JIRA Macro with self-signed Certificate

Hello!

I am trying to set up the JIRA macro for use with our JIRA instance. I have set the required fields in the JIRA administration and the requests reach the JIRA server. However, we use a self-managed instance in our local network, running on a .local domain with a self-signed certificate. Therefore the JIRA macro fails with the message: Failed to execute the JIRA macro. Cause: [unable to find valid certification path to requested target]. Click on this message for details.

Is there anything I can do to allow the connection even though the certificate cannot be verified? I have not found anything in the extension documentation and from a quick glance at the sources I don’t think I will be able to fix this in code myself.

Versions:
XWiki:13.0
JIRA Macro/Administration: 8.6.2

Edit: Failed to mention that we have an nginx reverse proxy in front of XWiki, in case it matters.

Can you click on the message and paste the full stack trace?

I don’t think this is the extension’s job to deal with that. You should add your custom certificate to the JVM truststore. I found “How to Import Public Certificates into Java’s Truststore from a Browser” (by Avinash Reddy Penugonda, Expedia Group Technology, on Medium), which seems interesting here.

Sorry, the first instance I encountered was not clickable. Otherwise I would have included the logs in the original post. In summary it is:

org.xwiki.rendering.macro.MacroExecutionException: Failed to retrieve JIRA data from [SERVER] for JQL [issueKey in (ISSUEKEY)]
    at org.xwiki.contrib.jira.macro.internal.source.AbstractJIRADataSource.getXMLDocument(AbstractJIRADataSource.java:96)
    ...
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    ...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    ...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    ...

… which should already have brought me to:

Since I have had to do this for the exact same reason a couple of times already, I should have remembered :sweat_smile: Thanks for the quick replies, with the certificate added to the truststore the connection works.

We are using the docker image and the keytool command in the linked resource needed some modifications (might be because of the Java version or because the guide was for Mac). Here is a quick writeup of the full procedure in case others need it:

  1. Download the certificate (I use Firefox contrary to the guide) and transfer it to the docker host

  2. Use docker cp to copy the certificate to the docker container

  3. Use docker exec to open a shell in the container and run the keytool command for certificate import:

     keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias AliasForYourCertificate -file /path/to/cert.pem
    
  4. Use exit to end the shell session in the container

  5. Use docker cp to copy the cacerts file from the container to the host - the location in the container was /opt/java/openjdk/lib/security/cacerts in our case

  6. Stop the container and start it with the modified cacerts file mounted

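Steps 2 to 5 of the write-up above as a single shell function, with a SHA-256 fingerprint check before the certificate is trusted. This is an added example, not part of the original post. The container name, alias, file paths and expected fingerprint are arguments assumed for illustration, and the expected fingerprint is meant to come from the JIRA server itself, not from the downloaded file.

```sh
#!/bin/sh
# Added example: steps 2-5 of the write-up as one function, with a
# fingerprint check before the import. Arguments are assumptions.

# Truststore path inside the container, as reported in the post.
CACERTS=/opt/java/openjdk/lib/security/cacerts

# SHA-256 fingerprint of a PEM certificate as bare upper-case hex.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 |
    sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# import_cert CONTAINER CERT_PEM ALIAS EXPECTED_SHA256 OUT_CACERTS
# OUT_CACERTS should be an absolute host path so it can be bind-mounted.
import_cert() {
  ic_container=$1; ic_cert=$2; ic_alias=$3; ic_out=$5
  ic_want=$(printf '%s' "$4" | tr -d ': ' | tr 'a-f' 'A-F')
  ic_got=$(cert_fingerprint "$ic_cert")

  # Refuse to trust a certificate that is not the one we expect.
  if [ -z "$ic_got" ] || [ "$ic_got" != "$ic_want" ]; then
    echo "fingerprint mismatch ($ic_got), not importing" >&2
    return 1
  fi

  # Step 2: copy the certificate into the container.
  docker cp "$ic_cert" "$ic_container:/tmp/jira-cert.pem" || return 1
  # Step 3: import it with the keytool command from the post.
  docker exec "$ic_container" keytool -import -trustcacerts -cacerts \
    -storepass changeit -noprompt -alias "$ic_alias" \
    -file /tmp/jira-cert.pem || return 1
  # Confirm the alias is now present before copying the store out.
  docker exec "$ic_container" keytool -list -cacerts -storepass changeit \
    -alias "$ic_alias" >/dev/null || return 1
  # Step 5: copy the modified truststore to the host.
  docker cp "$ic_container:$CACERTS" "$ic_out" || return 1
  # Step 6 hint: mount the file read-only when restarting the container.
  echo "mount with: -v $ic_out:$CACERTS:ro"
}

# Run only when called with all five arguments.
if [ "$#" -eq 5 ]; then
  import_cert "$@"
fi
```

Mounting the copied cacerts file read-only keeps the running container from altering the truststore it was started with.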