Cannot integrate Hipchat Server with Confluence or Jira with SSLHandshakeException

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the server and data center platforms.

This solution applies to Hipchat Server releases at version 1.3.9 and earlier and Hipchat Server 1.4.2 and up. This will not work for Hipchat Server 2.0, build 1.4.1 due to HCPUB-815.

Problem

A "We couldn't reach your server" error occurs while trying to connect a self-hosted Hipchat Server with Confluence or Jira.

A javax.net.ssl.SSLHandshakeException is thrown and one of the following exception traces is logged to either atlassian-confluence.log or atlassian-jira.log:

Trace 1
2015-04-28 16:25:43,092 WARN [http-bio-9573-exec-16] [plugins.hipchat.rest.HipChatLinkResource] pingHipChat com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
 -- referer: http://localhost:9573/confluence/plugins/servlet/hipchat/configure | url: /confluence/rest/hipchat/integration/latest/installation/ping | userName: admin
java.util.concurrent.ExecutionException: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
	...
Caused by: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
	...
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
	at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
	at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:240)
	at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:147)
	...
Caused by: java.security.cert.CertificateException: No subject alternative names present 
Trace 2
2015-04-28 22:31:15,053 WARN [http-bio-9573-exec-15] [plugins.hipchat.rest.HipChatLinkResource] pingHipChat com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching hipchat.example.com found
 -- referer: http://localhost:9573/confluence/plugins/servlet/hipchat/configure | url: /confluence/rest/hipchat/integration/latest/installation/ping | userName: admin
java.util.concurrent.ExecutionException: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching hipchat.example.com found
	...
Caused by: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching hipchat.example.com found
	at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:149)
	...
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching hipchat.example.com found
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
	at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
	at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:240)
	at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:147)
	... 9 more
Caused by: java.security.cert.CertificateException: No name matching hipchat.example.com found
Trace 3
2015-04-28 23:01:54,798 WARN [http-bio-9573-exec-9] [plugins.hipchat.rest.HipChatLinkResource] pingHipChat com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 -- referer: http://localhost:9573/confluence/plugins/servlet/hipchat/configure | url: /confluence/rest/hipchat/integration/latest/installation/ping | userName: admin
java.util.concurrent.ExecutionException: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	...
Caused by: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:149)
	at com.sun.jersey.api.client.Client.handle(Client.java:648)
	at com.sun.jersey.api.client.AsyncWebResource$5.call(AsyncWebResource.java:797)
	at com.sun.jersey.api.client.AsyncWebResource$5.call(AsyncWebResource.java:795)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	... 5 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
	at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
	at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:240)
	at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:147)
	... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

  1. The default SSL certificate is still in use on the Hipchat Server and has not been updated. Note that the default certificate does not contain a Common Name, so it does not match any FQDN.
  2. The Hipchat Server's SSL certificate has not been imported into the Confluence or Jira keystore. As a result, these applications do not trust the Hipchat Server and the SSL handshake cannot be completed.

Resolution

If you are still using the default Hipchat Server SSL certificate, update the certificate with the following steps:

  1. Verify that the hostname and domain have been set

    hipchat network --show

    (info) If not, configure the hostname and domain as described in Configuring Hipchat Server's FQDN

  2. Run the following command line on your Hipchat server terminal.

    HipChat Server below 1.4.x:

    hipchat ssl --selfsign

    HipChat Server 1.4.x and later:

    hipchat certificates --selfsign

Next, the Hipchat Server certificate has to be imported into the Jira/Confluence SSL keystore

  1. From a Unix command line, replacing 'example.hipchatserver.com' with the real FQDN:

    openssl s_client -connect example.hipchatserver.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > hipchat_server.crt

    From a Windows command line, replacing 'example.hipchatserver.com' with the real FQDN:

    openssl s_client -connect example.hipchatserver.com:443 < NUL | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > hipchat_server.crt

    (info) The command above assumes OpenSSL and sed for Windows have already been installed on the Windows system. Alternatively, export the certificate through a web browser, as described in these instructions for Mozilla Firefox for example.

  2. Copy hipchat_server.crt to your Jira / Confluence instance and import it into the cacerts file of the JVM that the application runs on. The JVM's location is shown in the java.home property under Administration > System > System Info (on Jira) or Administration > System Information (on Confluence):

    Before running the command below, validate that your $JAVA_HOME environment variable matches java.home in your system's information. If it doesn't, replace $JAVA_HOME with the value of java.home.

    On Windows, keytool.exe is typically found in the bin/ directory of your Java installation. Example: C:\Program Files\Java\jre7\bin

    keytool -importcert -alias hipchat -keystore $JAVA_HOME/jre/lib/security/cacerts -file hipchat_server.crt

    (info) You'll be prompted for the keystore password; the default password is changeit.


  3. Follow the steps in the documentation below to import the certificate into the Jira / Confluence Server's JVM trust store, for example:

    1. Connecting to SSL services

    2. Running Confluence Over SSL or HTTPS

  4. Validate the certificate was imported:

    keytool -list -v -alias hipchat -keystore $JAVA_HOME/jre/lib/security/cacerts

  5. Restart Jira / Confluence Server

  6. Follow the steps in the 'Integrating with Hipchat' portion of the Integrating with Collaboration Tools - Jira documentation to complete the installation
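
A pre-import check to run between steps 1 and 2, as an added example that is not part of the original article: it confirms that hipchat_server.crt is a parseable certificate, that it covers the FQDN Jira / Confluence will connect to, and prints its SHA-256 fingerprint for comparison on the Hipchat Server. The function names and the generated sample certificates are assumptions made for the illustration; hipchat.example.com is the host name from the traces above.

```shell
#!/bin/sh
# Added example (not from the original article): checks to run on the fetched
# certificate before importing it into cacerts. Function names are hypothetical.

# Exit 0 if the certificate's SAN (or its CN, when no SAN DNS name exists)
# covers the FQDN; otherwise the name-check exceptions of Trace 1 / Trace 2
# will persist even after a successful import.
cert_matches_host() {   # usage: cert_matches_host CERT_FILE FQDN
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Print the SHA-256 fingerprint, to compare with the one read on the Hipchat
# Server itself: s_client fetches the certificate without authenticating it.
cert_fingerprint() {    # usage: cert_fingerprint CERT_FILE
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Returns 0 = safe to continue, 1 = name not covered, 2 = not a certificate.
preimport_check() {     # usage: preimport_check CERT_FILE FQDN
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo "FAIL: $1 holds no PEM certificate (did s_client connect?)"
        return 2
    fi
    if ! cert_matches_host "$1" "$2"; then
        echo "FAIL: certificate does not cover $2; set the FQDN and re-run selfsign"
        return 1
    fi
    echo "OK: $2 is covered; SHA-256 fingerprint $(cert_fingerprint "$1")"
}

# Constructed sample input: a throwaway self-signed certificate with the given
# subject, standing in for hipchat_server.crt so the example runs offline.
make_sample_cert() {    # usage: make_sample_cert OUT_FILE SUBJECT
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/default.crt" "/O=Constructed default certificate"
make_sample_cert "$demo_dir/fqdn.crt" "/CN=hipchat.example.com"
preimport_check "$demo_dir/default.crt" hipchat.example.com || true
preimport_check "$demo_dir/fqdn.crt" hipchat.example.com
```

Against the real file, run `preimport_check hipchat_server.crt <your FQDN>` and continue with the keytool import only when it returns 0 and the fingerprint matches.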

 

Troubleshooting

If the Jira / Confluence Server to Hipchat Server integration does not function as expected:

  • Verify the Jira / Confluence Server can resolve the Hipchat Server's domain name. This can be accomplished using a tool like nslookup or ping.
  • Use the hostname command at the Hipchat Server terminal/command-line interface to verify it is set as expected.
  • Remove conflicting certificates in the Jira / Confluence Server JVM trust store using the following command:

    <JAVA_HOME>/bin/keytool -delete -noprompt -alias hipchat -keystore <JAVA_HOME>/jre/lib/security/cacerts

    (info) Replace 'hipchat' with any alias that may be associated with the Hipchat Server's certificate. The default password for this keystore is changeit.

  • In some cases, importing the certificate into the $JAVA_HOME directory won't allow the certificate to be trusted in Jira / Confluence. Instead, you will need to install the certificate into the Jira / Confluence home path (by default: /opt/atlassian/jira). For example:

    /opt/atlassian/jira/jre/bin/keytool -import -alias hipchat -keystore /opt/atlassian/jira/jre/lib/security/cacerts -file /path/to/cert-file/my-hipchat-cert-file.pem

Last modified on Nov 2, 2018
