Jira Server Rest API does not work Properly with SSL












0














I have a Jira instance running on a debian server which I want to access from a Cloud Application called HockeyApp. The Problem happens when HockeyApp tries to access the Project List of Jira (fails without error). So I checked the Jira API and found a Method that I expect to be called from the HockeyApp backend.



When I access the API using Chrome at https://jira.company.com/rest/api/latest/project I get the expected results as json. But when I try to call this API from Postman, curl or httpie I do get errors every time.



curl tells me:




curl: (60) SSL certificate problem: unable to get local issuer
certificate More details here: https://curl.haxx.se/docs/sslcerts.html



curl failed to verify the legitimacy of the server and therefore could
not establish a secure connection to it. To learn more about this
situation and how to fix it, please visit the web page mentioned
above.




So I tried downloading a the latest cacert-2018-10-17.pem file and tried it again. Without any luck. If I add the -k option to ignore the ssl verification, I do get the expected results.



postman tells me:
enter image description here



If I do turn off the SSL Verification in the Settings of postman I do get the expected results. But the server does not use a self-signed SSL certificate. The certificate looks like this:
enter image description here



The certificate is working fine on all browsers, other connected applications like Bitbucket and Confluence.



How can I find out what is causing this Issues?










share|improve this question



























    0














    I have a Jira instance running on a debian server which I want to access from a Cloud Application called HockeyApp. The Problem happens when HockeyApp tries to access the Project List of Jira (fails without error). So I checked the Jira API and found a Method that I expect to be called from the HockeyApp backend.



    When I access the API using Chrome at https://jira.company.com/rest/api/latest/project I get the expected results as json. But when I try to call this API from Postman, curl or httpie I do get errors every time.



    curl tells me:




    curl: (60) SSL certificate problem: unable to get local issuer
    certificate More details here: https://curl.haxx.se/docs/sslcerts.html



    curl failed to verify the legitimacy of the server and therefore could
    not establish a secure connection to it. To learn more about this
    situation and how to fix it, please visit the web page mentioned
    above.




    So I tried downloading a the latest cacert-2018-10-17.pem file and tried it again. Without any luck. If I add the -k option to ignore the ssl verification, I do get the expected results.



    postman tells me:
    enter image description here



    If I do turn off the SSL Verification in the Settings of postman I do get the expected results. But the server does not use a self-signed SSL certificate. The certificate looks like this:
    enter image description here



    The certificate is working fine on all browsers, other connected applications like Bitbucket and Confluence.



    How can I find out what is causing this Issues?










    share|improve this question

























      0












      0








      0







      I have a Jira instance running on a debian server which I want to access from a Cloud Application called HockeyApp. The Problem happens when HockeyApp tries to access the Project List of Jira (fails without error). So I checked the Jira API and found a Method that I expect to be called from the HockeyApp backend.



      When I access the API using Chrome at https://jira.company.com/rest/api/latest/project I get the expected results as json. But when I try to call this API from Postman, curl or httpie I do get errors every time.



      curl tells me:




      curl: (60) SSL certificate problem: unable to get local issuer
      certificate More details here: https://curl.haxx.se/docs/sslcerts.html



      curl failed to verify the legitimacy of the server and therefore could
      not establish a secure connection to it. To learn more about this
      situation and how to fix it, please visit the web page mentioned
      above.




      So I tried downloading a the latest cacert-2018-10-17.pem file and tried it again. Without any luck. If I add the -k option to ignore the ssl verification, I do get the expected results.



      postman tells me:
      enter image description here



      If I do turn off the SSL Verification in the Settings of postman I do get the expected results. But the server does not use a self-signed SSL certificate. The certificate looks like this:
      enter image description here



      The certificate is working fine on all browsers, other connected applications like Bitbucket and Confluence.



      How can I find out what is causing this Issues?










      share|improve this question













      I have a Jira instance running on a debian server which I want to access from a Cloud Application called HockeyApp. The Problem happens when HockeyApp tries to access the Project List of Jira (fails without error). So I checked the Jira API and found a Method that I expect to be called from the HockeyApp backend.



      When I access the API using Chrome at https://jira.company.com/rest/api/latest/project I get the expected results as json. But when I try to call this API from Postman, curl or httpie I do get errors every time.



      curl tells me:




      curl: (60) SSL certificate problem: unable to get local issuer
      certificate More details here: https://curl.haxx.se/docs/sslcerts.html



      curl failed to verify the legitimacy of the server and therefore could
      not establish a secure connection to it. To learn more about this
      situation and how to fix it, please visit the web page mentioned
      above.




      So I tried downloading a the latest cacert-2018-10-17.pem file and tried it again. Without any luck. If I add the -k option to ignore the ssl verification, I do get the expected results.



      postman tells me:
      enter image description here



      If I do turn off the SSL Verification in the Settings of postman I do get the expected results. But the server does not use a self-signed SSL certificate. The certificate looks like this:
      enter image description here



      The certificate is working fine on all browsers, other connected applications like Bitbucket and Confluence.



      How can I find out what is causing this Issues?







      debian ssl https openssl jira






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Dec 4 at 13:09









      console

      931210




      931210






















          1 Answer
          1






          active

          oldest

          votes


















          0














          After a lot more digging I finally found out what was causing the Issue.



          I did start looking into the Network Traffic when executing a REST call from cURL using Wireshark to find out that the certificate is indeed bad - just chrome does not mind.



          enter image description here



          so I checked the Certificate using:



          openssl s_client -showcerts -connect jira.company.com:443


          which responds with:



          Start Time: 1544006181
          Timeout : 300 (sec)
          Verify return code: 21 (unable to verify the first certificate)


          So finally I found out that the certificate used on my server does not provide the full certification chain. Which is why some clients deny it.



          I changed the JKS to contain the full chain copying the crt fiules into one company.com.pem file (more detailed description here: https://www.digicert.com/ssl-support/pem-ssl-creation.htm)



          -----BEGIN CERTIFICATE----- 
          (MyCompany.crt)
          -----END CERTIFICATE-----
          -----BEGIN CERTIFICATE-----
          (Intermediate.crt)
          -----END CERTIFICATE-----
          -----BEGIN CERTIFICATE-----
          (Root.crt)
          -----END CERTIFICATE-----


          and created a new JKS for the jira installation using



          openssl pkcs12 -export -in company.com.pem -name tomcat -out jira.p12
          keytool -importkeystore -srckeystore jira.p12 -srcstoretype pkcs12
          -destkeystore jira.jks -deststoretype JKS





          share|improve this answer





















            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "3"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1380696%2fjira-server-rest-api-does-not-work-properly-with-ssl%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            1 Answer
            1






            active

            oldest

            votes








            1 Answer
            1






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            0














            After a lot more digging I finally found out what was causing the Issue.



            I did start looking into the Network Traffic when executing a REST call from cURL using Wireshark to find out that the certificate is indeed bad - just chrome does not mind.



            enter image description here



            so I checked the Certificate using:



            openssl s_client -showcerts -connect jira.company.com:443


            which responds with:



            Start Time: 1544006181
            Timeout : 300 (sec)
            Verify return code: 21 (unable to verify the first certificate)


            So finally I found out that the certificate used on my server does not provide the full certification chain. Which is why some clients deny it.



            I changed the JKS to contain the full chain copying the crt fiules into one company.com.pem file (more detailed description here: https://www.digicert.com/ssl-support/pem-ssl-creation.htm)



            -----BEGIN CERTIFICATE----- 
            (MyCompany.crt)
            -----END CERTIFICATE-----
            -----BEGIN CERTIFICATE-----
            (Intermediate.crt)
            -----END CERTIFICATE-----
            -----BEGIN CERTIFICATE-----
            (Root.crt)
            -----END CERTIFICATE-----


            and created a new JKS for the jira installation using



            openssl pkcs12 -export -in company.com.pem -name tomcat -out jira.p12
            keytool -importkeystore -srckeystore jira.p12 -srcstoretype pkcs12
            -destkeystore jira.jks -deststoretype JKS





            share|improve this answer


























              0














              After a lot more digging I finally found out what was causing the Issue.



              I did start looking into the Network Traffic when executing a REST call from cURL using Wireshark to find out that the certificate is indeed bad - just chrome does not mind.



              enter image description here



              so I checked the Certificate using:



              openssl s_client -showcerts -connect jira.company.com:443


              which responds with:



              Start Time: 1544006181
              Timeout : 300 (sec)
              Verify return code: 21 (unable to verify the first certificate)


              So finally I found out that the certificate used on my server does not provide the full certification chain. Which is why some clients deny it.



              I changed the JKS to contain the full chain copying the crt fiules into one company.com.pem file (more detailed description here: https://www.digicert.com/ssl-support/pem-ssl-creation.htm)



              -----BEGIN CERTIFICATE----- 
              (MyCompany.crt)
              -----END CERTIFICATE-----
              -----BEGIN CERTIFICATE-----
              (Intermediate.crt)
              -----END CERTIFICATE-----
              -----BEGIN CERTIFICATE-----
              (Root.crt)
              -----END CERTIFICATE-----


              and created a new JKS for the jira installation using



              openssl pkcs12 -export -in company.com.pem -name tomcat -out jira.p12
              keytool -importkeystore -srckeystore jira.p12 -srcstoretype pkcs12
              -destkeystore jira.jks -deststoretype JKS





              share|improve this answer
























                0












                0








                0






                After a lot more digging I finally found out what was causing the Issue.



                I did start looking into the Network Traffic when executing a REST call from cURL using Wireshark to find out that the certificate is indeed bad - just chrome does not mind.



                enter image description here



                so I checked the Certificate using:



                openssl s_client -showcerts -connect jira.company.com:443


                which responds with:



                Start Time: 1544006181
                Timeout : 300 (sec)
                Verify return code: 21 (unable to verify the first certificate)


                So finally I found out that the certificate used on my server does not provide the full certification chain. Which is why some clients deny it.



                I changed the JKS to contain the full chain copying the crt fiules into one company.com.pem file (more detailed description here: https://www.digicert.com/ssl-support/pem-ssl-creation.htm)



                -----BEGIN CERTIFICATE----- 
                (MyCompany.crt)
                -----END CERTIFICATE-----
                -----BEGIN CERTIFICATE-----
                (Intermediate.crt)
                -----END CERTIFICATE-----
                -----BEGIN CERTIFICATE-----
                (Root.crt)
                -----END CERTIFICATE-----


                and created a new JKS for the jira installation using



                openssl pkcs12 -export -in company.com.pem -name tomcat -out jira.p12
                keytool -importkeystore -srckeystore jira.p12 -srcstoretype pkcs12
                -destkeystore jira.jks -deststoretype JKS





                share|improve this answer












                After a lot more digging I finally found out what was causing the Issue.



                I did start looking into the Network Traffic when executing a REST call from cURL using Wireshark to find out that the certificate is indeed bad - just chrome does not mind.



                enter image description here



                so I checked the Certificate using:



                openssl s_client -showcerts -connect jira.company.com:443


                which responds with:



                Start Time: 1544006181
                Timeout : 300 (sec)
                Verify return code: 21 (unable to verify the first certificate)


                So finally I found out that the certificate used on my server does not provide the full certification chain. Which is why some clients deny it.



                I changed the JKS to contain the full chain copying the crt fiules into one company.com.pem file (more detailed description here: https://www.digicert.com/ssl-support/pem-ssl-creation.htm)



                -----BEGIN CERTIFICATE----- 
                (MyCompany.crt)
                -----END CERTIFICATE-----
                -----BEGIN CERTIFICATE-----
                (Intermediate.crt)
                -----END CERTIFICATE-----
                -----BEGIN CERTIFICATE-----
                (Root.crt)
                -----END CERTIFICATE-----


                and created a new JKS for the jira installation using



                openssl pkcs12 -export -in company.com.pem -name tomcat -out jira.p12
                keytool -importkeystore -srckeystore jira.p12 -srcstoretype pkcs12
                -destkeystore jira.jks -deststoretype JKS






                share|improve this answer












                share|improve this answer



                share|improve this answer










                answered Dec 5 at 10:55









                console

                931210




                931210






























                    draft saved

                    draft discarded




















































                    Thanks for contributing an answer to Super User!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.





                    Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                    Please pay close attention to the following guidance:


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid



                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.


                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function () {
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1380696%2fjira-server-rest-api-does-not-work-properly-with-ssl%23new-answer', 'question_page');
                    }
                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    Popular posts from this blog

                    Сан-Квентин

                    8-я гвардейская общевойсковая армия

                    Алькесар