The hostname used to access your Jira server (e.g. jira.acme.com in https://jira.acme.com/) must either match one of the CN fields of the subject name or, when it doesn't, one of the Subject Alternative Names of the cert.
This is detailed in RFC 2818:

In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.
In your case, Java is complaining because neither the CN ("Unknown") nor a Subject Alternative Name (since you have none) matched the hostname of your Jira server.

So, either generate a certificate with the appropriate CN, for example using keytool:
To create a keypair and self-signed certificate
$ keytool -genkey -alias jira_acme_com -keyalg RSA -keysize 2048 -validity 365 -keystore jira_acme_com.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: jira.acme.com
What is the name of your organizational unit?
[Unknown]: Our project
What is the name of your organization?
[Unknown]: Our company
What is the name of your City or Locality?
[Unknown]: Our town
What is the name of your State or Province?
[Unknown]: NJ
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=jira.acme.com, OU=Our project, O=Our company, L=Our town, ST=NJ, C=US correct?
[no]: y
Enter key password for
(RETURN if same as keystore password):
To view the personal information
$ keytool -list -v -keystore jira_acme_com.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: jira_acme_com
Creation date: Sep 4, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=jira.acme.com, OU=Our project, O=Our company, L=Our town, ST=NJ, C=US
Issuer: CN=jira.acme.com, OU=Our project, O=Our company, L=Our town, ST=NJ, C=US
Serial number: 4c81e9a9
Valid from: Sat Sep 04 10:39:37 CEST 2010 until: Sun Sep 04 10:39:37 CEST 2011
Certificate fingerprints:
MD5: 15:6A:E3:14:E2:78:F4:95:41:E6:33:C9:F8:8B:64:23
SHA1: CD:A6:9A:84:18:E8:62:50:2C:DC:2F:89:22:F6:BA:E9:1A:63:F6:C6
Signature algorithm name: SHA1withRSA
Version: 3
And set up Tomcat to use the keystore.

Or, if you want to create a multihomed certificate, you'll have to use OpenSSL (keytool cannot add X509 extensions such as Subject Alternative Name). These links are excellent resources:
Update: Given that you can't change the certificate (you really should have mentioned that), a temporary solution could be to change the local /etc/hosts file of the required machines to resolve Unknown to the real IP of the machine.
123.123.123.123 Unknown
So that you could access https://Unknown/ from these machines. But obviously, this is more a dirty hack than a real solution and doesn't scale.
Contacting the admins to get a real "good" certificate is still the real good solution.
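To make the matching rule the answer describes concrete, here is an added example (not part of the original answer, and not Java's own implementation) that reproduces the RFC 2818 decision in plain Python: an IP literal must be matched by an iPAddress SAN, a dNSName SAN takes precedence over the CN whenever any dNSName is present, and the CN is only consulted when there are no dNSName entries. The `CertIdentity` container and `host_matches_certificate` function are hypothetical names chosen for this example; the identities fed in (CN=Unknown with no SAN, CN=jira.acme.com, and the /etc/hosts "Unknown" workaround) are constructed to mirror the situations in the answer. Wildcards are handled in the stricter left-most-label form rather than RFC 2818's looser "f*.com" form.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class CertIdentity:
    """Identity fields extracted from an X.509 certificate (hypothetical container).

    common_names:  CN attributes of the subject DN
    dns_names:     dNSName entries of the subjectAltName extension
    ip_addresses:  iPAddress entries of the subjectAltName extension
    """
    common_names: List[str]
    dns_names: List[str] = field(default_factory=list)
    ip_addresses: List[str] = field(default_factory=list)


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-name comparison; '*' allowed only as the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject "f*.com"-style patterns and overly broad ones such as "*.com".
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # A wildcard covers exactly one label: *.acme.com matches jira.acme.com, not a.jira.acme.com.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def host_matches_certificate(host: str, ident: CertIdentity) -> Tuple[bool, str]:
    """Return (matched, reason) following the RFC 2818 section 3.1 identity rules."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None

    if ip is not None:
        # URI carries an IP literal: only an iPAddress SAN may match, and it must match exactly.
        for entry in ident.ip_addresses:
            try:
                if ipaddress.ip_address(entry) == ip:
                    return True, f"iPAddress subjectAltName {entry} matches"
            except ValueError:
                continue  # ignore malformed SAN entries
        return False, "no iPAddress subjectAltName matches the IP in the URI"

    if ident.dns_names:
        # dNSName SAN present: it is the identity; the CN is not consulted at all.
        for name in ident.dns_names:
            if _dns_match(name, host):
                return True, f"dNSName subjectAltName {name} matches"
        return False, "subjectAltName present but no dNSName matches (CN ignored)"

    # No dNSName SAN: fall back to the Common Name(s) of the subject.
    for cn in ident.common_names:
        if _dns_match(cn, host):
            return True, f"CN {cn} matches"
    return False, f"no subjectAltName and CN {ident.common_names} does not match {host}"


# Constructed identities mirroring the answer's scenarios (not real certificates).
BROKEN_CERT = CertIdentity(common_names=["Unknown"])             # what the asker has
FIXED_CERT = CertIdentity(common_names=["jira.acme.com"])        # after the keytool step
SAN_CERT = CertIdentity(common_names=["ignored"],                 # OpenSSL multihomed cert
                        dns_names=["jira.acme.com", "*.int.acme.com"],
                        ip_addresses=["123.123.123.123"])


if __name__ == "__main__":
    for host, cert in [("jira.acme.com", BROKEN_CERT),
                       ("jira.acme.com", FIXED_CERT),
                       ("Unknown", BROKEN_CERT),        # why the /etc/hosts hack "works"
                       ("123.123.123.123", FIXED_CERT),  # IP literal needs an iPAddress SAN
                       ("123.123.123.123", SAN_CERT),
                       ("wiki.int.acme.com", SAN_CERT)]:
        ok, why = host_matches_certificate(host, cert)
        print(f"{host:20} -> {'OK ' if ok else 'FAIL'} ({why})")
```

The fourth case is the one most often missed in practice: putting the CN right does nothing for clients that connect by IP address, because for an IP literal only an iPAddress SAN is ever considered.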