Hipchat Server is unavailable after updating SSL certificate
Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
This is for an outdated version of Hipchat Server
This article applies to a version of Hipchat Server which will be deprecated soon. After that period the version will no longer be supported.
You should upgrade to a more recent version of Hipchat Server as soon as you can to take advantage of new features, and security and bug fixes.
Problem
Hipchat Server is inaccessible after applying an SSL certificate. The services restarted successfully but users cannot access the system. Restarting the server from the command line produces the same results.
The following messages appear in /var/log/hipchat/nginx.err.log:
2017/05/30 04:21:13 [emerg] 16780#16780: PEM_read_bio_X509("/hipchat/certs/star_hipchat_com_chain.crt") failed (SSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode)
2017/05/30 04:23:44 [emerg] 16811#16811: PEM_read_bio_X509("/hipchat/certs/star_hipchat_com_chain.crt") failed (SSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode)
2017/05/30 04:26:15 [emerg] 16833#16833: PEM_read_bio_X509("/hipchat/certs/star_hipchat_com_chain.crt") failed (SSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode)
2017/05/30 04:28:46 [emerg] 16870#16870: PEM_read_bio_X509("/hipchat/certs/star_hipchat_com_chain.crt") failed (SSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode)
2017/05/30 04:31:17 [emerg] 16892#16892: PEM_read_bio_X509("/hipchat/certs/star_hipchat_com_chain.crt") failed (SSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode)
2017/05/30 04:33:47 [emerg] 16900#16900: PEM_read_bio_X509("/hipchat/certs/star_hipchat_com_chain.crt") failed (SSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode)
2017/05/30 04:36:18 [emerg] 16908#16908: PEM_read_bio_X509("/hipchat/certs/star_hipchat_com_chain.crt") failed (SSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode)
Diagnosis
Use the following commands to generate an MD5 sum of the modulus for the private key, certificate, and certificate signing request (CSR) files:
openssl rsa -noout -modulus -in domain.key | openssl md5
openssl x509 -noout -modulus -in domain.crt | openssl md5
openssl req -noout -modulus -in domain.csr | openssl md5
Confirm that the output string from each command is identical; this shows that the files match. If the outputs are not identical, or they are identical but the problem persists, proceed to the Resolution section.
Cause
The lines of the certificate in the PEM file are not 64 characters wide.
Resolution
SSH into the server through the terminal/command line.
Start by reconfiguring the server to use a self-signed certificate:
hipchat certificates --selfsign
The server should be accessible again, since it has reverted to using a self-signed certificate.
Double-check your SSL certificate formatting and make sure it follows this standard:
-----BEGIN CERTIFICATE-----
(Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(All required intermediate certificate files: intermediates.crt)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(The private key you generated: fqdn.key)
-----END RSA PRIVATE KEY-----
Note: A .pem file is just a Base64-encoded .der file. A few things worth noting:
- The file must contain -----BEGIN CERTIFICATE----- on a separate line (i.e. it must be terminated with a newline).
- Each line of the certificate must be 64 characters wide.
- The file must end with -----END CERTIFICATE----- and also be terminated with a newline.
- Don't save the cert text with Word. It must be in ASCII.
- Don't mix DOS and UNIX style line terminations.
Next, after ensuring the above requirements are fulfilled, re-import the trusted SSL certificate into the server, either through the server's terminal/command line or through the UI from Server admin > SSL. To import the certificate through the server's terminal/command line, run the following:
cat hipchat-example-com.crt > new_domain_name.pem
cat hipchat-example-com.key >> new_domain_name.pem
hipchat certificates --import new_domain_name.pem
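The formatting requirements listed above can be checked before running the import. The script below is an added example, not part of the original article or of Hipchat Server: check_pem and make_sample are hypothetical helper names, and the sample files hold constructed filler text rather than real certificates.

```sh
# check_pem FILE: layout checks only (it does not parse or validate the certificate).
# Returns 0 when no problem is found, 1 otherwise.
check_pem() {
    f=$1; rc=0
    # DOS line endings: any CR byte in the file.
    if [ $(LC_ALL=C tr -cd '\015' < "$f" | wc -c) -gt 0 ]; then
        echo "$f: CR (DOS) line endings present"; rc=1
    fi
    # Bytes other than printable ASCII, tab, LF and CR (BOM, smart quotes, ...).
    if [ $(LC_ALL=C tr -d '\011\012\015\040-\176' < "$f" | wc -c) -gt 0 ]; then
        echo "$f: non-ASCII bytes present"; rc=1
    fi
    # Last byte must be a newline; $(...) strips it, so the result must be empty.
    if [ -n "$(tail -c 1 "$f")" ]; then
        echo "$f: last line is not terminated with a newline"; rc=1
    fi
    # Marker placement and 64-column wrapping (CRs stripped, already reported).
    LC_ALL=C tr -d '\015' < "$f" | awk -v f="$f" '
        function bad(msg) { printf "%s:%d: %s\n", f, NR, msg; err = 1 }
        /^-----BEGIN CERTIFICATE-----$/ { if (incert) bad("BEGIN inside an open block")
            incert = 1; short = 0; certs++; next }
        /^-----END CERTIFICATE-----$/ { if (!incert) bad("END without BEGIN"); incert = 0; next }
        /-----(BEGIN|END) CERTIFICATE-----/ { bad("marker shares its line with other text"); next }
        incert {
            if (short) bad("previous line is shorter than 64 characters")
            if (length($0) > 64) bad("line longer than 64 characters")
            if (length($0) < 64) short = 1  # only the last line of a block may be short
        }
        END {
            if (incert) bad("certificate block not closed")
            if (!certs) bad("no well-formed certificate block found")
            exit err + 0
        }' || rc=1
    return $rc
}

# Constructed sample: 130 filler characters wrapped at WIDTH, not a real certificate.
make_sample() {  # usage: make_sample WIDTH FILE
    { echo '-----BEGIN CERTIFICATE-----'
      awk -v w="$1" 'BEGIN { for (i = 1; i <= 130; i++)
          printf "A%s", ((i % w == 0 || i == 130) ? "\n" : "") }'
      echo '-----END CERTIFICATE-----'; } > "$2"
}

tmp=$(mktemp -d)
make_sample 64 "$tmp/good.pem"; make_sample 76 "$tmp/wide.pem"
check_pem "$tmp/good.pem" && echo "good.pem: layout OK"
check_pem "$tmp/wide.pem" || echo "wide.pem: rejected"
rm -rf "$tmp"
```

Run it against the combined .pem file before hipchat certificates --import. The width check covers only the CERTIFICATE blocks, as in the requirement above, and a clean result says nothing about whether the key and certificate match.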