Jira is not picking my renewed certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jira.accentedge.com

I ran this command: sudo certbot renew

It produced this output:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/jira.accentedge.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/jira.accentedge.com/privkey.pem
Your cert will expire on 2023-09-18. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
"certbot renew"

My web server is (include version): Apache

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is: AWS Ec2 instance

I can login to a root shell on my machine (yes or no, or I don't know): Yes, I can log in

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi @seemi,

If you got the certificate via a method other than certbot --apache, Certbot will not automatically reload Apache for you. You may have to reload Apache manually for it to check for new certificates.

If so, you can also choose to add a --deploy-hook option to your Certbot configuration to run the command to reload Apache automatically whenever certificates are renewed.


I see that Port 443 is not open

$ nmap -Pn -p80,443 jira.accentedge.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-20 18:39 UTC
Nmap scan report for jira.accentedge.com (18.218.164.94)
Host is up (0.082s latency).
rDNS record for 18.218.164.94: ec2-18-218-164-94.us-east-2.compute.amazonaws.com

PORT    STATE    SERVICE
80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 2.03 seconds

Was that the actual command you ran?


Hi @schoen ,

Thanks for the quick response.
Initially I configured Let's Encrypt SSL on Jira with the help of this article on GitHub: HOWTO Configure Atlassian Jira to use Letsencrypt certificate · GitHub.
It was running fine with SSL, but recently I realized that my cert had expired, so I renewed it using the command "certbot renew". It says that it has successfully renewed the certificate, but when I open the Jira service in my browser it doesn't pick up the renewed certificate.
I tried again by adding --deploy-hook to the command, but it still doesn't work.


Hi @rg305
Yes

I am running Jira on port 8443. However, I have also opened 443 now.

What is cert?
How was it installed?
What version are you using?


I have installed it with the help of this article: HOWTO Configure Atlassian Jira to use Letsencrypt certificate · GitHub
I am using cert version 0.31.0

Recently my certificate expired and I tried to renew it using the certbot renew command

Are you sure you ran:
sudo cert renew

OR was it:
sudo certbot renew

? ? ?


I ran certbot renew

OK, now that makes sense.

This version is very old.
You should follow the recommended installation found at:
Certbot Instructions | Certbot (eff.org)


Should I uninstall the previous configuration? If yes, how can I do that?

Those installation instructions [post #10] may be outdated.
There should be a way to avoid the whole keystore process and have Jira use the .pem files directly.

copied from the instruction page:

I did this on an Ubuntu 16.04 machine. I used the OpenJDK 8 for my Java install, so my $JAVA_HOME is /usr/lib/jvm/java-8-openjdk-amd64/jre

$ sudo su - # Become root (much easier)

# cd $JAVA_HOME

Create a PKCS12 that contains both your full chain and the private key

# openssl pkcs12 -export -out /tmp/jira.example.com_fullchain_and_key.p12 -in /etc/letsencrypt/live/jira.example.com/fullchain.pem -inkey /etc/letsencrypt/live/jira.example.com/privkey.pem -name jira

Convert that PKCS12 to a JKS

# keytool -importkeystore -deststorepass 1234 -destkeypass 1234 -destkeystore jira.jks -srckeystore /tmp/jira.example.com_fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass 1234 -alias jira

If the system gives you a warning about PKCS12, it may tell you to run the following. Go ahead.

# keytool -importkeystore -srckeystore jira.jks -destkeystore jira.jks -deststoretype pkcs12

If not, you may have to script that entire part and pass that as an added --deploy-hook.


Specifically, the --deploy-hook option is meant to be used with commands that need to be run in order to deploy the certificate. It does not automatically figure out what those commands should be; you have to tell it. Like possibly the commands that @rg305 mentions above, perhaps combined into a single shell script, if those commands indeed need to be re-run in order to convert the certificate and key into a JKS format.

If your web server is pointing to a JKS file, that is definitely not automatically updated with the new certificate and new key by Certbot, unless you explicitly tell it commands to run in order to accomplish that (like via --deploy-hook and specifying those exact commands).


Yes, follow the 12-step process to make a PEM file into a keystore [so last century!]
and then...
Don't forget to restart/reload Jira afterwards too!

There must be a better way!!!

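To tie the last few replies together (the PEM-to-PKCS12-to-keystore conversion, running it from --deploy-hook, and restarting Jira afterwards), here is a deploy hook script written as an added example for this thread; it is not the code from the linked GitHub HOWTO, nor from Certbot or Atlassian. It relies on two facts about Certbot: deploy hooks run only after a successful renewal, and Certbot exports RENEWED_LINEAGE (the live/ directory of the renewed certificate) and RENEWED_DOMAINS (the names it covers, space-separated) to them. The keystore path, the password file, the Jira service user and the systemd unit name are assumptions; set them for your own host.

```shell
#!/bin/sh
# Example certbot deploy hook for Jira (added illustration, not code from the
# thread or the linked HOWTO). Install as
# /etc/letsencrypt/renewal-hooks/deploy/jira.sh (mode 0700, owned by root)
# or pass it with --deploy-hook. Certbot sets RENEWED_LINEAGE and
# RENEWED_DOMAINS in the environment when it runs the hook.

JIRA_DOMAIN="${JIRA_DOMAIN:-jira.example.com}"                         # assumed hostname
KEYSTORE="${KEYSTORE:-/opt/atlassian/jira/jira.p12}"                   # assumed keystore path
STORE_PASS_FILE="${STORE_PASS_FILE:-/etc/letsencrypt/jira-keystore.pass}" # assumed root-only file
JIRA_USER="${JIRA_USER:-jira}"                                         # assumed service account
JIRA_SERVICE="${JIRA_SERVICE:-jira}"                                   # assumed systemd unit

# lineage_name: last path component of a lineage directory, i.e. the cert name.
lineage_name() {
    basename "$1"
}

# hook_applies DOMAIN NAME...: true only if DOMAIN is among the renewed names,
# so the hook does nothing when some other certificate on the host renews.
hook_applies() {
    wanted=$1
    shift
    for d in "$@"; do
        [ "$d" = "$wanted" ] && return 0
    done
    return 1
}

# build_keystore LINEAGE OUT: PEM -> PKCS12 -> keystore, written to a temp file
# and moved into place atomically so Jira never sees a half-written store.
# The password comes from $STOREPASS in the environment rather than the command
# line, so it is not visible in ps output or shell history.
build_keystore() {
    lineage=$1
    out=$2
    umask 077                                   # private key material: owner-only files
    p12=$(mktemp /tmp/jira-p12.XXXXXX) || return 1
    openssl pkcs12 -export -name jira \
        -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
        -out "$p12" -passout env:STOREPASS || { rm -f "$p12"; return 1; }
    keytool -importkeystore -noprompt -alias jira \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env STOREPASS \
        -destkeystore "$out.new" -deststoretype PKCS12 -deststorepass:env STOREPASS \
        || { rm -f "$p12" "$out.new"; return 1; }
    rm -f "$p12"
    chown "$JIRA_USER" "$out.new" || { rm -f "$out.new"; return 1; }
    mv "$out.new" "$out"
}

main() {
    [ -n "${RENEWED_LINEAGE:-}" ] || { echo "RENEWED_LINEAGE unset: run this from certbot" >&2; return 1; }
    # RENEWED_DOMAINS is intentionally unquoted so it splits into one argument per name.
    hook_applies "$JIRA_DOMAIN" ${RENEWED_DOMAINS:-} || {
        echo "$(lineage_name "$RENEWED_LINEAGE") renewed, not the Jira cert; nothing to do"
        return 0
    }
    STOREPASS=$(cat "$STORE_PASS_FILE") || return 1
    export STOREPASS
    build_keystore "$RENEWED_LINEAGE" "$KEYSTORE" || return 1
    systemctl restart "$JIRA_SERVICE"           # Tomcat only reads the keystore at startup
}

# Only act when invoked by certbot; sourcing the file elsewhere does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main "$@"
fi
```

Two things to check after installing it: run `certbot renew --dry-run` and confirm the hook's "nothing to do" or restart message appears, and make sure the keystore path and password in the script match what Jira's server.xml connector on port 8443 points at; otherwise Jira keeps serving the old store exactly as described in the first post.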
