Assets - Azure import integration connection test fails with SSLHandshakeException

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

When configuring Azure import and testing the connection, the connection test can fail with "SSLHandshakeException". The user is not able to finish the configuration and save the import.

Environment

  • JSM 5.x, 10.x

  • Assets standalone application

Diagnosis

The following error is logged to atlassian-jira.log:

2024-03-04 10:48:36,142+0100 pool-105-thread-1 ERROR admin 648x1398359x1 p2sddi 10.210.110.18,10.208.5.56 /rest/insight/1.0/import/module/test/insight-azure-import [c.m.aad.adal4j.AuthenticationContext] [Correlation ID: a4c1d8ec-4d04-40e1-a688-fb6a91e64fca] Execution of class com.microsoft.aad.adal4j.AcquireTokenCallable failed.
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
    at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
    at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
    at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source)

Cause

When Jira makes an outgoing connection to a remote SSL service, it must establish trust with that service. To do so, Jira checks the Java certificate trust store (typically $JAVA_HOME/lib/security/cacerts) for the CA chain of the remote SSL connection. If the CA chain is not in the trust store, the error above is logged, meaning Jira is not able to establish trust with the remote service.

More information is available here: Connecting to SSL services

Solution

The solution is to import the relevant CA certificate chains into the Java trust store:

  1. Fetch and export certificate chains from the following domains:

    1. graph.microsoft.com

    2. login.microsoftonline.com

    3. login.live.com

    4. management.azure.com

  2. Follow "How to import a public SSL certificate into a JVM" to import those certificate chains into Java's trust store.

  3. After restarting Jira, configure the Azure integration again.
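
The fetch, review and import steps above as one script. This is an added example, not Atlassian's own tooling. It assumes openssl and keytool are on PATH and that the trust store still uses the JDK default password "changeit"; the `--run` switch, the output directory and the `azure-...` alias names are made up for this example.

```bash
#!/usr/bin/env bash
# Added example: fetch, review and import the TLS chains of the Azure endpoints.
# Assumptions: trust store at $JAVA_HOME/lib/security/cacerts, default password
# "changeit" (override with STOREPASS), hypothetical aliases "azure-<host>-<n>".

HOSTS="graph.microsoft.com login.microsoftonline.com login.live.com management.azure.com"

# Split the PEM certificates read on stdin into <prefix>-N.pem; print how many were written.
split_chain() {
  awk -v prefix="$1" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = prefix "-" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    END { print n + 0 }'
}

# Fetch the chain a host presents (with SNI) and split it into files under directory $2.
fetch_chain() {
  openssl s_client -showcerts -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
    | split_chain "$2/$1"
}

# Print what is about to be trusted, so an unexpected issuer is seen before import.
review_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# Import one certificate. -noprompt is deliberately not passed: keytool shows the
# certificate and asks for confirmation.
import_cert() {
  keytool -importcert -alias "$1" -file "$2" \
    -keystore "${JAVA_HOME}/lib/security/cacerts" -storepass "${STOREPASS:-changeit}"
}

# Does nothing unless invoked as: ./script.sh --run [output-dir]
if [ "${1:-}" = "--run" ]; then
  dir="${2:-./azure-chains}"; mkdir -p "$dir"
  for h in $HOSTS; do
    echo "== $h: $(fetch_chain "$h" "$dir") certificate(s) presented"
    for f in "$dir/$h"-*.pem; do
      [ -e "$f" ] || continue
      review_cert "$f"
      import_cert "azure-$(basename "$f" .pem)" "$f"
    done
  done
fi
```

If the issuer shown for these hosts is your organisation's TLS-inspecting proxy rather than a public CA, importing the chain makes Jira trust that proxy, so confirm the fingerprints with whoever operates it before answering keytool's prompt.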

Updated on March 13, 2025
