The Jira Manage apps page returns the "Marketplace server not reachable" error
Symptoms
When you go to the Manage add-ons / Find new add-ons page, the following error is displayed:
The Atlassian Marketplace server is not reachable. To avoid problems when loading this page, you can disable the connection to the Marketplace server
Cause #1
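When Java establishes an outbound connection, it must establish trust when reading the Marketplace server certificate. To do this, it looks in the Java trust store for a certificate chain showing that the certificate presented by Atlassian Marketplace can be trusted. By default this trust store is located at JAVA_HOME/jre/lib/security/cacerts, but a customized location may be defined with the startup parameter -Djavax.net.ssl.trustStore.
atlassian-jira.log contains the following error: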
2013-10-29 14:30:17,194 WARN [http-bio-7990-exec-5] user 870x497x1 1lzkc13 XXX.XXX.XXX.XXX,127.0.0.1 "GET /plugins/servlet/upm/marketplace HTTP/1.0" com.atlassian.upm.pac.PacClientImpl Error when querying application info from MPAC: com.atlassian.marketplace.client.MpacException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
If Jira is unable to establish trust when accessing the Marketplace, the connection will be refused and your admins will not be able to use the Marketplace within Jira. This occurs either because the default Java trust store has been modified and is therefore missing a valid trust chain, or because the certificate presented by Marketplace has been tampered with by a local proxy and is therefore not trusted.
Solution #1
If you are using Windows, we recommend using the tool specified in "Connecting to SSL services", as it is easier.
Download the Atlassian Marketplace certificates with the following commands.
Linux
openssl s_client -connect marketplace.atlassian.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > marketplace.atlassian.com.crt
openssl s_client -connect marketplace-cdn.atlassian.com:443 -servername marketplace-cdn.atlassian.com < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > marketplace-cdn.atlassian.com.crt
openssl s_client -connect api.media.atlassian.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > api.media.atlassian.com.crt
Windows
openssl s_client -connect marketplace.atlassian.com:443 < NUL > marketplace.atlassian.com.crt
openssl s_client -connect marketplace-cdn.atlassian.com:443 -servername marketplace-cdn.atlassian.com < NUL > marketplace-cdn.atlassian.com.crt
openssl s_client -connect api.media.atlassian.com:443 -servername api.media.atlassian.com < NUL > api.media.atlassian.com.crt
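After saving the certificates on Windows, edit them and delete all information before the "BEGIN CERTIFICATE" line and all information after the "END CERTIFICATE" line. This step is not needed on Linux.
Import the certificates into the Java trust store.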
keytool -import -alias marketplace.atlassian.com:443 -keystore /path/to/keystore -file /path/to/marketplace.atlassian.com.crt
keytool -import -alias marketplace-cdn.atlassian.com:443 -keystore /path/to/keystore -file /path/to/marketplace-cdn.atlassian.com.crt
keytool -import -alias api.media.atlassian.com:443 -keystore /path/to/keystore -file /path/to/api.media.atlassian.com.crt
The trust store is located in the following directory:
- Windows/Linux: $JAVA_HOME/jre/lib/security/cacerts
- Mac OS (unsupported): $JAVA_HOME/lib/security/cacerts
- If customized: check the value of the startup parameter -Djavax.net.ssl.trustStore
If keytool prompts for a password, the default is changeit.
Restart the Jira application. Certificates are loaded into the JVM at startup, so a restart is required for these changes to take effect.
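The Windows clean-up step above, combined with a fingerprint check before the keytool import, as an added example that is not part of the original article or Atlassian's tooling. It assumes you have obtained the expected SHA-256 fingerprint out of band; the function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import re

# One PEM certificate block anywhere inside saved `openssl s_client` output.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.+?)\s+-----END CERTIFICATE-----", re.S)

def extract_pem_bodies(s_client_output):
    """Base64 body of every certificate block, surrounding text dropped."""
    return ["".join(b.split()) for b in PEM_RE.findall(s_client_output)]

def to_pem(b64_body):
    """Re-wrap a base64 body as a clean PEM file for keytool -import."""
    rows = [b64_body[i:i + 64] for i in range(0, len(b64_body), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *rows,
                      "-----END CERTIFICATE-----", ""])

def sha256_fingerprint(b64_body):
    """SHA-256 of the DER bytes, colon-separated upper-case hex."""
    der = base64.b64decode(b64_body, validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def prepare_for_import(s_client_output, expected_fingerprint):
    """Return clean PEM text only when the first (server) certificate matches
    a fingerprint obtained out of band (assumption); raise ValueError otherwise."""
    bodies = extract_pem_bodies(s_client_output)
    if not bodies:
        # The handshake never completed, so the saved file holds no certificate.
        raise ValueError("no certificate block in s_client output")
    actual = sha256_fingerprint(bodies[0])
    if actual != expected_fingerprint.strip().upper():
        raise ValueError("fingerprint mismatch, got " + actual)
    return to_pem(bodies[0])

# Constructed sample shaped like saved s_client output. The base64 body is
# placeholder bytes, not a real certificate.
SAMPLE_DER = b"constructed placeholder DER bytes " * 3
SAMPLE_BODY = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_OUTPUT = ("CONNECTED(00000003)\r\n---\r\nServer certificate\r\n"
                 "-----BEGIN CERTIFICATE-----\r\n"
                 + SAMPLE_BODY[:64] + "\r\n" + SAMPLE_BODY[64:] + "\r\n"
                 "-----END CERTIFICATE-----\r\nsubject=CN = example\r\n---\r\n")

if __name__ == "__main__":
    print(sha256_fingerprint(extract_pem_bodies(SAMPLE_OUTPUT)[0]))
```

A mismatch here means the certificate Jira's host received is not the one you expected, which is the local-proxy case described under Cause #1.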
Cause #2
Jira establishes a connection/session to Marketplace during application startup. In this scenario, Jira is initially able to access the Marketplace successfully, but the connection eventually fails. As reported by some customers, there are firewall appliances that set a default lifetime for TCP sessions. Some of these default to 15 minutes, which could compromise the connection to the Marketplace.
Solution #2
Increase the TTL for outgoing internet traffic from the Jira machine, and verify whether the issue persists. Alternatively, allow the Jira host to bypass the outgoing connection proxy/firewall and verify.
Cause #3
Jira is configured with an outbound proxy server and the outbound proxy server is blocking outgoing requests sent from Jira to the Atlassian Marketplace.
To verify if this root cause applies:
Look in the Jira application logs for an error similar to the one below. If the error shows that Jira can't reach the Marketplace because it is failing to reach an IP address or hostname that is not the Marketplace, this is an indicator that this root cause is relevant:
2022-07-22 10:14:31,899-0400 pool-26-thread-2 WARN someuser 613x2051x1 k5zsja XXX.XX.XXX.X /rest/plugins/1.0/pac-status [c.a.upm.pac.MpacApplicationCacheManager] Error when querying application info from MPAC: com.atlassian.marketplace.client.MpacException: org.apache.http.conn.ConnectTimeoutException: Connect to <SOME_IP_ADDRESS>/<SOME_HOSTNAME>:8080 [<SOME_IP_ADDRESS>/<SOME_HOSTNAME>] failed: connect timed out
Check the JVM startup parameters used by the Jira application to see if Jira is configured with an outbound proxy. If you see parameters like those in the example below, this is evidence that Jira is configured with an outbound proxy:
-Dhttp.proxyPort=8080 -Dhttp.proxyHost=<SOME_IP_ADDRESS> OR <SOME_HOSTNAME> -Dhttps.proxyHost=<SOME_IP_ADDRESS> OR <SOME_HOSTNAME> -Dhttps.proxyPort=8080
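The log check described for Cause #1 and Cause #3, as an added example that is not part of the original article. The cause labels, function names and sample lines are constructed here; the sample lines are modelled on the two excerpts above with made-up addresses.

```python
import re

MPAC_RE = re.compile(r"Error when querying application info from MPAC: (.*)$")
# HttpClient names the peer it dialled: "Connect to [ip/]host:port".
CONNECT_RE = re.compile(r"Connect to (?:[^/\s:]+/)?([^/\s:]+):(\d+)")

def classify(line):
    """Map one atlassian-jira.log line to (cause, peer); None if unrelated."""
    m = MPAC_RE.search(line)
    if not m:
        return None
    detail = m.group(1)
    if "SSLPeerUnverifiedException" in detail:
        return ("cause1-trust", None)        # trust chain not established
    c = CONNECT_RE.search(detail)
    if c and "ConnectTimeoutException" in detail:
        host = c.group(1).lower()
        peer = host + ":" + c.group(2)
        if host.endswith(".atlassian.com"):
            return ("direct-timeout", peer)  # not a pattern the article covers
        return ("cause3-proxy", peer)        # timed out on a non-Marketplace peer
    return ("unclassified", None)

def triage(lines):
    """Distinct peers seen per cause across a log excerpt."""
    found = {}
    for line in lines:
        result = classify(line)
        if result:
            peers = found.setdefault(result[0], [])
            if result[1] and result[1] not in peers:
                peers.append(result[1])
    return found

# Constructed sample lines; addresses and the proxy name are made up.
MPAC_PREFIX = ("Error when querying application info from MPAC: "
               "com.atlassian.marketplace.client.MpacException: ")
SAMPLE_LOG = [
    "2013-10-29 14:30:17,194 WARN com.atlassian.upm.pac.PacClientImpl " + MPAC_PREFIX
    + "javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated",
    "2022-07-22 10:14:31,899-0400 WARN [c.a.upm.pac.MpacApplicationCacheManager] "
    + MPAC_PREFIX + "org.apache.http.conn.ConnectTimeoutException: Connect to "
    "192.0.2.50/proxy.example.internal:8080 "
    "[192.0.2.50/proxy.example.internal] failed: connect timed out",
    "2022-07-22 10:14:32,001-0400 http-nio-8080-exec-3 INFO someuser login ok",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```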
Solution #3
Bypass any Atlassian URL in the outbound proxy configuration:
- Add the JVM startup parameter below to Jira in order to bypass the proxy for any atlassian.com URL:
-Dhttp.nonProxyHosts=*.atlassian.com
- Restart each Jira node for this change to take effect.
If -Dhttp.nonProxyHosts is already used with a different hostname, you can simply add *.atlassian.com to it, using the pipe character as shown in the example below:
-Dhttp.nonProxyHosts=somehostname.com|*.atlassian.com
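A check of whether a given set of JVM startup parameters still sends the Marketplace hosts through the outbound proxy, as an added example that is not part of the original article. It follows Java's documented http.nonProxyHosts rule (pipe-separated patterns, with `*` allowed at the start or end); the function names and the proxy hostname are constructed for illustration.

```python
import re

# Hosts that Solution #1 of this article connects to.
MARKETPLACE_HOSTS = ("marketplace.atlassian.com",
                     "marketplace-cdn.atlassian.com",
                     "api.media.atlassian.com")

def parse_system_properties(jvm_args):
    """Collect -Dkey=value options from a JVM argument string."""
    pairs = re.findall(r"-D([\w.]+)=(\S+)", jvm_args)
    return {key: value.strip("\"'") for key, value in pairs}

def bypasses_proxy(host, non_proxy_hosts):
    """Apply the http.nonProxyHosts rule: '|'-separated patterns, each
    optionally starting or ending with '*', compared case-insensitively."""
    host = host.lower()
    for pattern in filter(None, non_proxy_hosts.lower().split("|")):
        if pattern.startswith("*") and host.endswith(pattern[1:]):
            return True
        if pattern.endswith("*") and host.startswith(pattern[:-1]):
            return True
        if host == pattern:
            return True
    return False

def hosts_still_proxied(jvm_args):
    """Marketplace hosts that would still be routed through the proxy."""
    props = parse_system_properties(jvm_args)
    if "http.proxyHost" not in props and "https.proxyHost" not in props:
        return []
    # Java's HTTPS handler reads the same http.nonProxyHosts property.
    rule = props.get("http.nonProxyHosts", "")
    return [h for h in MARKETPLACE_HOSTS if not bypasses_proxy(h, rule)]

# Constructed sample arguments; proxy.example.internal is a made-up name.
BEFORE = ("-Dhttp.proxyPort=8080 -Dhttp.proxyHost=proxy.example.internal "
          "-Dhttps.proxyHost=proxy.example.internal -Dhttps.proxyPort=8080")
AFTER = BEFORE + " -Dhttp.nonProxyHosts=somehostname.com|*.atlassian.com"

if __name__ == "__main__":
    print("before:", hosts_still_proxied(BEFORE))
    print("after: ", hosts_still_proxied(AFTER))
```

Listing only marketplace.atlassian.com in the bypass rule leaves the CDN and media hosts on the proxy, which is why the wildcard form is used above.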
For more information, see the Atlassian Answers question and "Problems connecting to the Atlassian Marketplace".