How to enable SSL on JIRA software (Centos 7)

In this short tutorial I will go through how to enable SSL on Jira Software on CentOS 7.

Atlassian applications allow the use of SSL across their product range, but Atlassian support does not cover the configuration of third-party software. Although there are many useful articles on the Atlassian website on this subject, it is messy and hard to follow a single article from A to Z, especially for a CentOS 7 environment, which does not install the required recent Apache web server version by default.

There are a few different ways to do this; I will use the Apache web server as a reverse proxy. Apache will serve HTTPS and Jira will stay on plain HTTP behind it.

You need to have Jira installed and working to continue with this tutorial. If you haven't got Jira installed, you can do so by following my other post: How to install Jira on Centos7 with postgresql

Environment

OS: Centos 7.3
Apache web server: 2.4.18 (installed as part of the SCL package)


Install Dependencies

sudo yum -y update
sudo yum -y install centos-release-scl-rh
sudo yum -y install httpd24-httpd
sudo yum -y install httpd24-mod_ssl.x86_64
sudo yum -y install httpd24-mod_proxy_html.x86_64

Prepare SSL certificate

Get your certificate and key files from the certificate authority and copy them into a directory on your machine.
For example:

/etc/ssl/certs/yourdomain_cert.crt

/etc/ssl/private/yourdomain_key.key

Set-up Apache

sudo vim /opt/rh/httpd24/root/etc/httpd/conf.d/jira.conf

<VirtualHost *:443>
    ServerName jira.yourdomain.com
    # The log directory must exist before httpd starts
    ErrorLog /var/www/jira/error.log
    CustomLog /var/www/jira/requests.log combined

    # Reverse proxy only: never act as a forward proxy for clients
    ProxyRequests Off
    # ProxyPreserveHost On
    # ProxyVia Off

    <Proxy *>
        Require all granted
    </Proxy>

    # Jira keeps listening on plain HTTP on port 8080 behind this vhost
    ProxyPass / http://jira.yourdomain.com:8080/
    ProxyPassReverse / http://jira.yourdomain.com:8080/

    SSLEngine On
    # Same paths as in "Prepare SSL certificate" above; the key file should be readable by root only
    SSLCertificateFile /etc/ssl/certs/yourdomain_cert.crt
    SSLCertificateKeyFile /etc/ssl/private/yourdomain_key.key
</VirtualHost>

# Send plain-HTTP visitors to the HTTPS site
<VirtualHost *:80>
    ServerName jira.yourdomain.com
    Redirect permanent / https://jira.yourdomain.com/
</VirtualHost>

sudo systemctl restart httpd24-httpd

If SELinux is set to enforcing, it may stop httpd24 from starting. To get around this you can disable SELinux by updating the file below.

sudo vim /etc/sysconfig/selinux

Change the SELINUX value from enforcing to disabled or permissive. For more details on SELinux refer to: An introduction to SELinux on Centos 7

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Set-up Jira

sudo vim /opt/atlassian/jira/conf/server.xml

Update the HTTP connector to look like this:

<!-- proxyName/proxyPort/scheme/secure tell Tomcat it sits behind an HTTPS
     reverse proxy, so the URLs Jira generates use https://jira.yourdomain.com -->
<Connector port="8080"
           maxThreads="150"
           minSpareThreads="25"
           connectionTimeout="20000"
           enableLookups="false"
           maxHttpHeaderSize="8192"
           protocol="HTTP/1.1"
           useBodyEncodingForURI="true"
           redirectPort="443"
           acceptCount="100"
           disableUploadTimeout="true"
           bindOnInit="false"
           proxyName="jira.yourdomain.com"
           proxyPort="443"
           secure="true"
           scheme="https"/>

sudo systemctl restart jira
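As an added check that is not part of the original post or of any Atlassian or Apache tool, the following Python script cross-checks the jira.conf vhost against the server.xml Connector edited above: the ProxyPass backend port must equal the Connector port, proxyName must equal the vhost ServerName, and proxyPort/scheme/secure must describe the HTTPS front end. The two embedded sample configs are constructed; point it at the real files by reading them into the same two strings.

```python
"""Cross-check the Apache *:443 vhost against Jira's server.xml Connector.
Added example for this tutorial, not Atlassian or Apache tooling; the two
sample configs below are constructed and mirror the files edited above."""
import re
import xml.etree.ElementTree as ET

SAMPLE_VHOST = """<VirtualHost *:443>
    ServerName jira.yourdomain.com
    ProxyPass / http://jira.yourdomain.com:8080/
    SSLEngine On
</VirtualHost>"""

SAMPLE_SERVER_XML = """<Server><Service><Connector port="8080" protocol="HTTP/1.1"
    proxyName="jira.yourdomain.com" proxyPort="443" secure="true" scheme="https"/>
</Service></Server>"""

def parse_vhost(conf):
    """Pick a few directives out of the *:443 VirtualHost (not a full httpd parser)."""
    block = re.search(r'<VirtualHost\s+\*:443\s*>(.*?)</VirtualHost>', conf, re.S | re.I)
    if not block:
        return None
    body = block.group(1)
    def directive(name):
        m = re.search(r'^\s*' + name + r'\s+(.+?)\s*$', body, re.M | re.I)
        return m.group(1) if m else None
    return {k: directive(k) for k in ('ServerName', 'ProxyPass', 'SSLEngine')}

def parse_connector(server_xml):
    """Return the attributes of Jira's HTTP/1.1 Connector, or None."""
    for c in ET.fromstring(server_xml).iter('Connector'):
        if c.get('protocol', '').startswith('HTTP'):
            return dict(c.attrib)
    return None

def check_proxy_setup(apache_conf, server_xml):
    """Return a list of mismatches; an empty list means the two files agree."""
    vh, conn = parse_vhost(apache_conf), parse_connector(server_xml)
    if vh is None or conn is None:
        return ['missing <VirtualHost *:443> block or HTTP/1.1 Connector']
    problems = []
    # ProxyPass value looks like "/ http://host:8080/"; the port must be the Connector's
    m = re.match(r'\S+\s+http://[^/:]+:(\d+)/', vh['ProxyPass'] or '')
    if not m or m.group(1) != conn.get('port'):
        problems.append(f"ProxyPass backend port must equal the Connector port {conn.get('port')}")
    if conn.get('proxyName') != vh['ServerName']:
        problems.append('Connector proxyName must equal the vhost ServerName')
    if (conn.get('proxyPort'), conn.get('scheme'), conn.get('secure')) != ('443', 'https', 'true'):
        problems.append('Connector needs proxyPort="443" scheme="https" secure="true"')
    if (vh['SSLEngine'] or '').lower() != 'on':
        problems.append('SSLEngine On is missing from the *:443 vhost')
    return problems
```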


Add certificate keys to the Jira keystore

If you have followed the steps up to here, your server should be accessible through the https address. However, Jira will complain that it cannot access itself from the backend. This is because the Java runtime that Jira uses does not have your certificate in its keystore, so it does not trust it and drops any attempt to access it.

Follow these steps to add the certificate to the Jira keystore.

cd ~
openssl s_client -connect jira.yourdomain.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
sudo /opt/atlassian/jira/jre/bin/keytool -import -alias jira.yourdomain.com -keystore /opt/atlassian/jira/jre/lib/security/cacerts -file public.crt

Enter 'changeit' (the default password of the Java cacerts keystore) as the keystore password.


  1. Hi Saeed-

    Great write up!

    I had an issue w/ SELinux blocking httpd from making the connection to tomcat. I was able to see the TLS handshake complete successfully, but then got a 503 error and nothing more. Hunting through the apache logs pointed me to the issue.

    Symptom: Permission denied errors in access_log

    [proxy:error] [pid 27821] (13)Permission denied: AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (localhost) failed

    Resolution: Allow the connection by changing the associated Boolean value.

    /usr/sbin/setsebool -P httpd_can_network_connect 1

    Hope this helps someone else out there who got stuck!
