Manage apps page throws Marketplace server not reachable error in Jira

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

症状

When going to manage/add new add-ons page, this error is displayed:

The Atlassian Marketplace server is not reachable. To avoid problems when loading this page, you can disable the connection to the Marketplace server

The atlassian-jira.log contain the following errors:

2013-10-29 14:30:17,194 WARN  [http-bio-7990-exec-5] user 870x497x1 1lzkc13 XXX.XXX.XXX.XXX,127.0.0.1 "GET /plugins/servlet/upm/marketplace HTTP/1.0" com.atlassian.upm.pac.PacClientImpl Error when querying application info from MPAC: com.atlassian.marketplace.client.MpacException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

原因

When Java establishes an outbound connection, it needs to establish trust when it reads the server certificate of the Marketplace. In order to do this, it checks the Java trust store for a certificate chain that indicates the certificate served by the Atlassian Marketplace can be trusted. This trust store is located at JAVA_HOME/jre/lib/security/cacerts by default, but a customized location can be defined by the startup parameter -Djavax.net.ssl.trustStore

If Jira is unable to establish trust when accessing the marketplace, the connection will be refused and your admins will not be able to use the Marketplace within JIRA.

This occurs because the default Java trust store has been modified, and therefore is missing a valid trust chain, or, the certificate presented by Marketplace has been tampered with by a local proxy, and therefore is not trusted.

ソリューション

If using Windows we recommend using the tool specified in Connecting to SSL services to do this as it is easier.

  1. Download the Atlassian Marketplace certificates with the commands below:
    Linux

    openssl s_client -connect marketplace.atlassian.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > marketplace.atlassian.com.crt
    openssl s_client -connect plugins.atlassian.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > plugins.atlassian.com.crt
    openssl s_client -connect marketplace-cdn.atlassian.com:443 -servername marketplace-cdn.atlassian.com < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > marketplace-cdn.atlassian.com.crt

    Windows

    openssl s_client -connect marketplace.atlassian.com:443 < NUL > marketplace.atlassian.com.cert
    openssl s_client -connect plugins.atlassian.com:443 < NUL > plugins.atlassian.com.cert
    openssl s_client -connect marketplace-cdn.atlassian.com:443 -servername marketplace-cdn.atlassian.com < NUL > marketplace-cdn.atlassian.com.cert

    After saving the certificates in Windows, edit them and delete everything before the "BEGIN CERTIFICATE" line and everything after the "END CERTIFICATE" line. This step is not required for Linux.

  2. Import the certificates into the Java trust store:

    keytool -import -alias marketplace.atlassian.com:443 -keystore /path/to/keystore -file /path/to/marketplace.atlassian.com.cert
    keytool -import -alias plugins.atlassian.com:443 -keystore /path/to/keystore -file /path/to/plugins.atlassian.com.cert
    keytool -import -alias marketplace-cdn.atlassian.com:443 -keystore /path/to/keystore -file /path/to/marketplace-cdn.atlassian.com.cert

    The trust store is located in the following directories:

    • Windows/Linux: $JAVA_HOME/jre/lib/security/cacerts
    • Mac OS (not supported): $JAVA_HOME/lib/security/cacerts
    • If customised: Check the value of the startup parameter  -Djavax.net.ssl.trustStore

    If keytool prompts for a password, the default is changeit.

  3. Restart the Jira application. Certificates are loaded into the JVM on startup and such changes need a restart to take effect.

Please see the following question on Atlassian Answers and Problems Connecting to the Atlassian Marketplace for further information.


最終更新日 2020 年 7 月 26 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.