Manage apps page throws Marketplace server not reachable error in Jira
When going to manage/add new add-ons page, this error is displayed:
The Atlassian Marketplace server is not reachable. To avoid problems when loading this page, you can disable the connection to the Marketplace server
atlassian-jira.log contain the following errors:
2013-10-29 14:30:17,194 WARN [http-bio-7990-exec-5] user 870x497x1 1lzkc13 XXX.XXX.XXX.XXX,127.0.0.1 "GET /plugins/servlet/upm/marketplace HTTP/1.0" com.atlassian.upm.pac.PacClientImpl Error when querying application info from MPAC: com.atlassian.marketplace.client.MpacException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
When Java establishes an outbound connection, it needs to establish trust when it reads the server certificate of the Marketplace. In order to do this, it checks the Java trust store for a certificate chain that indicates the certificate served by the Atlassian Marketplace can be trusted. This trust store is located at
JAVA_HOME/jre/lib/security/cacerts by default, but a customized location can be defined by the startup parameter
If Jira is unable to establish trust when accessing the marketplace, the connection will be refused and your admins will not be able to use the Marketplace within JIRA.
This occurs because the default Java trust store has been modified, and therefore is missing a valid trust chain, or, the certificate presented by Marketplace has been tampered with by a local proxy, and therefore is not trusted.
If using Windows we recommend using the tool specified in Connecting to SSL services to do this as it is easier.
Download the Atlassian Marketplace certificates with the commands below:
openssl s_client -connect marketplace.atlassian.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > marketplace.atlassian.com.crt openssl s_client -connect plugins.atlassian.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > plugins.atlassian.com.crt openssl s_client -connect marketplace-cdn.atlassian.com:443 -servername marketplace-cdn.atlassian.com < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > marketplace-cdn.atlassian.com.crt
openssl s_client -connect marketplace.atlassian.com:443 < NUL > marketplace.atlassian.com.cert openssl s_client -connect plugins.atlassian.com:443 < NUL > plugins.atlassian.com.cert openssl s_client -connect marketplace-cdn.atlassian.com:443 -servername marketplace-cdn.atlassian.com < NUL > marketplace-cdn.atlassian.com.cert
After saving the certificates in Windows, edit them and delete everything before the "BEGIN CERTIFICATE" line and everything after the "END CERTIFICATE" line. This step is not required for Linux.
Import the certificates into the Java trust store:
keytool -import -alias marketplace.atlassian.com:443 -keystore /path/to/keystore -file /path/to/marketplace.atlassian.com.cert keytool -import -alias plugins.atlassian.com:443 -keystore /path/to/keystore -file /path/to/plugins.atlassian.com.cert keytool -import -alias marketplace-cdn.atlassian.com:443 -keystore /path/to/keystore -file /path/to/marketplace-cdn.atlassian.com.cert
The trust store is located in the following directories:
- Mac OS (not supported):
- If customised: Check the value of the startup parameter
If keytool prompts for a password, the default is
- Restart the Jira application. Certificates are loaded into the JVM on startup and such changes need a restart to take effect.