JIRA's Tomcat SSL Connector fails to start with SSLContext not available
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Problem
After following Running JIRA applications over SSL or HTTPS to configure JIRA with a Tomcat SSL Connector, the Connector fails to start. The following error appears in the Tomcat logs:
18-Oct-2017 15:27:42.923 SEVERE [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[HTTP/1.1-9750]]
org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-9750]]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167)
at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:791)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.startup.Catalina.start(Catalina.java:655)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:355)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:495)
Caused by: org.apache.catalina.LifecycleException: service.getName(): "Catalina"; Protocol handler start failed
at org.apache.catalina.connector.Connector.startInternal(Connector.java:976)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
... 11 more
Caused by: java.lang.IllegalArgumentException: java.security.NoSuchAlgorithmException: TLSv1.2,TLSv1.3 SSLContext not available
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:874)
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:590)
at org.apache.catalina.connector.Connector.startInternal(Connector.java:969)
... 12 more
Caused by: java.security.NoSuchAlgorithmException: TLSv1.2,TLSv1.3 SSLContext not available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
at org.apache.tomcat.util.net.jsse.JSSESSLContext.<init>(JSSESSLContext.java:37)
at org.apache.tomcat.util.net.jsse.JSSEUtil.createSSLContext(JSSEUtil.java:167)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
... 17 more
Diagnosis
Environment: JIRA 7.5.x bundled with Tomcat 8.5.6 and JRE 1.8.0_102.
There are 2 Connectors in server.xml like this:
- The non-SSL connector (port 8750) is started normally
- The SSL connector (port 9750) fails to start
<Connector acceptCount="100" bindOnInit="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false"
maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" useBodyEncodingForURI="true"
port="8750" protocol="HTTP/1.1" redirectPort="9750"/>
<Connector acceptCount="100" bindOnInit="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false"
maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" useBodyEncodingForURI="true"
keyAlias="tomcat" keystoreFile="keystore/tomcat.jks" keystorePass="password" keystoreType="JKS"
port="9750" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
sslEnabledProtocols="TLSv1.2,TLSv1.3" sslProtocol="TLSv1.2,TLSv1.3" SSLEnabled="true" clientAuth="false"/>
Cause
sslProtocol only supports a single value, e.g. TLS. Configuring it with multiple values causes the problem.
JRASERVER-66168 has been raised to address this documentation issue.
Resolution
Remove sslProtocol and only use sslEnabledProtocols:
<Connector acceptCount="100" bindOnInit="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false"
maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" useBodyEncodingForURI="true"
keyAlias="tomcat" keystoreFile="keystore/tomcat.jks" keystorePass="password" keystoreType="JKS"
port="9750" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
sslEnabledProtocols="TLSv1.2,TLSv1.3" SSLEnabled="true" clientAuth="false"/>
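A check to run against server.xml before restarting, as an added example that is not part of the original article or of Atlassian's tooling: it flags any TLS-enabled Connector whose sslProtocol holds more than one value. The function names and the embedded sample are constructed for illustration, and the warning for a missing sslEnabledProtocols is an extra check assumed by this example.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample mirroring the two connectors from the Diagnosis section.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8750" protocol="HTTP/1.1" redirectPort="9750"/>
  <Connector port="9750" protocol="org.apache.coyote.http11.Http11NioProtocol"
             scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
             sslEnabledProtocols="TLSv1.2,TLSv1.3" sslProtocol="TLSv1.2,TLSv1.3"/>
</Service></Server>"""


def split_values(value):
    """Split an attribute value on commas/whitespace, dropping empty items."""
    return [v for v in re.split(r"[,\s]+", value.strip()) if v]


def audit_connectors(server_xml):
    """Return (port, message) findings for TLS-enabled <Connector> elements."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, no TLS attributes to check
        port = conn.get("port", "?")
        ssl_protocol = conn.get("sslProtocol")
        if ssl_protocol is not None and len(split_values(ssl_protocol)) > 1:
            # This value is handed to SSLContext.getInstance() as one
            # algorithm name, which is the failure in the stack trace above.
            findings.append((port, "sslProtocol=%r holds multiple values; "
                             "remove it and list versions in "
                             "sslEnabledProtocols" % ssl_protocol))
        if not split_values(conn.get("sslEnabledProtocols", "")):
            # Extra check (assumption of this example, not from the article).
            findings.append((port, "sslEnabledProtocols is not set; enabled "
                             "TLS versions are left to the defaults"))
    return findings


if __name__ == "__main__":
    # Usage: python check_connectors.py [path/to/server.xml]
    xml_text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    results = audit_connectors(xml_text)
    for port, message in results:
        print("Connector port %s: %s" % (port, message))
    sys.exit(1 if results else 0)
```

The script exits non-zero when it finds a problem, so it can gate a deployment step that rewrites server.xml.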