Failing to download or update any plugins from UPM due to missing certificates

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

When UPM uses the host application's proxy settings to connect to the Marketplace, the Atlassian application uses HTTPS, but UPM needs to connect to http://api.media.atlassian.com:443 (the plugin file server, api.media.atlassian.com:443).

However, because of missing certificates, the SSL connection to api.media.atlassian.com over port 443 is closed. The proxy is able to reach api.media.atlassian.com:443 but is not able to establish the secure connection.

As a result, the user gets the error message "Problem accessing the file Atlassian Troubleshooting and Support Tools." but no more specific or explicit error is shown in either the UI or the logs.

Environment

Jira 8.x

Diagnosis

The below error has been seen during the plugin download/update attempts:

2023-03-02 11:54:30,933+0100 UpmAsynchronousTaskManager:thread-1 ERROR admin 845x41535x4 s33k3z 1.1.11.131,11.1.111.11 /rest/plugins/1.0/available/featured [c.a.u.c.r.resources.install.InstallFromUriTask] Error downloading plugin from https://marketplace.atlassian.com/download/apps/1217696/version/14400001
2023-03-02 11:54:57,485+0100 http-nio-8080-exec-13 WARN admin 714x175763x2 dgpkke 1.1.11.131,11.1.111.11 /rest/plugins/1.0/installed-marketplace [c.a.upm.pac.PacClientImpl] The request to check for app updates may take longer than expected because 200 apps are installed that could have updates. This may impact the performance of loading the Manage Apps page.

The HTTP-HTTPS mismatch can be caught from the diagnostics controls:

2022-12-13 14:31:09,275+0100 UpmAsynchronousTaskManager:thread-3 ERROR admin 871x1074x2 1uytbha 1.1.11.131,11.1.111.11 /rest/plugins/1.0/ [c.a.u.c.r.resources.install.InstallFromUriTask] Error downloading plugin from https://marketplace.atlassian.com/download/apps/1217696/version/14301001

Cause

The connection between the proxy and the plugin file server (api.media.atlassian.com:443) is being shut down. If previous SSL certificates were imported with problematic arguments, the SSL connection to api.media.atlassian.com over port 443 may be closed because of missing or faulty certificates.

It is understood that the following trusted certificate is missing:

javax.net.ssl|DEBUG|01|main|2023-03-22 13:03:30.876 CET|null:-1|Found trusted certificate (
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "",
    "signature algorithm": "SHA1withRSA",
    "issuer"             : "CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US",
    "not before"         : "2006-11-10 01:00:00.000 CET",
    "not  after"         : "2031-11-10 01:00:00.000 CET",
    "subject"            : "CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US",
    "subject public key" : "RSA",

Solution

Before proceeding, it can help to ensure that Atlassian hostnames are on the allow list:

Please see Configuring the allowlist

Warning

This is only applicable to a Jira environment that has an outbound or forward proxy configured. For more details, refer to Configure an outbound proxy for use in Jira server.

  • Review all the certificates in the cacerts keystore.

keytool -list -keystore cacerts

For Windows

keytool -list -v -keystore <JAVA_HOME>\jre\lib\security\cacerts -alias <api_media_alias>

For Linux

keytool -list -v -keystore <jira-install>/lib/security/cacerts -alias <api_media_alias>
  • Run the httpclienttest tool as described in the readme of the repository and upload the result:

  • Run the tool with the following command. If you do not use the default path, check your custom trust store path in the "-Djavax.net.ssl.trustStore" parameter.

For Windows

java -Dhttp.proxyHost="Host of Proxy" -Dhttp.proxyPort=8080 -Dhttps.proxyHost="Host of Proxy" -Dhttps.proxyPort=8080 -Dhttp.nonProxyHosts="localhost|Host of Proxy" -Djavax.net.ssl.trustStore="D:\Program Files\Atlassian\Jira\jre\lib\security\cacerts" -jar httpclienttest-1.0.2.jar https://api.media.atlassian.com:443

For Linux

java -Dhttp.proxyHost="Host of Proxy" -Dhttp.proxyPort=8080 -Dhttps.proxyHost="Host of Proxy" -Dhttps.proxyPort=8080 -Dhttp.nonProxyHosts="localhost|Host of Proxy" -Djavax.net.ssl.trustStore="<jira-install>/lib/security/cacerts" -jar httpclienttest-1.0.2.jar https://api.media.atlassian.com:443
  • Test the trust between the server and the outbound proxy

java -jar httpclienttest-1.0.2.jar http://YOUR_PROXY_URL:8080
java -jar httpclienttest-1.0.2.jar https://YOUR_PROXY_URL:443
  • Get the certificate of the proxy as well

openssl s_client -showcerts -connect YOUR_PROXY_URL:8080
openssl s_client -showcerts -connect YOUR_PROXY_URL:443
  • Compare the results and check if the “digicertglobalrootca” trusted certificate is missing

  • Import it to the non-working instance with the below or equivalent command

keytool -import -alias digicertglobalrootca -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_root>
  • Test the marketplace again
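
For the comparison step above, the following is an added example (not part of the original article or of Atlassian's tooling) that diffs the trusted-certificate aliases in two saved `keytool -list -keystore cacerts` listings. The function names, file names and sample listings are assumptions constructed for illustration.

```shell
# Added example. Inputs: saved output of `keytool -list -keystore cacerts`
# (non-verbose form) from a working instance and from the failing one.

# Print each trusted-certificate alias, lower-cased and sorted, one per line.
# Entry lines look like "alias, <date>, trustedCertEntry,"; newer JDKs append
# " [jdk]" to aliases from the bundled cacerts, so that marker is removed.
list_aliases() {
    awk -F',' '/trustedCertEntry/ {
        a = tolower($1)
        sub(/[ \t]*\[jdk\][ \t]*$/, "", a)
        gsub(/^[ \t]+|[ \t]+$/, "", a)
        if (a != "") print a
    }' "$1" | sort -u
}

# Print aliases trusted in listing $1 (working) but absent from $2 (failing).
missing_aliases() (
    w=$(mktemp) && f=$(mktemp) || exit 1
    list_aliases "$1" > "$w"
    list_aliases "$2" > "$f"
    comm -23 "$w" "$f"
    rm -f "$w" "$f"
)

# Succeed only if listing $1 contains alias $2 (case-insensitive, exact match).
has_alias() {
    list_aliases "$1" | grep -qxF "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
}

# Constructed sample listings (fingerprints are placeholders, not real values).
write_samples() {
    cat > "$1/working.txt" <<'EOF'
Your keystore contains 3 entries
digicertglobalrootca [jdk], Aug 25, 2016, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
corp-proxy-ca, Mar 2, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
jira-https, Mar 2, 2023, PrivateKeyEntry,
EOF
    cat > "$1/failing.txt" <<'EOF'
Your keystore contains 1 entry
Corp-Proxy-CA, Jan 9, 2022, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
EOF
}

demo=$(mktemp -d) && write_samples "$demo"
missing_aliases "$demo/working.txt" "$demo/failing.txt"   # prints: digicertglobalrootca
rm -rf "$demo"
```

Only `trustedCertEntry` lines are compared, so private-key entries such as the instance's own HTTPS key never show up as "missing" roots.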

Updated on March 13, 2025
