I thought that the “Cry for help…” LE page with the openssh and the keytool steps would take the place of Portecle. Was that wrong?

Thanks again,
Craig


#5

Hi Craig

I get a lot of shit for this but usually I spend 70-80% of my time reading manuals before I type anything on a keyboard :wink:

I haven’t installed JIRA for a while but one of the steps you used to have to do was setup the JAVA_HOME and JRE_HOME Environmental variables.

https://confluence.atlassian.com/adminjiraserver071/installing-java-802592166.html

The reason is that most of the commands are run in this fashion JAVA_HOME/some command

Without having JAVA_HOME as an Environmental Variable Windows will not be able execute the commands

Have a look at your config.bat file and you will find that the paths aren’t hard coded (C:\Program…etc) they are relative to the JAVA_HOME directory :smiley:

Andrei


#6

Well, I do have a JAVAHOME=C:\ProgramData\Oracle\Java\javapath. Perhaps that is why JIRA runs at all?

I added JAVA_HOME and gave it the same path but then config complained that I must use at least Java 1.8.

I noticed that I had installed C:\Program Files (x86)\Java\jre1.8.0_131\bin\java so I changed JAVA_HOME to that but the result re: config was the same: it ran but I could still not start the JIRA service with https selected.

It surprises me that installing the JRE does not add the JAVA_HOME environment variable during installation. And what is the difference between JAVAHOME and JAVA_HOME?

Perhaps I’m getting too much into a set of JIRA/Java questions when this is a Let’s Encrypt forum. I do appreciate any help though. Still stuck.

Craig


#7

Hi @csilver

Not at all

I use Jira and Confluence Personally for all my projects so happy to help out

For now revert the HTTPS config to HTTP only.

I am installing JIRA on my laptop today or tomorrow so will be able to give more recent advice.

I believe the HTTPS version requires extra libraries in the JAVA_HOME path hence your errors.

Andrei


#8

Thanks, Andrei. I’ve reverted back for now. Whenever you have news is great.

Craig


#9

Hi Andrei, did you have the chance to look at this any?


#10

hi @csilver

I did :D, apologies for the delays I misread your message and would have sent something through sooner :frowning: .

I believe the root cause is the bindings that config.bat creates are inaccurate so I used the instructions here instead: https://confluence.atlassian.com/adminjiraserver073/running-jira-applications-over-ssl-or-https-861253906.html - the advanced section

I had a JKS I created in this tutorial Tutorial - Java KeyStores (JKS) With Let's Encrypt. As long as your JKS is in line (use the KeyExplorer tool to confirm) you should have no issues

Server.xml file updated manually

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
          maxHttpHeaderSize="8192" SSLEnabled="true"
          maxThreads="150" minSpareThreads="25"
          enableLookups="false" disableUploadTimeout="true"
          acceptCount="100" scheme="https" secure="true"
          sslEnabledProtocol="TLSv1.2"
          clientAuth="false" sslProtocol="TLSv1.2" useBodyEncodingForURI="true"
          keyAlias="simple-cert" keystoreFile="D:\LETSENCRYPT\JAVA-KEY-TOOL\letsencrypt.jks" keystorePass="test12345" keystoreType="JKS"/>

Running Using localhost:8443 (errors occur due to name matching but right cert is used)

Running using jks-simple-cert.firecube.xyz pointing to localhost

Note: this is a bit of hack don’t use it in production. Setup proper DNS.

Andrei


Can't Renew my JIRA (Tomcat) cert
#11

Thanks, Andrei! I’ll pore over this as soon as I get the chance.


#12

Hi Andrei. I finally have the chance to look into this. I can’t believe how involved it has to be. (Rhetorically) Why can’t it just be a matter of executing certbot and dumping the files in a folder?? (That is more frustration with the process than an actual question to you.)

One question about https://community.letsencrypt.org/t/tutorial-java-keystores-jks-with-lets-encrypt/34754/7: what should I use for the two domain names? The example has jks-san-cert.firecube.xyz and jks-san-cert_firecube_xyz. My domain is jira.findmyshit.ca. What should I be using for those two domains?

Craig


#13

hi craig

i wanted to show SAN certificates as well as single certificates

You should whatever certbot generates. At the end it will tell you the certificate names.

I renamed mine from the certbot default to the ones I imported

Andrei


#14

I’d say that the trouble that makes this challenging is that there is no client (to my knowledge) that generates JKS directly. Therefore, all existing methods to obtain certificates in a JKS environment have a certificate generation step and a separate certificate conversion/import step.

Maybe somebody could address this problem by developing a Let’s Encrypt client that is more directly integrated with JKS (or pointing out one that already exists).


#15

Seth - I understand. Oh, how I wish someone had already written a Windows client.

Andrei - Okay, I ignored the SAN part of the .jks file generation and I assume that means I’ll leave off the -ext part of the CSR generation.

For anyone following this, I am referring to: Tutorial - Java KeyStores (JKS) With Let's Encrypt. Andrei - let me know if I should ask my questions there instead of here.

My next question: Where in the world did you get certbot for Windows? I assume from the (PowerShell?) screenshots that you are working in Windows? I resorted to cmd.exe, in case that matters.

As you may recall, I did find letsencrypt-win-simple\letsencrypt.exe. Perhaps that will do the trick? I’d just prefer something simpler. letsencrypt.exe seems not to support DNS challenge so unless I get figure out, or get help with, instructing le-win-simple how to challenge JIRA/Tomcat, I’ll have to: stop JIRA, fire up a temporary web server, do the challenge and then do the reverse (and automate that for renewals).

Not to complain but this seems to be incredibly “challenging” (pardon the pun).

Thanks for your continued support.
Craig


#16

hi @schoen

yes there is such a client

https://www.manageengine.com/key-manager/certificate-lifecycle-management.html

The only limitation is HTTP challenges supported currently

I will write up

@csilver - if you search this forum for certbot + windows all will be made known

@csilver - choose a windows client and i will write you a powershell script to run after

Andrei


#17

Thanks, I’ll try to hunt it down this weekend. So far, looks like I need to install a couple versions of Python.


#18

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.