JIRA, Confluence and Let's Encrypt

2017/02/17

I recently had to move a JIRA and Confluence environment to a new infrastructure stack. During the move, we also changed the TLS certificates and, instead of using one of the paid-for incumbents, we decided to give Let's Encrypt a go.

Everything with the migration went smoothly. The first hurdle we hit was when we were checking the Application Integration between the two systems. The integration wasn't functioning and no amount of delete, change, recreate would fix it. The admin pages in JIRA and Confluence were both reporting SSL errors. When I dug into the actual Tomcat logs for each instance, the following errors were appearing:

Confluence:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

JIRA:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Some quick googlephoo found a few items on the internet about this, not specific to JIRA and Confluence though.

https://community.letsencrypt.org/t/will-the-cross-root-cover-trust-by-the-default-list-in-the-jdk-jre/134/3

http://stackoverflow.com/questions/34110426/does-java-support-lets-encrypt-certificates

The root cause of the problem is that the JRE that's included with our version of JIRA and Confluence is too old and doesn’t include the Let's Encrypt root keychain in its included keystore. The above articles had references and code snippets to help get the Let's Encrypt certificates into the JRE keystore, but they were all very ugly.

It's worth mentioning that Oracle JAVA JRE 1.8.0_101 DOES include the Let's Encrypt certificates.

Options at this point were:

  • Find a way to get the required certificates into the JRE keystore (the CLI method to do this is described in the Let's Encrypt community post above).
  • Install a new JRE on the servers and make JIRA and Confluence work with that. Most likely putting us out of support with Atlassian.
  • Find out if current JIRA and Confluence include the required JRE version and then upgrade JIRA and Confluence. This would need another round of testing to properly do the upgrade.

Moving to an unsupported configuration was undesirable and I didn't have the time to properly dive into a new round of testing to see if newer JIRA and Confluence had the required JRE version. I did look for some detail on the Atlassian pages to determine the answer to this and wasn’t able to locate anything.

What I did find on an Atlassian page was this article https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html which shows how to use a free JIRA and Confluence plugin to get third party root certificates into the JRE keystore using a simple web page GUI. Some small CLI steps (a cp) are still required after the plug-in does its thing but it does make the fix less likely to fail.

Recommended.
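
For the first option above (getting the root into the JRE keystore by hand), here is an added example, not taken from this post or from Atlassian, of a check-then-import script built on the JRE's own keytool. It assumes the stock truststore password `changeit`; the CA name `DST Root CA X3`, the alias and the paths in the usage comment are placeholders to replace with the root your own chain ends in.

```shell
#!/bin/sh
# Added example (not from the original post). Paths, alias and CA name are
# placeholders; "changeit" is the stock cacerts password and may differ.
# Verify the PEM's fingerprint against the CA's published value before importing.

# truststore_has_ca KEYTOOL CACERTS NAME [STOREPASS]
# Returns 0 when a trusted entry's Owner (subject) line contains NAME.
truststore_has_ca() {
    "$1" -list -v -keystore "$2" -storepass "${4:-changeit}" 2>/dev/null |
        grep -i '^Owner:' | grep -qiF -- "$3"
}

# ensure_ca_trusted KEYTOOL CACERTS NAME PEM_FILE ALIAS [STOREPASS]
# Imports PEM_FILE only when NAME is missing, after a timestamped backup.
ensure_ca_trusted() {
    kt=$1 ks=$2 ca_name=$3 pem=$4 ca_alias=$5 pass=${6:-changeit}
    if truststore_has_ca "$kt" "$ks" "$ca_name" "$pass"; then
        echo "present: $ca_name"
        return 0
    fi
    cp -p "$ks" "$ks.bak.$(date +%Y%m%d%H%M%S)" || return 1
    "$kt" -importcert -noprompt -trustcacerts -alias "$ca_alias" \
        -file "$pem" -keystore "$ks" -storepass "$pass" || return 1
    # Re-read the store so success is confirmed, not assumed.
    truststore_has_ca "$kt" "$ks" "$ca_name" "$pass" && echo "imported: $ca_name"
}

# Run only when called with arguments, e.g. (hypothetical paths):
#   sh ensure_ca.sh /opt/app/jre/bin/keytool /opt/app/jre/lib/security/cacerts \
#      "DST Root CA X3" ./root.pem example-root
if [ "$#" -ge 5 ]; then
    ensure_ca_trusted "$@"
fi
```

Point it at the keytool and cacerts of the JRE the application actually starts with, once per instance, and restart the application afterwards so the JVM reloads its truststore.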


IPv6 Best Current Practices | APNIC

2017/01/31

APNIC has a list of documents and information regarding Best Practices for IPv6 deployments in various types of environments.

FYI, I dislike the term ‘Best Practice’ because in IT, solutions are almost never “one size fits all”. I’ll generally refer to Recommended Practices.


Plain Text Productivity Redux · Scott’s Weblog

2017/01/31

I've been a follower of Scott Lowe for a fair few years now and always find his contributions useful, in particular his insights into personal task management. His latest update is useful and mirrors some recent attempts of my own at using a text-based task management approach. I failed at my last attempt.

 


TechNet Diskspd Utility: A Robust Storage Testing Tool (superseding SQLIO)

2017/01/31

A feature-rich and versatile storage testing tool, Diskspd (version 2.0.17) combines robust and granular IO workload definition with flexible runtime and output options, creating an ideal tool for synthetic storage subsystem testing and validation.

Source: TechNet Diskspd Utility: A Robust Storage Testing Tool (superseding SQLIO)


EtreCheck – A simple Mac OS health check tool

2017/01/31

I had to help a friend the other week to resolve some page hijacking that was occurring on their Mac. See https://discussions.apple.com/docs/DOC-8071. I was surprised to learn that such a thing actually happens with Macs and Safari.

I needed a quick way to run a health check of the Mac OS and found EtreCheck. Recommended.

Source: EtreCheck: About EtreCheck


Lessons in presales – unsane.info

2017/01/10

Working for system integrators for 15+ years in a variety of implementation, management and other roles, I’d never formally worn the title of presales engineering, or systems engineering, yet…

Source: Lessons in presales – unsane.info


Evernote account deletion?

2016/12/19

I severed the tether to Evernote a long time ago for a few different reasons including security, privacy and the plain fact that the client was just getting too monolithic and slow.

I finally got around to contacting them last week to delete my account. Their support team sent me to https://help.evernote.com/hc/en-us/articles/208314088 which has everything you need to do.

The last two steps are a problem though. The second last step is to deactivate your account. The last step is to contact them and ask them to delete the account.

The problem is that the last step requires you to log in with the account credentials you deactivated in the previous step.

🤔