Jira Server Rest API does not work Properly with SSL
I have a Jira instance running on a debian server which I want to access from a Cloud Application called HockeyApp. The Problem happens when HockeyApp tries to access the Project List of Jira (fails without error). So I checked the Jira API and found a Method that I expect to be called from the HockeyApp backend.
When I access the API using Chrome at https://jira.company.com/rest/api/latest/project
I get the expected results as json. But when I try to call this API from Postman, curl or httpie I do get errors every time.
curl tells me:
curl: (60) SSL certificate problem: unable to get local issuer
certificate More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could
not establish a secure connection to it. To learn more about this
situation and how to fix it, please visit the web page mentioned
above.
So I tried downloading a the latest cacert-2018-10-17.pem file and tried it again. Without any luck. If I add the -k
option to ignore the ssl verification, I do get the expected results.
postman tells me:
If I do turn off the SSL Verification in the Settings of postman I do get the expected results. But the server does not use a self-signed SSL certificate. The certificate looks like this:
The certificate is working fine on all browsers, other connected applications like Bitbucket and Confluence.
How can I find out what is causing this Issues?
debian ssl https openssl jira
add a comment |
I have a Jira instance running on a debian server which I want to access from a Cloud Application called HockeyApp. The Problem happens when HockeyApp tries to access the Project List of Jira (fails without error). So I checked the Jira API and found a Method that I expect to be called from the HockeyApp backend.
When I access the API using Chrome at https://jira.company.com/rest/api/latest/project
I get the expected results as json. But when I try to call this API from Postman, curl or httpie I do get errors every time.
curl tells me:
curl: (60) SSL certificate problem: unable to get local issuer
certificate More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could
not establish a secure connection to it. To learn more about this
situation and how to fix it, please visit the web page mentioned
above.
So I tried downloading a the latest cacert-2018-10-17.pem file and tried it again. Without any luck. If I add the -k
option to ignore the ssl verification, I do get the expected results.
postman tells me:
If I do turn off the SSL Verification in the Settings of postman I do get the expected results. But the server does not use a self-signed SSL certificate. The certificate looks like this:
The certificate is working fine on all browsers, other connected applications like Bitbucket and Confluence.
How can I find out what is causing this Issues?
debian ssl https openssl jira
add a comment |
I have a Jira instance running on a debian server which I want to access from a Cloud Application called HockeyApp. The Problem happens when HockeyApp tries to access the Project List of Jira (fails without error). So I checked the Jira API and found a Method that I expect to be called from the HockeyApp backend.
When I access the API using Chrome at https://jira.company.com/rest/api/latest/project
I get the expected results as json. But when I try to call this API from Postman, curl or httpie I do get errors every time.
curl tells me:
curl: (60) SSL certificate problem: unable to get local issuer
certificate More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could
not establish a secure connection to it. To learn more about this
situation and how to fix it, please visit the web page mentioned
above.
So I tried downloading a the latest cacert-2018-10-17.pem file and tried it again. Without any luck. If I add the -k
option to ignore the ssl verification, I do get the expected results.
postman tells me:
If I do turn off the SSL Verification in the Settings of postman I do get the expected results. But the server does not use a self-signed SSL certificate. The certificate looks like this:
The certificate is working fine on all browsers, other connected applications like Bitbucket and Confluence.
How can I find out what is causing this Issues?
debian ssl https openssl jira
I have a Jira instance running on a debian server which I want to access from a Cloud Application called HockeyApp. The Problem happens when HockeyApp tries to access the Project List of Jira (fails without error). So I checked the Jira API and found a Method that I expect to be called from the HockeyApp backend.
When I access the API using Chrome at https://jira.company.com/rest/api/latest/project
I get the expected results as json. But when I try to call this API from Postman, curl or httpie I do get errors every time.
curl tells me:
curl: (60) SSL certificate problem: unable to get local issuer
certificate More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could
not establish a secure connection to it. To learn more about this
situation and how to fix it, please visit the web page mentioned
above.
So I tried downloading a the latest cacert-2018-10-17.pem file and tried it again. Without any luck. If I add the -k
option to ignore the ssl verification, I do get the expected results.
postman tells me:
If I do turn off the SSL Verification in the Settings of postman I do get the expected results. But the server does not use a self-signed SSL certificate. The certificate looks like this:
The certificate is working fine on all browsers, other connected applications like Bitbucket and Confluence.
How can I find out what is causing this Issues?
debian ssl https openssl jira
debian ssl https openssl jira
asked Dec 4 at 13:09
console
931210
931210
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
After a lot more digging I finally found out what was causing the Issue.
I did start looking into the Network Traffic when executing a REST call from cURL using Wireshark to find out that the certificate is indeed bad - just chrome does not mind.
so I checked the Certificate using:
openssl s_client -showcerts -connect jira.company.com:443
which responds with:
Start Time: 1544006181
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
So finally I found out that the certificate used on my server does not provide the full certification chain. Which is why some clients deny it.
I changed the JKS to contain the full chain copying the crt fiules into one company.com.pem file (more detailed description here: https://www.digicert.com/ssl-support/pem-ssl-creation.htm)
-----BEGIN CERTIFICATE-----
(MyCompany.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root.crt)
-----END CERTIFICATE-----
and created a new JKS for the jira installation using
openssl pkcs12 -export -in company.com.pem -name tomcat -out jira.p12
keytool -importkeystore -srckeystore jira.p12 -srcstoretype pkcs12
-destkeystore jira.jks -deststoretype JKS
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1380696%2fjira-server-rest-api-does-not-work-properly-with-ssl%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
After a lot more digging I finally found out what was causing the Issue.
I did start looking into the Network Traffic when executing a REST call from cURL using Wireshark to find out that the certificate is indeed bad - just chrome does not mind.
so I checked the Certificate using:
openssl s_client -showcerts -connect jira.company.com:443
which responds with:
Start Time: 1544006181
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
So finally I found out that the certificate used on my server does not provide the full certification chain. Which is why some clients deny it.
I changed the JKS to contain the full chain copying the crt fiules into one company.com.pem file (more detailed description here: https://www.digicert.com/ssl-support/pem-ssl-creation.htm)
-----BEGIN CERTIFICATE-----
(MyCompany.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root.crt)
-----END CERTIFICATE-----
and created a new JKS for the jira installation using
openssl pkcs12 -export -in company.com.pem -name tomcat -out jira.p12
keytool -importkeystore -srckeystore jira.p12 -srcstoretype pkcs12
-destkeystore jira.jks -deststoretype JKS
add a comment |
After a lot more digging I finally found out what was causing the Issue.
I did start looking into the Network Traffic when executing a REST call from cURL using Wireshark to find out that the certificate is indeed bad - just chrome does not mind.
so I checked the Certificate using:
openssl s_client -showcerts -connect jira.company.com:443
which responds with:
Start Time: 1544006181
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
So finally I found out that the certificate used on my server does not provide the full certification chain. Which is why some clients deny it.
I changed the JKS to contain the full chain copying the crt fiules into one company.com.pem file (more detailed description here: https://www.digicert.com/ssl-support/pem-ssl-creation.htm)
-----BEGIN CERTIFICATE-----
(MyCompany.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root.crt)
-----END CERTIFICATE-----
and created a new JKS for the jira installation using
openssl pkcs12 -export -in company.com.pem -name tomcat -out jira.p12
keytool -importkeystore -srckeystore jira.p12 -srcstoretype pkcs12
-destkeystore jira.jks -deststoretype JKS
add a comment |
After a lot more digging I finally found out what was causing the Issue.
I did start looking into the Network Traffic when executing a REST call from cURL using Wireshark to find out that the certificate is indeed bad - just chrome does not mind.
so I checked the Certificate using:
openssl s_client -showcerts -connect jira.company.com:443
which responds with:
Start Time: 1544006181
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
So finally I found out that the certificate used on my server does not provide the full certification chain. Which is why some clients deny it.
I changed the JKS to contain the full chain copying the crt fiules into one company.com.pem file (more detailed description here: https://www.digicert.com/ssl-support/pem-ssl-creation.htm)
-----BEGIN CERTIFICATE-----
(MyCompany.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root.crt)
-----END CERTIFICATE-----
and created a new JKS for the jira installation using
openssl pkcs12 -export -in company.com.pem -name tomcat -out jira.p12
keytool -importkeystore -srckeystore jira.p12 -srcstoretype pkcs12
-destkeystore jira.jks -deststoretype JKS
After a lot more digging I finally found out what was causing the Issue.
I did start looking into the Network Traffic when executing a REST call from cURL using Wireshark to find out that the certificate is indeed bad - just chrome does not mind.
so I checked the Certificate using:
openssl s_client -showcerts -connect jira.company.com:443
which responds with:
Start Time: 1544006181
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
So finally I found out that the certificate used on my server does not provide the full certification chain. Which is why some clients deny it.
I changed the JKS to contain the full chain copying the crt fiules into one company.com.pem file (more detailed description here: https://www.digicert.com/ssl-support/pem-ssl-creation.htm)
-----BEGIN CERTIFICATE-----
(MyCompany.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root.crt)
-----END CERTIFICATE-----
and created a new JKS for the jira installation using
openssl pkcs12 -export -in company.com.pem -name tomcat -out jira.p12
keytool -importkeystore -srckeystore jira.p12 -srcstoretype pkcs12
-destkeystore jira.jks -deststoretype JKS
answered Dec 5 at 10:55
console
931210
931210
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1380696%2fjira-server-rest-api-does-not-work-properly-with-ssl%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown