SSL サービスに接続する

プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Fisheye および Crucible は除く

このページの内容はサポート対象外のプラットフォームに関連しています。したがって、アトラシアン サポートではこのページの記載内容のサポートの提供は保証されません。この資料は情報提供のみを目的として提供されています。内容はお客様自身の責任でご利用ください。

問題

本ページでは、Jira、Confluence等のウェブアプリケーションを SSL ラッピングされた多種プロトコル経由の SSL 上で外部サーバーに接続して取得する手順について説明します。 SSL サービスは以下の作業を実行する場合に必要です。

  • Refer to an https://... URL in a Confluence macro
  • Use an IMAPS server to retrieve mail in Jira
  • Use SMTP over SSL (SMTPS) to send mail in Jira
  • Connect to an LDAP directory over SSL
  • Set up Application Links over SSL

This does not cover running your application over SSL. Please see your product's documentation to run it over SSL:

診断

Attempting to access URLs that are encrypted with SSL (for example HTTPS, LDAPS, IMAPS) throws an exception and your application refuses to connect to it. For example:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:441)
 at javax.mail.Service.connect(Service.java:233)
 at javax.mail.Service.connect(Service.java:134)

これは自己署名で暗号化されたページにアクセスする際に Chrome で発生する以下のエラーと同じですが、Java は「とにかく続行」することができないため、証明書を拒否します。

原因

Whenever your application attempts to connect to another application over SSL (e.g.: HTTPS, IMAPS, LDAPS), it will only be able to connect to that application if it can trust it. The way trust is handled in the Java world (this is what your application is written in) is that you have a "truststore" file (typically $JAVA_HOME/lib/security/cacerts). This trust store file contains trusted certificates and Java uses this to determine if the SSL certificate used by another application can be trusted.  Java will only trust certificates that are signed by a Certificate Authority (CA) whose certificate is in the trust store, or public certificates that are added to the trust store. For example, if we look at the certificate for Atlassian:

We can see the *.atlassian.com certificate has been signed by the intermediate certificates, DigiCert High Assurance EV Root CA and DigiCert High Assurance CA-3. These intermediate certificates have been signed by the root Entrust.net Secure Server CA. Those three certificates combined are referred to as the certificate chain. Because the three CA certificates are within the Java trust store file (cacerts), Java will trust any certificates signed by them (in this case, *.atlassian.com). Alternatively, if the *.atlassian.com certificate was in the trust store, Java would also trust that site.

This problem comes from a certificate that is either self-signed (a CA did not sign it) or the certificate chain does not exist within the Java trust store. Subsequently, your application doesn't trust the certificate and fails to connect to the application.

ソリューション

In order to resolve this, the public certificate needs to be imported in the Java trust store that your application uses. In the example above, this is *.atlassian.com and we cover how to install it below.

JVM にパブリック SSL 証明書をインポートする方法



最終更新日 2022 年 9 月 2 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.