JIRA's Tomcat SSL Connector fails to start with SSLContext not available

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Problem

Following Running JIRA applications over SSL or HTTPS to configure JIRA with a Tomcat SSL Connector, the Connector fails to start. This error is found in Tomcat logs:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 18-Oct-2017 15:27:42.923 SEVERE [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[HTTP/1.1-9750]] org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-9750]] at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167) at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:791) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) at org.apache.catalina.startup.Catalina.start(Catalina.java:655) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:355) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:495) Caused by: org.apache.catalina.LifecycleException: service.getName(): "Catalina"; Protocol handler start failed at org.apache.catalina.connector.Connector.startInternal(Connector.java:976) at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) ... 11 more Caused by: java.lang.IllegalArgumentException: java.security.NoSuchAlgorithmException: TLSv1.2,TLSv1.3 SSLContext not available at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103) at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81) at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244) at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:874) at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:590) at org.apache.catalina.connector.Connector.startInternal(Connector.java:969) ... 12 more Caused by: java.security.NoSuchAlgorithmException: TLSv1.2,TLSv1.3 SSLContext not available at sun.security.jca.GetInstance.getInstance(GetInstance.java:159) at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156) at org.apache.tomcat.util.net.jsse.JSSESSLContext.<init>(JSSESSLContext.java:37) at org.apache.tomcat.util.net.jsse.JSSEUtil.createSSLContext(JSSEUtil.java:167) at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100) ... 17 more

Diagnosis

Environment: JIRA 7.5.x bundled with Tomcat 8.5.6 and JRE 1.8.0_102.

There are 2 Connectors in server.xml like this:

  • The non-SSL connector (port 8750) is started normally

  • The SSL connector (port 9750) fails to start

1 2 3 4 5 6 7 8 9 <Connector acceptCount="100" bindOnInit="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" useBodyEncodingForURI="true" port="8750" protocol="HTTP/1.1" redirectPort="9750"/> <Connector acceptCount="100" bindOnInit="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" useBodyEncodingForURI="true" keyAlias="tomcat" keystoreFile="keystore/tomcat.jks" keystorePass="password" keystoreType="JKS" port="9750" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslEnabledProtocols="TLSv1.2,TLSv1.3" sslProtocol="TLSv1.2,TLSv1.3" SSLEnabled="true" clientAuth="false"/>

Cause

sslProtocol only supports a single value e.g. TLS. Configuring it with multiple values causes the problem.

JRASERVER-66168 - Documentation regarding configuring SSL uses wrong attribute in example config has been raised to address this Documentation issue.

Solution

Resolution

Remove sslProtocol and only use sslEnabledProtocols:

1 2 3 4 5 <Connector acceptCount="100" bindOnInit="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" useBodyEncodingForURI="true" keyAlias="tomcat" keystoreFile="keystore/tomcat.jks" keystorePass="password" keystoreType="JKS" port="9750" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslEnabledProtocols="TLSv1.2,TLSv1.3" SSLEnabled="true" clientAuth="false"/>
Updated on April 2, 2025
Platform
Data Center only
Product
Jira Software Data Center
On this pageSummaryDiagnosisCauseSolution

Still need help?

The Atlassian Community is here for you.
Ask the Community