1

I have a Jira instance running on a Debian server which I want to access from a cloud application called HockeyApp. The problem happens when HockeyApp tries to access the project list of Jira (it fails without an error). So I checked the Jira API and found a method that I expect to be called from the HockeyApp backend.

When I access the API using Chrome at https://jira.company.com/rest/api/latest/project I get the expected results as JSON. But when I try to call this API from Postman, curl or httpie I get errors every time.

curl tells me:

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

So I tried downloading the latest cacert-2018-10-17.pem file and tried again, without any luck. If I add the -k option to ignore the SSL verification, I do get the expected results.

Postman tells me: [image]

If I turn off the SSL verification in the settings of Postman I do get the expected results. But the server does not use a self-signed SSL certificate. The certificate looks like this: [image]

The certificate is working fine in all browsers and in other connected applications like Bitbucket and Confluence.

How can I find out what is causing these issues?

1 Answer

0

After a lot more digging I finally found out what was causing the issue.

I started looking into the network traffic with Wireshark while executing a REST call from cURL, and found out that the certificate is indeed bad - Chrome just does not mind.


So I checked the certificate using:

openssl s_client -showcerts -connect jira.company.com:443

which responds with:

Start Time: 1544006181
Timeout   : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)

So finally I found out that the certificate used on my server does not provide the full certification chain, which is why some clients deny it.

I changed the JKS to contain the full chain by copying the crt files into one company.com.pem file (more detailed description here: https://www.digicert.com/ssl-support/pem-ssl-creation.htm):

-----BEGIN CERTIFICATE----- 
(MyCompany.crt) 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
(Intermediate.crt) 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
(Root.crt) 
-----END CERTIFICATE-----

and created a new JKS for the Jira installation using

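# pkcs12 -export also needs the private key: it is read from company.com.pem unless -inkey is given
openssl pkcs12 -export -in company.com.pem -name tomcat -out jira.p12
keytool -importkeystore -srckeystore jira.p12 -srcstoretype pkcs12 \
        -destkeystore jira.jks -deststoretype JKS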
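
Added example, not part of the original answer: a shell check that a PEM bundle laid out as above (leaf certificate first) carries a complete chain, shown on a throwaway three-level PKI constructed inline. The function names `make_cert`, `chain_ok` and `demo` are hypothetical, and it assumes `openssl` 1.1.0 or later is on the PATH.

```sh
#!/bin/sh
# Added example: every certificate here is a throwaway one constructed below.

# make_cert DIR NAME SIGNER IS_CA: key + certificate for "Demo NAME", signed by
# SIGNER's key in DIR ("self" = self-signed root); IS_CA is TRUE or FALSE.
make_cert() (
  d=$1; n=$2
  printf 'basicConstraints=critical,CA:%s\n' "$4" > "$d/$n.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || exit 1
  if [ "$3" = self ]; then set -- -signkey "$d/$n.key"
  else set -- -CA "$d/$3.crt" -CAkey "$d/$3.key" -CAcreateserial; fi
  openssl x509 -req -in "$d/$n.csr" "$@" -days 2 \
    -extfile "$d/$n.ext" -out "$d/$n.crt" 2>/dev/null
)

# chain_ok ROOT BUNDLE: succeed only if the first certificate in BUNDLE (the
# leaf) chains to a trust anchor in ROOT via the other certificates in BUNDLE.
chain_ok() (
  root=$1; t=$(mktemp -d) || exit 1
  # Split the bundle: first PEM block is the leaf, the rest are chain certs.
  awk -v d="$t" '/-BEGIN CERTIFICATE-/ { n++ }
    n == 1 { print > (d "/leaf.pem") }
    n > 1  { print > (d "/rest.pem") }' "$2"
  set --
  if [ -s "$t/rest.pem" ]; then set -- -untrusted "$t/rest.pem"; fi
  openssl verify -CAfile "$root" "$@" "$t/leaf.pem" >/dev/null 2>&1 && rc=0 || rc=1
  rm -rf "$t"
  exit "$rc"
)

# demo: leaf-only bundle (the broken setup) vs. leaf + intermediate + root.
demo() (
  d=$(mktemp -d) || exit 1
  make_cert "$d" root self TRUE && make_cert "$d" inter root TRUE &&
    make_cert "$d" leaf inter FALSE || exit 1
  cat "$d/leaf.crt" "$d/inter.crt" "$d/root.crt" > "$d/full.pem"
  for b in leaf.crt full.pem; do
    if chain_ok "$d/root.crt" "$d/$b"; then echo "$b: complete"
    else echo "$b: incomplete"; fi
  done
  rm -rf "$d"
)

demo
```

With the real files, `chain_ok Root.crt company.com.pem` can be run before the keystore is built.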
