JIRA's Tomcat SSL Connector fails to start with SSLContext not available

Platform Notice: Server and Data Center Only. This article only applies to Atlassian products on the server and data center platforms.

Problem

After following Running JIRA applications over SSL or HTTPS to configure JIRA with a Tomcat SSL Connector, the Connector fails to start. The following error appears in the Tomcat logs:

18-Oct-2017 15:27:42.923 SEVERE [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[HTTP/1.1-9750]]
 org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-9750]]
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167)
	at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
	at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:791)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:655)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:355)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:495)
Caused by: org.apache.catalina.LifecycleException: service.getName(): "Catalina";  Protocol handler start failed
	at org.apache.catalina.connector.Connector.startInternal(Connector.java:976)
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
	... 11 more
Caused by: java.lang.IllegalArgumentException: java.security.NoSuchAlgorithmException: TLSv1.2,TLSv1.3 SSLContext not available
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
	at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:874)
	at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:590)
	at org.apache.catalina.connector.Connector.startInternal(Connector.java:969)
	... 12 more
Caused by: java.security.NoSuchAlgorithmException: TLSv1.2,TLSv1.3 SSLContext not available
	at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
	at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
	at org.apache.tomcat.util.net.jsse.JSSESSLContext.<init>(JSSESSLContext.java:37)
	at org.apache.tomcat.util.net.jsse.JSSEUtil.createSSLContext(JSSEUtil.java:167)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
	... 17 more

Diagnosis

Environment: JIRA 7.5.x bundled with Tomcat 8.5.6 and JRE 1.8.0_102.

There are 2 Connectors in server.xml:

  • The non-SSL connector (port 8750) is started normally
  • The SSL connector (port 9750) fails to start

They are defined like this:

<Connector acceptCount="100" bindOnInit="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false"
maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" useBodyEncodingForURI="true"
port="8750" protocol="HTTP/1.1" redirectPort="9750"/>

<Connector acceptCount="100" bindOnInit="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false"
maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" useBodyEncodingForURI="true"
keyAlias="tomcat" keystoreFile="keystore/tomcat.jks" keystorePass="password" keystoreType="JKS"
port="9750" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
sslEnabledProtocols="TLSv1.2,TLSv1.3" sslProtocol="TLSv1.2,TLSv1.3" SSLEnabled="true" clientAuth="false"/>

Cause

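sslProtocol only supports a single value, e.g. TLS. As the stack trace above shows, the whole attribute value is handed to SSLContext.getInstance as one algorithm name, so a comma-separated list such as TLSv1.2,TLSv1.3 is not recognised and the Connector fails to start.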

JRASERVER-66168 has been raised to address this documentation issue.

Resolution

Remove sslProtocol and only use sslEnabledProtocols:

<Connector acceptCount="100" bindOnInit="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false"
maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" useBodyEncodingForURI="true"
keyAlias="tomcat" keystoreFile="keystore/tomcat.jks" keystorePass="password" keystoreType="JKS"
port="9750" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
sslEnabledProtocols="TLSv1.2,TLSv1.3" SSLEnabled="true" clientAuth="false"/>
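
The check below is an added example, not Atlassian's or Tomcat's own code: it scans a server.xml for SSL connectors whose sslProtocol holds more than one value and applies the resolution above. The function names and the Server/Service wrapper in the sample are assumptions made for the example, as is carrying the list over to sslEnabledProtocols when that attribute is missing.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the page's two connectors (attributes trimmed), wrapped in
# a minimal Server/Service (assumed) so the fragment parses as one document.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8750" protocol="HTTP/1.1" redirectPort="9750"/>
    <Connector port="9750" protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
               sslEnabledProtocols="TLSv1.2,TLSv1.3" sslProtocol="TLSv1.2,TLSv1.3"/>
  </Service>
</Server>
"""


def multi_valued_ssl_protocol(conn):
    """Return the sslProtocol values of an SSL connector if there are several."""
    if conn.get("SSLEnabled", "false").lower() != "true":
        return []  # non-SSL connector: sslProtocol is not used
    values = [v for v in re.split(r"[,\s]+", conn.get("sslProtocol", "")) if v]
    return values if len(values) > 1 else []


def find_bad_ssl_connectors(server_xml):
    """List (port, sslProtocol values) for connectors matching the page's cause."""
    return [(c.get("port"), multi_valued_ssl_protocol(c))
            for c in ET.fromstring(server_xml).iter("Connector")
            if multi_valued_ssl_protocol(c)]


def apply_resolution(server_xml):
    """Remove sslProtocol from flagged connectors and return the new XML text."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if multi_valued_ssl_protocol(conn):
            # Assumption: if sslEnabledProtocols is missing, carry the list over.
            conn.attrib.setdefault("sslEnabledProtocols", conn.get("sslProtocol"))
            del conn.attrib["sslProtocol"]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for port, values in find_bad_ssl_connectors(SAMPLE_SERVER_XML):
        print(f"Connector port {port}: sslProtocol has {len(values)} values {values}")
    print(apply_resolution(SAMPLE_SERVER_XML))
```

ElementTree drops XML comments and reflows attributes, so treat the output of apply_resolution as a preview of the change rather than a file to write back over server.xml.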

Last modified on Nov 6, 2018
