Migrating Jira projects to Cloud with JCMA fails with SSLPeerUnverifiedException
Platform Notice: Data Center and Cloud By Request - This article was written for the Atlassian data center platform but may also be useful for Atlassian Cloud customers. If completing instructions in this article would help you, please contact Atlassian Support and mention it.
Summary
Sometimes a JCMA migration gets stuck at 0% completion during the App migration phase.
The application logs will contain an error similar to the one below.
2024-06-18 11:26:30,983-0400 pool-107-thread-1 ERROR [c.a.m.a.upload.consumers.MultipartUploadConsumer] upload for transferId=(...redacted...), s3key=(...redacted...) failed
com.atlassian.jira.migration.httpclient.exceptions.HttpCommunicationException: An error occurred when requesting against resource https://(...redacted...).s3.amazonaws.com/(...redacted...): Certificate for <(...redacted...).s3.amazonaws.com> doesn't match any of the subject alternative names: [*.s3.amazonaws.com, s3.amazonaws.com]
at com.atlassian.jira.migration.httpclient.exceptions.ExceptionsKt.communicationError(Exceptions.kt:13)
at com.atlassian.jira.migration.httpclient.AbstractPluginHttpClient.getResponse(AbstractPluginHttpClient.kt:166)
at com.atlassian.jira.migration.amsclient.DefaultAppMigrationServiceClient.getS3UploadHeaders(DefaultAppMigrationServiceClient.kt:564)
at com.atlassian.jira.migration.amsclient.DefaultAppMigrationServiceClient.uploadToS3(DefaultAppMigrationServiceClient.kt:384)
at com.atlassian.migration.app.upload.consumers.MultipartUploadConsumer.perform(MultipartUploadConsumer.kt:33)
at com.atlassian.migration.app.upload.consumers.MultipartUploadConsumer.run(MultipartUploadConsumer.kt:69)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <(...redacted...).s3.amazonaws.com> doesn't match any of the subject alternative names: [*.s3.amazonaws.com, s3.amazonaws.com]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.ServiceUnavailableRetryExec.execute(ServiceUnavailableRetryExec.java:85)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at com.atlassian.jira.migration.httpclient.AbstractPluginHttpClient.getResponse(AbstractPluginHttpClient.kt:162)
... 9 more
This doesn't affect every migration and is triggered by a still unknown problem with the Apache HTTP Client.
Environment
- Jira Server or Data Center (JSW or JSM) – no specific version.
- Jira Cloud Migration Assistant (JCMA) – no specific version.
Diagnosis
- JCMA project migration is stuck on the App (plugin) migration phase.
- In the application log (atlassian-jira.log) there's an entry similar to the one below.
2024-06-18 11:26:30,983-0400 pool-107-thread-1 ERROR [c.a.m.a.upload.consumers.MultipartUploadConsumer] upload for transferId=(...redacted...), s3key=(...redacted...) failed
com.atlassian.jira.migration.httpclient.exceptions.HttpCommunicationException: An error occurred when requesting against resource https://(...redacted...).s3.amazonaws.com/(...redacted...): Certificate for <(...redacted...).s3.amazonaws.com> doesn't match any of the subject alternative names: [*.s3.amazonaws.com, s3.amazonaws.com]
at com.atlassian.jira.migration.httpclient.exceptions.ExceptionsKt.communicationError(Exceptions.kt:13)
at com.atlassian.jira.migration.httpclient.AbstractPluginHttpClient.getResponse(AbstractPluginHttpClient.kt:166)
at com.atlassian.jira.migration.amsclient.DefaultAppMigrationServiceClient.getS3UploadHeaders(DefaultAppMigrationServiceClient.kt:564)
at com.atlassian.jira.migration.amsclient.DefaultAppMigrationServiceClient.uploadToS3(DefaultAppMigrationServiceClient.kt:384)
at com.atlassian.migration.app.upload.consumers.MultipartUploadConsumer.perform(MultipartUploadConsumer.kt:33)
at com.atlassian.migration.app.upload.consumers.MultipartUploadConsumer.run(MultipartUploadConsumer.kt:69)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <(...redacted...).s3.amazonaws.com> doesn't match any of the subject alternative names: [*.s3.amazonaws.com, s3.amazonaws.com]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.ServiceUnavailableRetryExec.execute(ServiceUnavailableRetryExec.java:85)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at com.atlassian.jira.migration.httpclient.AbstractPluginHttpClient.getResponse(AbstractPluginHttpClient.kt:162)
... 9 more
- In the <jira-install-dir>/atlassian-jira/WEB-INF/lib directory, the Apache HTTP Client is on a version higher than 4.5.10.
<jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-cache-4.5.14.jar
<jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-4.5.14.jar
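The log and library checks above can be scripted per node. This is an added example, not Atlassian tooling; the function names and script name are hypothetical, and it assumes the jar naming shown in the listing above.

```sh
#!/bin/sh
# Added example: checks the Diagnosis conditions on one Jira node.
BASELINE="4.5.10"   # httpclient version the article uses as the unaffected baseline

# True when dotted version $1 is strictly higher than $2.
version_gt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)" = "$1" ]
}

# Print each httpclient-<version>.jar version in lib dir $1 that is above BASELINE.
# Assumption: jars follow the httpclient-<version>.jar naming shown in the article.
newer_httpclient_versions() {
  for jar in "$1"/httpclient-[0-9]*.jar; do
    [ -e "$jar" ] || continue
    ver=${jar##*/httpclient-}
    ver=${ver%.jar}
    if version_gt "$ver" "$BASELINE"; then echo "$ver"; fi
  done
}

# Count "Caused by" lines where hostname verification failed for an S3 host.
count_s3_hostname_errors() {
  grep -c 'SSLPeerUnverifiedException: Certificate for <.*s3\.amazonaws\.com>' "$1" || true
}

# Exit status 0 only when the log signature and a newer httpclient are both present.
matches_article() {
  log_file=$1
  lib_dir=$2
  hits=$(count_s3_hostname_errors "$log_file")
  newer=$(newer_httpclient_versions "$lib_dir")
  echo "S3 hostname-verification errors: $hits; httpclient above $BASELINE: ${newer:-none}"
  [ "$hits" -gt 0 ] && [ -n "$newer" ]
}

# Usage: sh check.sh <path to atlassian-jira.log> <jira-install-dir>/atlassian-jira/WEB-INF/lib
if [ "$#" -eq 2 ]; then
  matches_article "$1" "$2"
fi
```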
Cause
Apache HTTP Client versions higher than 4.5.10 started to throw SSLPeerUnverifiedException errors in specific cases when trying to establish a connection to AWS S3 buckets, which JCMA uses to temporarily upload Cloud migration data.
The edge case that triggers the error is still unknown.
Workaround
As a workaround to complete the Cloud migration, Jira administrators are advised to temporarily use version 4.5.10 of the library.
On a clustered Data Center instance, apply the steps on each node of the cluster.
Once the Cloud migration is complete, we recommend rolling back the changes.
- Take a backup of the following files.
<jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-cache-<library-version>.jar
<jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-<library-version>.jar
<jira-install-dir>/atlassian-jira/WEB-INF/atlassian-bundled-plugins/httpclient-osgi-<library-version>.jar
- Upload the following files to a temporary location within the Jira server.
- Stop Jira following your standard procedure.
- Delete the files from their original location.
<jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-cache-<library-version>.jar
<jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-<library-version>.jar
<jira-install-dir>/atlassian-jira/WEB-INF/atlassian-bundled-plugins/httpclient-osgi-<library-version>.jar
- Move the 4.5.10 files to the following locations.
<jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-cache-4.5.10.jar
<jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-4.5.10.jar
<jira-install-dir>/atlassian-jira/WEB-INF/atlassian-bundled-plugins/httpclient-osgi-4.5.10.jar
- Start Jira following your standard procedure.
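The backup, delete and move steps above can be scripted so that nothing is changed unless all three 4.5.10 jars are staged, and so that the rollback is a single call. This is an added example, not Atlassian tooling; the function names, script name, staging directory and backup directory are hypothetical. It assumes Jira is already stopped and the 4.5.10 jars are already in the staging directory.

```sh
#!/bin/sh
# Added example: the jar swap from the Workaround steps, with a rollback.
# Run only while Jira is stopped, and on every node of a cluster.
TARGET="4.5.10"

# "<directory under atlassian-jira>:<jar name prefix>" for the three jars listed above.
jar_slots() {
  echo "WEB-INF/lib:httpclient-cache"
  echo "WEB-INF/lib:httpclient"
  echo "WEB-INF/atlassian-bundled-plugins:httpclient-osgi"
}

# swap_httpclient <jira-install-dir> <staging-dir> <backup-dir>
swap_httpclient() {
  app=$1/atlassian-jira; staging=$2; backup=$3
  # Change nothing unless all three 4.5.10 jars are staged.
  for slot in $(jar_slots); do
    [ -f "$staging/${slot#*:}-$TARGET.jar" ] ||
      { echo "missing ${slot#*:}-$TARGET.jar in $staging" >&2; return 1; }
  done
  for slot in $(jar_slots); do
    rel=${slot%:*}; prefix=${slot#*:}
    mkdir -p "$backup/$rel" || return 1
    for old in "$app/$rel/$prefix"-[0-9]*.jar; do
      [ -e "$old" ] || continue
      cp -p "$old" "$backup/$rel/" || return 1   # back up before deleting
      rm -f "$old"
    done
    mv "$staging/$prefix-$TARGET.jar" "$app/$rel/" || return 1
  done
}

# rollback_httpclient <jira-install-dir> <backup-dir>: put the backed-up jars back.
rollback_httpclient() {
  app=$1/atlassian-jira; backup=$2
  for slot in $(jar_slots); do
    rel=${slot%:*}; prefix=${slot#*:}
    ls "$backup/$rel/$prefix"-[0-9]*.jar >/dev/null 2>&1 ||
      { echo "no backup of $prefix in $backup/$rel" >&2; return 1; }
    rm -f "$app/$rel/$prefix-$TARGET.jar"
    cp -p "$backup/$rel/$prefix"-[0-9]*.jar "$app/$rel/" || return 1
  done
}

# Usage: sh swap.sh swap <jira-install-dir> <staging-dir> <backup-dir>
#        sh swap.sh rollback <jira-install-dir> <backup-dir>
case "${1:-}" in
  swap) swap_httpclient "$2" "$3" "$4" ;;
  rollback) rollback_httpclient "$2" "$3" ;;
esac
```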