Attempting to create an application link from JIRA to another application will fail if that application runs over HTTPS with an SSL certificate that uses Subject Alternative Name (SAN). This will also impact existing Application Links, causing them to stop working. This will also impact JIRA gadgets in case of JIRA is behind the proxy with TLS offload as JIRA needs to connect to itself through proxy (see JRASERVER-64137).
JIRA 7.4.0 bundled with Apache HttpClient 4.5.3.
- Configure JIRA and Bamboo to run over HTTPS with an SSL certificate using SAN
- Ensure Bamboo's certificate has been imported into JIRA's trust store (and vice-versa)
- From JIRA, create an application link to Bamboo
- The applinks creation is successful on both sides.
- JIRA is able to load gadgets
The applinks fails on JIRA side with the following symptoms:
- Bamboo is not detected and JIRA is asked to provide Consumer key and Shared secret as if Bamboo's SSL cert hadn't been imported. However, there's no PKIX error in the log.
- Upon the creation completion (just Continue), the following error appears in JIRA GUI:
- In JIRA log, the following error is thrown:
JIRA 7.4 uses Apache HttpClient 4.5.3 as can be seen in pom.xml:
This version carries this bug that affects SSL certificates with SAN:
- Use unproxied applinks that would bypass the SSL check
- Temporarily use the linked application/s over HTTP (Bamboo as in the context of this report)
- Temporarily use a certificate that doesn't use SAN
- This could be a problem if you use Chrome 58+
httpclient version was upgraded to 4.5.4: pom.xml
- This may cause a JIRA's Base URL healthcheck problem which in turn leads to the following problem:
- Also note that Chromium/Chrome removed support for matching common name (CN) in certificates in M58, so enforcing users to switch to SAN, so that makes bug more critical.