This was news to me in a few ways: first, there's a new DNS resource record type called CAA (Certification Authority Authorization), and second, Certificate Authorities are now required to check that record before issuing a certificate, to determine whether they are allowed to do so. Cool! What's a CAA (Certification Authority Authorization) record? When in doubt, consult the RFC: […]
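To make the "CA must check the record before issuing" point concrete, here is the issuance decision a CA has to make, as an added example (it is not from the post and not any CA's code). It follows the rules in RFC 6844 / RFC 8659 and runs offline over a constructed record set: the name's own CAA records apply, otherwise the closest ancestor's do; `issue` records govern normal certificates, `issuewild` records govern wildcards when present; a bare `;` value means no CA may issue; a critical record with a tag the CA does not understand forbids issuance; and a name with no CAA records anywhere up the tree lets any CA issue. The record file format (owner, flags, tag, value, no quotes or trailing dots) and every name in it are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the post): the CAA issuance check a CA performs,
# per RFC 6844 / RFC 8659, run offline over a constructed record set.
# Record file format, one record per line: <owner> <flags> <tag> <value>,
# i.e. the fields of `dig +noall +answer CAA <name>` minus TTL/class/quotes.
ZONE=$(mktemp)
cat > "$ZONE" <<'EOF'
example.com 0 issue letsencrypt.org
example.com 0 issuewild ;
example.com 0 iodef mailto:security@example.com
locked.example.com 0 issue ;
strict.example.com 128 approvedby cto@example.com
EOF

# Print the relevant CAA RRset for a name: its own records, or else those of
# the closest ancestor that has any. Returns 1 when no name in the chain has CAA.
relevant_rrset() {
  name=$1
  while [ -n "$name" ]; do
    rrset=$(awk -v n="$name" '$1 == n' "$ZONE")
    if [ -n "$rrset" ]; then
      printf '%s\n' "$rrset"
      return 0
    fi
    case $name in
      *.*) name=${name#*.} ;;   # strip the leftmost label and climb
      *)   name= ;;
    esac
  done
  return 1
}

# caa_allows <fqdn> <ca-domain> [wild]: exit 0 if the CA may issue, 1 if not.
caa_allows() {
  rrset=$(relevant_rrset "$1") || return 0   # no CAA anywhere: any CA may issue
  # A critical record (flag bit 128) whose tag this CA does not understand
  # forbids issuance outright.
  if printf '%s\n' "$rrset" | awk '$2 >= 128 && $3 !~ /^(issue|issuewild|iodef)$/ { bad = 1 } END { exit !bad }'; then
    return 1
  fi
  # Wildcard requests are governed by issuewild records when any exist,
  # otherwise by the issue records, same as a normal request.
  tag=issue
  if [ "${3:-}" = wild ] && printf '%s\n' "$rrset" | awk '$3 == "issuewild" { f = 1 } END { exit !f }'; then
    tag=issuewild
  fi
  printf '%s\n' "$rrset" | awk -v tag="$tag" -v ca="$2" '
    $3 == tag {
      seen = 1
      sub(/;.*/, "", $4)                 # drop "; parameters"; a bare ";" names no CA at all
      if (tolower($4) == tolower(ca)) ok = 1
    }
    END { exit !(ok || !seen) }'         # no records of this tag in the set: permitted
}

# Demo run over the constructed zone: one line per check.
for q in "example.com letsencrypt.org" "example.com digicert.com" \
         "www.example.com letsencrypt.org" "locked.example.com letsencrypt.org" \
         "example.com letsencrypt.org wild" "nocaa.test letsencrypt.org" \
         "strict.example.com letsencrypt.org"; do
  set -- $q
  if caa_allows "$@"; then echo "allow  $*"; else echo "deny   $*"; fi
done
```

Against a live zone you would feed `dig +noall +answer CAA <name>` output through the same walk; the thing to notice is that `www.example.com` is allowed purely by inheritance from `example.com`, and that the `issuewild ;` record blocks a wildcard even though the plain `issue` record permits the same CA.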
I recently had to move a JIRA and Confluence environment to a new infrastructure stack. During the move we also changed the TLS certificates and, instead of using one of the paid-for incumbents, we decided to give Let's Encrypt a go.
The migration itself went smoothly. The first hurdle we hit was when we checked the application integration between the two systems. The integration wasn't functioning and no amount of deleting, changing and recreating it would fix it. The admin pages in both JIRA and Confluence reported SSL errors. When I dug into the Tomcat logs for each instance, the following errors appeared:
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Some quick Googling turned up a few items about this, though none specific to JIRA and Confluence.
The root cause is that the JRE bundled with our version of JIRA and Confluence is too old: its cacerts trust store doesn't include the root certificate that Let's Encrypt's chain leads back to, so Java cannot build a trusted path from the server certificate to a known root. Those articles had references and code snippets to help get the Let's Encrypt certificates into the JRE keystore, but they were all very ugly.
It's worth mentioning that Oracle Java JRE 1.8.0_101 DOES include the Let's Encrypt certificates.
Options at this point were:
- Find a way to get the required certificates into the JRE keystore (the CLI method for this is described in the Let's Encrypt community post mentioned above).
- Install a new JRE on the servers and make JIRA and Confluence use it, most likely putting us out of support with Atlassian.
- Find out whether current JIRA and Confluence releases bundle the required JRE version and, if so, upgrade JIRA and Confluence. This would need another round of testing to do the upgrade properly.
Moving to an unsupported configuration was undesirable, and I didn't have time for a proper round of testing to see whether newer JIRA and Confluence releases bundle the required JRE. I looked for this on the Atlassian pages and wasn't able to locate anything.
What I did find was this Atlassian KB article, https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html, which shows how to use a free JIRA and Confluence plugin to get third-party root certificates into the JRE keystore through a simple web GUI. A small CLI step (a cp) is still required after the plugin does its thing, but it makes the fix less likely to go wrong.
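For anyone who prefers the CLI route over the plugin, here is that route as an added example; it is not the post's own procedure and not Atlassian's or Let's Encrypt's code. It fetches the chain the other application presents, splits it into individual certificates, shows the subject and fingerprint of the top CA certificate so you can compare it with the one the CA publishes, and imports it as a trust anchor after backing up cacerts. Assumptions not taken from the post: `JAVA_HOME` points at the JRE the applications actually run under (for an Atlassian bundled JRE that is the `jre` directory under the install directory; the Debian `default-java` fallback path is a guess), the keystore password is Java's default `changeit`, and `openssl` and `keytool` are on the PATH.

```shell
#!/bin/sh
# Added example, not the post's own steps: add the CA certificate that a
# Let's Encrypt chain leads to as a trust anchor in the JRE cacerts keystore.
# Assumptions: JAVA_HOME is the JRE JIRA/Confluence run under (bundled JREs sit
# at <install-dir>/jre) and the store password is Java's default "changeit".
KEYSTORE=${KEYSTORE:-${JAVA_HOME:-/usr/lib/jvm/default-java}/jre/lib/security/cacerts}
STOREPASS=${STOREPASS:-changeit}

# split_chain <bundle.pem> <outdir>: write each certificate of a PEM bundle
# (for example `openssl s_client -showcerts` output) to <outdir>/cert-N.pem in
# chain order, and print how many certificates were found.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }' "$1"
}

# fetch_chain <host> <port> <bundle.pem>: capture the chain a TLS server sends.
fetch_chain() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null > "$3"
}

# cert_subject <cert.pem>: who the certificate is for and its SHA-256
# fingerprint; compare the fingerprint with the CA's published one before
# trusting it, since anything imported here is trusted by every Java client.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# import_trust_anchor <alias> <cert.pem>: back up cacerts, then import unless
# the alias already exists. -trustcacerts lets keytool validate the chain
# against anchors already in the store during import.
import_trust_anchor() {
  cp -p "$KEYSTORE" "$KEYSTORE.bak.$(date +%Y%m%d%H%M%S)" || return 1
  if keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$1" >/dev/null 2>&1; then
    echo "alias '$1' already present in $KEYSTORE"
    return 0
  fi
  keytool -importcert -noprompt -trustcacerts -alias "$1" -file "$2" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Usage: sh jre-trust.sh <host> <port> <alias>
# e.g.   sh jre-trust.sh confluence.example.com 443 letsencrypt-root
if [ $# -eq 3 ]; then
  work=$(mktemp -d)
  fetch_chain "$1" "$2" "$work/chain.pem"
  count=$(split_chain "$work/chain.pem" "$work")
  echo "server sent $count certificate(s); cert-$count.pem is the highest CA it sent"
  cert_subject "$work/cert-$count.pem"
  import_trust_anchor "$3" "$work/cert-$count.pem"
fi
```

Two caveats a practitioner will want. First, servers usually send the leaf and intermediate but not the root, so the "highest CA" captured here is often the intermediate; importing it works, but it stops working when Let's Encrypt rotates intermediates, so the durable fix is to download the root from https://letsencrypt.org/certificates/ and import that instead. Second, cacerts belongs to the JRE, so a JRE upgrade replaces it and silently drops the anchor; keep the backup and re-run the import (or move to a JRE that ships the root, as the post notes 1.8.0_101 does) rather than disabling certificate validation in the application.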
This post contains a catalogue of useful Internet performance testing tools.
- sivel/speedtest-cli: Command line interface for testing internet bandwidth using speedtest.net. A nifty tool for CLI jockeys to test the internet performance of their machine.
Here is a good presentation given at SAGE-AU back in February 2011 about how an Australian ISP dealt with the flood crisis in Queensland.
It provides good insight into how DR and BCP are business issues, NOT technology issues.
The following link describes Simon Hackett’s prediction for the NBN under the Liberal Party. Leaving it here for future reference.
My home internet has been pretty flaky of late and I needed a way to monitor the performance of the connection over long periods, so that I could gather evidence to escalate to my ISP for support and troubleshooting.
Due to the absence of a suitable machine at home to run the tools on, I decided to build an Ubuntu VM with smokeping and Cacti. This would let me build the environment quickly and then move the VM to a temporary laptop running VMware Workstation at home.
The following steps describe the sequence of events and references I used to complete the work.
- Install and update the latest Ubuntu LTS
- Install and configure smokeping
  - `apt-get install smokeping mailutils tcptraceroute mtr-tiny`
- Install and configure tcpping (required to be able to probe the Diablo 3 servers)
- Install and configure Cacti
- Install and configure smokeping to integrate with Cacti
- Install VMware Workstation on the temp laptop
- Import the VM from the Mac
- Configure the VM as a standalone device on the home network
- Configure smokeping targets:
  - home gateway
  - LNS
  - Internode border
  - Battle.net servers
  - some high-visibility public internet hosts
- Configure Cacti to poll the Billion 7800NL (SNMP)
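The smokeping side of the steps above, written out as an added example (it is not the post's own config). It writes the Probes and Targets sections the way the Debian/Ubuntu smokeping package splits its config under /etc/smokeping/config.d/, with one target per item in the list: the gateway with the default FPing probe, the LNS and ISP border, a game server through the TCPPing probe (the reason the list installs tcpping and tcptraceroute: a TCP handshake still gets measured when ICMP echo is dropped), and one well-known public host. Every address is an RFC 5737 / RFC 2606 placeholder, the Battle.net port 1119 and the /usr/bin paths are my assumptions, and the real LNS, border and game-server hosts are not in the post.

```shell
#!/bin/sh
# Added example (not the post's config): smokeping Probes and Targets for the
# hosts the post lists. Hosts are placeholders; port 1119 for Battle.net and the
# fping/tcpping paths are assumptions, not facts from the post.
write_smokeping_config() {   # <config.d directory>
  dir=$1
  cat > "$dir/Probes" <<'EOF'
*** Probes ***

+ FPing
binary = /usr/bin/fping

# tcpping (needs tcptraceroute) times a TCP handshake, so it still works for
# game servers that drop ICMP echo requests.
+ TCPPing
binary = /usr/bin/tcpping
forks = 5
offset = 50%
step = 300
timeout = 15
pings = 5
EOF

  cat > "$dir/Targets" <<'EOF'
*** Targets ***

probe = FPing
menu = Top
title = Home link latency

+ Home
menu = Home
title = Home network

++ Gateway
menu = Gateway
title = Billion 7800NL (home gateway)
host = 192.168.1.1

+ ISP
menu = ISP
title = ISP path

++ LNS
menu = LNS
title = L2TP Network Server (first ISP hop)
host = 192.0.2.1

++ Border
menu = Border
title = ISP border router
host = 198.51.100.1

+ Games
menu = Games
title = Game servers
probe = TCPPing

++ Battlenet
menu = Battle.net
title = Battle.net login (TCP 1119, assumed)
host = bnet.example
port = 1119

+ Internet
menu = Internet
title = Well-known public hosts

++ GoogleDNS
menu = Google DNS
title = Google public DNS
host = 8.8.8.8
EOF
}

# Usage: sh smokeping-targets.sh /etc/smokeping/config.d && smokeping --check
if [ $# -eq 1 ]; then
  write_smokeping_config "$1"
fi
```

The hop-by-hop layout is what makes the evidence useful: a latency spike that shows on the LNS and border graphs but not on the gateway graph sits on the ISP's side of the line, which is exactly the kind of thing an ISP support escalation needs to see.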