Failing to download or update any plugins from UPM due to missing certificates
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
When UPM uses the host application's proxy settings to connect to the Marketplace, the Atlassian application uses HTTPS, but UPM needs to connect to http://api.media.atlassian.com:443 (the plugin file server, api.media.atlassian.com:443).
However, because of missing certificates, the SSL connection to api.media.atlassian.com over port 443 is closed. The proxy is able to reach api.media.atlassian.com:443 but is not able to establish the secure connection.
As a result, the user gets the error message "Problem accessing the file Atlassian Troubleshooting and Support Tools.", but no more specific or explicit error is shown in either the UI or the logs.
Environment
Jira 8.x
Diagnosis
The below error has been seen during the plugin download/update attempts:
2023-03-02 11:54:30,933+0100 UpmAsynchronousTaskManager:thread-1 ERROR admin 845x41535x4 s33k3z 1.1.11.131,11.1.111.11 /rest/plugins/1.0/available/featured [c.a.u.c.r.resources.install.InstallFromUriTask]
Error downloading plugin from https://marketplace.atlassian.com/download/apps/1217696/version/14400001
2023-03-02 11:54:57,485+0100 http-nio-8080-exec-13 WARN admin 714x175763x2 dgpkke 1.1.11.131,11.1.111.11 /rest/plugins/1.0/installed-marketplace [c.a.upm.pac.PacClientImpl]
The request to check for app updates may take longer than expected because 200 apps are installed that could have updates. This may impact the performance of loading the Manage Apps page.
An HTTP-HTTPS mismatch can be caught from the diagnostics controls:
2022-12-13 14:31:09,275+0100 UpmAsynchronousTaskManager:thread-3 ERROR admin 871x1074x2 1uytbha 1.1.11.131,11.1.111.11 /rest/plugins/1.0/ [c.a.u.c.r.resources.install.InstallFromUriTask]
Error downloading plugin from https://marketplace.atlassian.com/download/apps/1217696/version/14301001
Cause
The connection between the proxy and the plugin file server (api.media.atlassian.com:443) is being shut down. If SSL certificates were previously imported with problematic arguments, the SSL connection to api.media.atlassian.com over port 443 may be closed because of missing or faulty certificates.
It is understood that the following trusted certificate is missing:
javax.net.ssl|DEBUG|01|main|2023-03-22 13:03:30.876 CET|null:-1|Found trusted certificate (
"certificate" : {
"version" : "v3",
"serial number" : "",
"signature algorithm": "SHA1withRSA",
"issuer" : "CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US",
"not before" : "2006-11-10 01:00:00.000 CET",
"not after" : "2031-11-10 01:00:00.000 CET",
"subject" : "CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US",
"subject public key" : "RSA",
Solution
Before proceeding, it can help to ensure that Atlassian hostnames are on the allow list:
Please see Configuring the allowlist
Warning
Only applicable to Jira environments that have an outbound or forward proxy configured. For more details, refer to Configure an outbound proxy for use in Jira server.
- Review all the certificates in cacerts.
keytool -list -keystore cacerts
- Import the SSL certificates of api.media.atlassian.com in Jira's trust store <JAVA_HOME>/jre/lib/security/cacerts by following the steps in Manage apps page throws Marketplace server not reachable error in Jira OR How to import a public SSL certificate into a JVM.
- Check if the api.media.atlassian.com SSL certificate was installed correctly
keytool -list -v -keystore <JAVA_HOME>\jre\lib\security\cacerts -alias <api_media_alias>
keytool -list -v -keystore <jira-install>\lib\security\cacerts -alias <api_media_alias>
- Run httpclienttest tool as described in the readme of the repository and upload the result:
- Download the JAR File
- Run the tool with the following command. If you do not use the default trust store path, check the custom path given in the "-Djavax.net.ssl.trustStore" parameter.
java -Dhttp.proxyHost="Host of Proxy" -Dhttp.proxyPort=8080 -Dhttps.proxyHost="Host of Proxy" -Dhttps.proxyPort=8080 -Dhttp.nonProxyHosts="localhost|Host of Proxy" -Djavax.net.ssl.trustStore="D:\Program Files\Atlassian\Jira\jre\lib\security\cacerts" -jar httpclienttest-1.0.2.jar https://api.media.atlassian.com:443
java -Dhttp.proxyHost="Host of Proxy" -Dhttp.proxyPort=8080 -Dhttps.proxyHost="Host of Proxy" -Dhttps.proxyPort=8080 -Dhttp.nonProxyHosts="localhost|Host of Proxy" -Djavax.net.ssl.trustStore="<jira-install>\lib\security\cacerts" -jar httpclienttest-1.0.2.jar https://api.media.atlassian.com:443
- Test the trust between the server and the outbound proxy
java -jar httpclienttest-1.0.2.jar http://YOUR_PROXY_URL:8080
java -jar httpclienttest-1.0.2.jar https://YOUR_PROXY_URL:443
- Get the certificate of the proxy as well
openssl s_client -showcerts -connect YOUR_PROXY_URL:8080
openssl s_client -showcerts -connect YOUR_PROXY_URL:443
- Compare the results and check if the "digicertglobalrootca" trusted certificate is missing
- Import it to the non-working instance with the below or equivalent command
keytool -import -alias digicertglobalrootca -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_root>
- Test the marketplace again
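The comparison step above can be scripted once `keytool -list -keystore cacerts` output has been saved from a working and a non-working instance. The following is an added example, not Atlassian's code: the `corp_proxy_ca` alias and all fingerprints are constructed sample values, and `api_media_alias` stands in for the page's `<api_media_alias>` placeholder.

```python
import re

# Constructed `keytool -list` output; fingerprints are made-up placeholders.
WORKING = """\
Your keystore contains 3 entries
digicertglobalrootca [jdk], Dec 1, 2017, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:AA:AA:AA
api_media_alias, Mar 22, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): BB:BB:BB:BB
corp_proxy_ca, Jan 5, 2022, trustedCertEntry,
Certificate fingerprint (SHA-256): CC:CC:CC:CC
"""
BROKEN = """\
Your keystore contains 2 entries
api_media_alias, Mar 22, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): BB:BB:BB:BB
corp_proxy_ca, Feb 9, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): DD:DD:DD:DD
"""

# "<alias>[ [jdk]], <date with commas>, <type>Entry," then a fingerprint line.
ENTRY = re.compile(r"^(?P<alias>[^,]+?)(?: \[jdk\])?, .*?, (?P<kind>\w+Entry),\s*$")
FPR = re.compile(r"^Certificate fingerprint \([^)]+\): ([0-9A-Fa-f:]+)\s*$")

def parse_keytool_list(text):
    """Return {alias: (entry_type, fingerprint)} from non-verbose `keytool -list` output."""
    entries, alias, kind = {}, None, None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            alias, kind = m.group("alias").lower(), m.group("kind")
            continue
        m = FPR.match(line)
        if m and alias:
            entries[alias] = (kind, m.group(1).upper())
            alias = None
    return entries

def compare_truststores(working, broken):
    """Return (aliases missing from broken, aliases whose fingerprint differs)."""
    good, bad = parse_keytool_list(working), parse_keytool_list(broken)
    trusted = {a for a, (k, _) in good.items() if k == "trustedCertEntry"}
    missing = sorted(trusted - bad.keys())
    changed = sorted(a for a in trusted & bad.keys() if good[a][1] != bad[a][1])
    return missing, changed

if __name__ == "__main__":
    print(compare_truststores(WORKING, BROKEN))
```

An alias reported as differing rather than missing means the entry exists but holds another certificate, which is the "faulty certificate" case and needs a re-import under the same alias.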