Jira DC SSL not working on Apache on OpenSuse latest

marianogedisman

Hello! I've followed these instructions to enable SSL (through my Cloudflare domain) on my Jira DC instance (Server version: Apache/2.4.58 (Linux/SUSE)):

https://thejiraguy.com/2021/10/14/adding-ssl-to-jira/

(here's the vhost code pastebin: https://pastebin.com/u7yyeBUx)

Unfortunately it didn't work. I get a constant 301 loop (I guess http sends to https and so on?).

I have an A record setup on the server's pub_ip address, it works just fine with Zabbix for example.



I'm going a bit crazy trying to figure out where the loop happens. I've tried a few options like setting ProxyRequests Off and also setting my domain directly as HTTPS:



Code:
ProxyPass / https://jira.mediasoft.com:8080/
ProxyPassReverse / https://jira.mediasoft.com:8080/

But that didn't work either.



All our other tools (Zabbix, Grafana, WikiJS) work just fine on reverse proxy Apache, not sure what's the deal with Jira not wanting to kick into work. Maybe an issue with Cloudflare?



Should Tomcat be listening on 443 instead of Apache??

Code:
ss -tulpn
Netid  State   Recv-Q  Send-Q  Local Address:Port         Peer Address:Port  Process
udp    UNCONN  3584    0       0.0.0.0%eth0:68            0.0.0.0:*          users:(("wickedd-dhcp4",pid=892,fd=8))
udp    UNCONN  0       0       127.0.0.1:323              0.0.0.0:*          users:(("chronyd",pid=1448,fd=5))
udp    UNCONN  0       0       [::1]:323                  [::]:*             users:(("chronyd",pid=1448,fd=6))
tcp    LISTEN  0       128     0.0.0.0:22                 0.0.0.0:*          users:(("sshd",pid=13260,fd=3))
tcp    LISTEN  0       10      *:8090                     *:*                users:(("java",pid=27041,fd=45))
tcp    LISTEN  0       100     *:8080                     *:*                users:(("java",pid=4508,fd=121))
tcp    LISTEN  0       128     [::]:22                    [::]:*             users:(("sshd",pid=13260,fd=4))
tcp    LISTEN  0       4096    *:80                       *:*                users:(("httpd-prefork",pid=5470,fd=4),("httpd-prefork",pid=5469,fd=4),("httpd-prefork",pid=5468,fd=4),("httpd-prefork",pid=5467,fd=4),("httpd-prefork",pid=5466,fd=4),("httpd-prefork",pid=5452,fd=4))
tcp    LISTEN  0       4096    *:443                      *:*                users:(("httpd-prefork",pid=5470,fd=6),("httpd-prefork",pid=5469,fd=6),("httpd-prefork",pid=5468,fd=6),("httpd-prefork",pid=5467,fd=6),("httpd-prefork",pid=5466,fd=6),("httpd-prefork",pid=5452,fd=6))
tcp    LISTEN  0       1       [::ffff:127.0.0.1]:8000    *:*                users:(("java",pid=27041,fd=79))
tcp    LISTEN  0       1       [::ffff:127.0.0.1]:8005    *:*                users:(("java",pid=4508,fd=506))


When I try to hit the application, apache log shows:

[10/Sep/2024:16:15:40 +0000] "GET / HTTP/1.1" 500 - "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15"

So the server is reachable, it's just the config that is wrong. Not sure what could be though, tried several options but nothing.
 


The error logs for that particular Apache conf file when I try to access the site read:

Code:
[Tue Sep 10 16:22:07.183982 2024] [ssl:debug] [pid 5469] ssl_engine_kernel.c(2397): [client 172.69.56.206:14368] AH02043: SSL virtual host for servername jira.mediasoft.com found
[Tue Sep 10 16:22:07.184393 2024] [core:debug] [pid 5469] protocol.c(2468): [client 172.69.56.206:14368] AH03155: select protocol from , choices=h2,http/1.1 for server jira.mediasoft.com
[Tue Sep 10 16:22:07.188392 2024] [ssl:debug] [pid 5469] ssl_engine_kernel.c(2259): [client 172.69.56.206:14368] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Tue Sep 10 16:22:07.190245 2024] [ssl:debug] [pid 5469] ssl_engine_kernel.c(422): [client 172.69.56.206:14368] AH02034: Initial (No.1) HTTPS request received for child 3 (server jira.mediasoft.com:443)
[Tue Sep 10 16:22:07.190431 2024] [authz_core:debug] [pid 5469] mod_authz_core.c(818): [client 172.69.56.206:14368] AH01626: authorization result of Require all granted: granted
[Tue Sep 10 16:22:07.190449 2024] [authz_core:debug] [pid 5469] mod_authz_core.c(818): [client 172.69.56.206:14368] AH01626: authorization result of <RequireAny>: granted
[Tue Sep 10 16:22:07.190554 2024] [proxy:debug] [pid 5469] mod_proxy.c(1513): [client 172.69.56.206:14368] AH01143: Running scheme https handler (attempt 0)
[Tue Sep 10 16:22:07.190570 2024] [proxy:debug] [pid 5469] proxy_util.c(2572): AH00942: https: has acquired connection for (jira.mediasoft.com:8080)
[Tue Sep 10 16:22:07.190601 2024] [proxy:debug] [pid 5469] proxy_util.c(2635): [client 172.69.56.206:14368] AH00944: connecting https://jira.mediasoft.com:8080/ to jira.mediasoft.com:8080
[Tue Sep 10 16:22:07.190867 2024] [proxy:debug] [pid 5469] proxy_util.c(2858): [client 172.69.56.206:14368] AH00947: connected / to jira.mediasoft.com:8080
[Tue Sep 10 16:22:07.245255 2024] [proxy:debug] [pid 5469] proxy_util.c(3334): AH02824: https: connection established with 172.67.208.166:8080 (jira.mediasoft.com:8080)
[Tue Sep 10 16:22:07.245424 2024] [proxy:debug] [pid 5469] proxy_util.c(3520): AH00962: https: connection complete to 172.67.208.166:8080 (jira.mediasoft.com)
[Tue Sep 10 16:22:07.245473 2024] [ssl:info] [pid 5469] [remote 172.67.208.166:8080] AH01964: Connection to child 0 established (server jira.mediasoft.com:443)
[Tue Sep 10 16:22:07.300040 2024] [ssl:info] [pid 5469] [remote 172.67.208.166:8080] AH02003: SSL Proxy connect failed
[Tue Sep 10 16:22:07.300109 2024] [ssl:info] [pid 5469] SSL Library Error: error:0A00010B:SSL routines::wrong version number
[Tue Sep 10 16:22:07.300123 2024] [ssl:info] [pid 5469] [remote 172.67.208.166:8080] AH01998: Connection closed to child 0 with abortive shutdown (server jira.mediasoft.com:443)
[Tue Sep 10 16:22:07.300232 2024] [ssl:info] [pid 5469] [remote 172.67.208.166:8080] AH01997: SSL handshake failed: sending 502
[Tue Sep 10 16:22:07.300246 2024] [proxy:error] [pid 5469] (20014)Internal error (specific information not available): [client 172.69.56.206:14368] AH01084: pass request body failed to 172.67.208.166:8080 (jira.mediasoft.com)
[Tue Sep 10 16:22:07.300261 2024] [proxy:error] [pid 5469] [client 172.69.56.206:14368] AH00898: Error during SSL Handshake with remote server returned by /
[Tue Sep 10 16:22:07.300268 2024] [proxy_http:error] [pid 5469] [client 172.69.56.206:14368] AH01097: pass request body failed to 172.67.208.166:8080 (jira.mediasoft.com) from 172.69.56.206 ()
[Tue Sep 10 16:22:07.300275 2024] [proxy:debug] [pid 5469] proxy_util.c(2588): AH00943: https: has released connection for (jira.mediasoft.com:8080)
[Tue Sep 10 16:22:07.300377 2024] [authz_core:debug] [pid 5469] mod_authz_core.c(818): [client 172.69.56.206:14368] AH01626: authorization result of Require all granted: granted
[Tue Sep 10 16:22:07.300392 2024] [authz_core:debug] [pid 5469] mod_authz_core.c(818): [client 172.69.56.206:14368] AH01626: authorization result of <RequireAny>: granted
[Tue Sep 10 16:22:07.300432 2024] [proxy:debug] [pid 5469] mod_proxy.c(1513): [client 172.69.56.206:14368] AH01143: Running scheme https handler (attempt 0)
[Tue Sep 10 16:22:07.300443 2024] [proxy:debug] [pid 5469] proxy_util.c(2572): AH00942: https: has acquired connection for (jira.mediasoft.com:8080)
[Tue Sep 10 16:22:07.300451 2024] [proxy:debug] [pid 5469] proxy_util.c(2635): [client 172.69.56.206:14368] AH00944: connecting https://jira.mediasoft.com:8080/error/HTTP_INTERNAL_SERVER_ERROR.html.var to jira.mediasoft.com:8080
[Tue Sep 10 16:22:07.300460 2024] [proxy:debug] [pid 5469] proxy_util.c(2858): [client 172.69.56.206:14368] AH00947: connected /error/HTTP_INTERNAL_SERVER_ERROR.html.var to jira.mediasoft.com:8080
[Tue Sep 10 16:22:07.353684 2024] [proxy:debug] [pid 5469] proxy_util.c(3334): AH02824: https: connection established with 172.67.208.166:8080 (jira.mediasoft.com:8080)
[Tue Sep 10 16:22:07.353754 2024] [proxy:debug] [pid 5469] proxy_util.c(3520): AH00962: https: connection complete to 172.67.208.166:8080 (jira.mediasoft.com)
[Tue Sep 10 16:22:07.353772 2024] [ssl:info] [pid 5469] [remote 172.67.208.166:8080] AH01964: Connection to child 0 established (server jira.mediasoft.com:443)
[Tue Sep 10 16:22:07.407415 2024] [ssl:info] [pid 5469] [remote 172.67.208.166:8080] AH02003: SSL Proxy connect failed
[Tue Sep 10 16:22:07.407478 2024] [ssl:info] [pid 5469] SSL Library Error: error:0A00010B:SSL routines::wrong version number
[Tue Sep 10 16:22:07.407490 2024] [ssl:info] [pid 5469] [remote 172.67.208.166:8080] AH01998: Connection closed to child 0 with abortive shutdown (server jira.mediasoft.com:443)
[Tue Sep 10 16:22:07.407548 2024] [ssl:info] [pid 5469] [remote 172.67.208.166:8080] AH01997: SSL handshake failed: sending 502
[Tue Sep 10 16:22:07.407560 2024] [proxy:error] [pid 5469] (20014)Internal error (specific information not available): [client 172.69.56.206:14368] AH01084: pass request body failed to 172.67.208.166:8080 (jira.mediasoft.com)
[Tue Sep 10 16:22:07.407584 2024] [proxy:error] [pid 5469] [client 172.69.56.206:14368] AH00898: Error during SSL Handshake with remote server returned by /error/HTTP_INTERNAL_SERVER_ERROR.html.var
[Tue Sep 10 16:22:07.407591 2024] [proxy_http:error] [pid 5469] [client 172.69.56.206:14368] AH01097: pass request body failed to 172.67.208.166:8080 (jira.mediasoft.com) from 172.69.56.206 ()
[Tue Sep 10 16:22:07.407597 2024] [proxy:debug] [pid 5469] proxy_util.c(2588): AH00943: https: has released connection for (jira.mediasoft.com:8080)
[Tue Sep 10 16:22:07.407836 2024] [ssl:debug] [pid 5469] ssl_engine_io.c(1150): [client 172.69.56.206:14368] AH02001: Connection closed to child 3 with standard shutdown (server jira.mediasoft.com:443)


But when I check the SSL cert with openssl I get an OK response:

Code:
---
SSL handshake has read 2838 bytes and written 405 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
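
The failed backend attempt in the Apache error log above can be read mechanically. The script below is an added example, not part of the original post: it pairs the AH00944, AH02824 and AH00898 lines per worker pid and flags an `https` proxy scheme whose peer fails with `wrong version number`, which typically means the port answered with non-TLS data such as plain HTTP. The function names and the hint wording are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample, abridged from the mod_proxy/mod_ssl lines quoted in the post
# (timestamps shortened to "ts"; hostnames and addresses are the ones in that log).
SAMPLE = """\
[ts] [proxy:debug] [pid 5469] proxy_util.c(2635): [client 172.69.56.206:14368] AH00944: connecting https://jira.mediasoft.com:8080/ to jira.mediasoft.com:8080
[ts] [proxy:debug] [pid 5469] proxy_util.c(3334): AH02824: https: connection established with 172.67.208.166:8080 (jira.mediasoft.com:8080)
[ts] [ssl:info] [pid 5469] SSL Library Error: error:0A00010B:SSL routines::wrong version number
[ts] [proxy:error] [pid 5469] [client 172.69.56.206:14368] AH00898: Error during SSL Handshake with remote server returned by /
"""

PID = re.compile(r"\[pid (\d+)\]")
CONNECTING = re.compile(r"AH00944: connecting (\w+)://\S+ to (\S+)")
ESTABLISHED = re.compile(r"AH02824: \w+: connection established with (\S+):(\d+) \(")
SSL_ERROR = re.compile(r"SSL Library Error: error:[0-9A-Fa-f]+:(.+)")


def classify(attempt):
    """Attach plain-language hints (wording is this example's own) to one failed attempt."""
    hints = []
    if attempt.get("scheme") == "https" and "wrong version number" in attempt.get("ssl_error", ""):
        hints.append("backend port likely answered with something other than TLS")
    peer = ipaddress.ip_address(attempt["peer"].strip("[]"))
    if not (peer.is_loopback or peer.is_private):
        hints.append("backend name resolved to a public address, not a local listener")
    return {**attempt, "hints": hints}


def diagnose(log_text):
    """Return one finding per AH00898 handshake failure, tracked per worker pid."""
    state, findings = {}, []
    for line in log_text.splitlines():
        pid = PID.search(line)
        if not pid:
            continue
        cur = state.setdefault(pid.group(1), {})
        if m := CONNECTING.search(line):
            cur.clear()  # a new backend attempt starts here
            cur.update(scheme=m.group(1), target=m.group(2))
        elif m := ESTABLISHED.search(line):
            cur.update(peer=m.group(1), port=int(m.group(2)))
        elif m := SSL_ERROR.search(line):
            cur["ssl_error"] = m.group(1).strip()
        elif "AH00898" in line and "peer" in cur:
            findings.append(classify(cur))
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```

Run against the full error log, each finding shows the proxied scheme, the address the backend name actually resolved to, and the OpenSSL reason, which can be compared with the local listeners in the `ss -tulpn` output.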
 
I don't have an answer for you regarding Cloudflare, but is there any particular reason why you don't just use Let's Encrypt?
 
Hello! Thanks for your reply.
Our company forces us to use Cloudflare provided Origin certs. I believe my problem lies in the Apache configuration. For some reason it's constantly looping between http and https and I'm not sure what's causing it.

I will see if I can take the matter to the Cloudflare community. Thanks!
 
That's a strange choice from my perspective. It's probably an edict from a pointy headed boss.

Anyhow, good luck. CF has a pretty good community support board plus you likely pay for support.
 
I agree! Let's Encrypt is easier to deploy and maintain but oh well.

Thanks a lot! I'll make sure to add any resolution when I find one.
Thanks again!
 
It sounds like you're experiencing a redirection loop issue. This often occurs when HTTP requests are being redirected to HTTPS, but then HTTPS requests are being redirected back to HTTP. Check your Apache configuration for conflicting or duplicate redirection rules. Ensure that only one set of redirections (either HTTP to HTTPS or HTTPS to HTTP) is configured, and verify that Cloudflare’s SSL/TLS settings are not causing additional redirects. Also, review your .htaccess files and any other virtual host configurations for possible conflicting settings.
 