Cannot integrate Hipchat Server with Confluence or Jira with SSLHandshakeException
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
A "We couldn't reach your server" error occurs while trying to connect a self-hosted Hipchat server with Confluence or Jira.
javax.net.ssl.SSLHandshakeException is thrown and one of the following exception traces is logged to either atlassian-confluence.log or atlassian-jira.log:
2015-04-28 16:25:43,092 WARN [http-bio-9573-exec-16] [plugins.hipchat.rest.HipChatLinkResource] pingHipChat com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
-- referer: http://localhost:9573/confluence/plugins/servlet/hipchat/configure | url: /confluence/rest/hipchat/integration/latest/installation/ping | userName: admin
java.util.concurrent.ExecutionException: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
...
Caused by: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
...
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:240)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:147)
...
Caused by: java.security.cert.CertificateException: No subject alternative names present
2015-04-28 22:31:15,053 WARN [http-bio-9573-exec-15] [plugins.hipchat.rest.HipChatLinkResource] pingHipChat com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching hipchat.example.com found
-- referer: http://localhost:9573/confluence/plugins/servlet/hipchat/configure | url: /confluence/rest/hipchat/integration/latest/installation/ping | userName: admin
java.util.concurrent.ExecutionException: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching hipchat.example.com found
...
Caused by: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching hipchat.example.com found
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:149)
...
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching hipchat.example.com found
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:240)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:147)
... 9 more
Caused by: java.security.cert.CertificateException: No name matching hipchat.example.com found
2015-04-28 23:01:54,798 WARN [http-bio-9573-exec-9] [plugins.hipchat.rest.HipChatLinkResource] pingHipChat com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
-- referer: http://localhost:9573/confluence/plugins/servlet/hipchat/configure | url: /confluence/rest/hipchat/integration/latest/installation/ping | userName: admin
java.util.concurrent.ExecutionException: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:149)
at com.sun.jersey.api.client.Client.handle(Client.java:648)
at com.sun.jersey.api.client.AsyncWebResource$5.call(AsyncWebResource.java:797)
at com.sun.jersey.api.client.AsyncWebResource$5.call(AsyncWebResource.java:795)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
... 5 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:240)
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:147)
... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Cause
- The default SSL certificate is still being used and has not been updated on the Hipchat server. Note that the default certificate does not contain any Common Name, so it does not recognize any FQDN.
- The Hipchat server's SSL certificate has not been imported into the Confluence or Jira keystores. As a result, these applications cannot recognize the Hipchat server and the SSL handshake cannot be established properly.
Resolution
If you are still using the default Hipchat server SSL certificate, please update the certificate with the following steps:
Verify that the hostname and domain have been set:
hipchat network --show
If not, configure the hostname and domain as described in Configuring Hipchat Server's FQDN.
Run the following command line on your Hipchat server terminal.
HipChat Server below 1.4.x:
hipchat ssl --selfsign
HipChat Server 1.4.x and later:
hipchat certificates --selfsign
Next, the Hipchat Server certificate has to be imported into the Jira/Confluence SSL keystore
From a Unix command line, replacing 'example.hipchatserver.com' with the real FQDN:
openssl s_client -connect example.hipchatserver.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > hipchat_server.crt
From a Windows command line, replacing 'example.hipchatserver.com' with the real FQDN:
openssl s_client -connect example.hipchatserver.com:443 < NUL | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > hipchat_server.crt
The command above assumes OpenSSL and Sed for Windows have already been installed on the Windows system. Alternatively, export the certificate through a web browser, as described in these instructions for Mozilla Firefox, for example.
Copy hipchat_server.crt to your Jira / Confluence instances and import it into the cacerts file of the JVM. You can check which JVM is in use from the java.home property under Administration > System > System Info (on Jira) or Administration > System Information (on Confluence).
Before running the command below, please validate that your $JAVA_HOME environment variable matches java.home in your system's information. If it doesn't, $JAVA_HOME should be replaced by the value of java.home.
For Windows environments, keytool.exe should typically be found under the bin/ directory of your Java installation directory. Example: C:\Program Files\Java\jre7\bin
keytool -importcert -alias hipchat -keystore $JAVA_HOME/jre/lib/security/cacerts -file hipchat_server.crt
You'll be prompted to enter a password; the password is changeit.
Follow the steps in the documentation below to import the certificate into the Jira / Confluence Server's JVM trust store, for example:
Validate the certificate was imported
keytool -list -v -alias hipchat -keystore $JAVA_HOME/jre/lib/security/cacerts
Restart Jira / Confluence Server
Follow the steps in the 'Integrating with Hipchat' portion of the Integrating with Collaboration Tools - Jira documentation to complete the installation
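A pre-import check for the fetched hipchat_server.crt, as an added example that is not part of the original article: it rejects an empty or unparsable file (what the s_client | sed pipeline leaves behind when the connection fails), reports whether the certificate names the FQDN that Jira / Confluence will connect to, and prints the SHA-256 fingerprint to compare with the certificate on the Hipchat server. The function names and the throwaway sample certificate generator are assumptions made for this example.

```shell
#!/bin/sh
# Added example: gate a fetched certificate before importing it with keytool.
# Function names and sample certificates are assumptions, not Atlassian tooling.

# SHA-256 fingerprint; compare with the value computed on the Hipchat server
# itself, since a certificate fetched over the network is otherwise unverified.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Prints one status word and returns non-zero unless the file passes:
#   empty         - the s_client | sed pipeline captured nothing
#   unreadable    - not a PEM certificate
#   expired       - notAfter is in the past
#   name-mismatch - neither SAN nor CN names the FQDN (the kind of
#                   failure behind "No name matching ... found")
#   ok
check_cert() {
  file=$1
  fqdn=$2
  [ -s "$file" ] || { echo empty; return 1; }
  openssl x509 -in "$file" -noout >/dev/null 2>&1 \
    || { echo unreadable; return 1; }
  openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo expired; return 1; }
  openssl x509 -in "$file" -noout -checkhost "$fqdn" 2>/dev/null \
    | grep -q 'does match certificate' || { echo name-mismatch; return 1; }
  echo ok
}

# Constructed sample input: a throwaway self-signed certificate with subject $2.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "$2" \
    -keyout "$1.key" -out "$1" >/dev/null 2>&1
  rm -f "$1.key"
}

# Usage: sh check_cert.sh hipchat_server.crt example.hipchatserver.com
if [ "$#" -eq 2 ]; then
  check_cert "$1" "$2" && cert_fingerprint "$1"
fi
```

A name-mismatch result on a freshly fetched certificate points back to the first cause above: the Hipchat server is still presenting a certificate that does not carry its FQDN.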
Troubleshooting
If the Jira / Confluence Server to Hipchat Server integration does not function as expected:
- Verify the Jira / Confluence Server can resolve the Hipchat Server's domain name. This can be accomplished using a tool like nslookup or ping.
- Use the hostname command at the Hipchat Server terminal/command-line interface to verify it is set as expected.
Remove conflicting certificates in the Jira / Confluence Server JVM trust store using the following command:
<JAVA_HOME>/bin/keytool -delete -noprompt -alias hipchat -keystore <JAVA_HOME>/jre/lib/security/cacerts
Replace 'hipchat' with any alias that may be associated with the Hipchat Server's certificate. The default password for this keystore is changeit.
In some cases, importing the certificate into the $JAVA_HOME directory won't allow the certificate to be trusted in Jira / Confluence. Instead, you will need to install the certificate into the Jira / Confluence home path (by default: /opt/atlassian/jira). For example:
/opt/atlassian/jira/jre/bin/keytool -import -alias hipchat -keystore /opt/atlassian/jira/jre/lib/security/cacerts -file /path/to/cert-file/my-hipchat-cert-file.pem