Jira fails to start with SSL - Cannot recover key
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Jira fails to start when the keystore password has been changed or doesn't match to the keystore password.
Diagnosis
The following is reported in catalina.out when Jira starts up:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
10-May-2023 09:37:13.341 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1114)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:571)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:874)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:646)
at org.apache.catalina.startup.Catalina.load(Catalina.java:669)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
Caused by: java.lang.IllegalArgumentException: Cannot recover keyCause
The certificate key has a password that is different than keystore password. Normally the certificate key password isn't set and it defaults to the keystore password.
Solution
1. Update both the keystore password and certificate key password to the same value.
1
2
3
4
5
6
7
8
9
10
$ keytool -keypasswd -keystore jira.jks -alias jira
Enter keystore password: (enter OLDPASSWD)
New key password for <jira>: (enter NEWPASSWD)
Re-enter new key password for <jira>: (enter NEWPASSWD)
$ keytool -storepasswd -keystore jira.jks
Enter keystore password: (enter OLDPASSWD)
New keystore password: (enter NEWPASSWD)
Re-enter new keystore password: (enter NEWPASSWD)2. Update the <jira-install-directory>/conf/server.xml with the new keystore password:
1
2
3
4
5
6
7
8
9
<Connector relaxedPathChars="[]|"
relaxedQueryChars="[]|{}^\`"<>" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
sslEnabledProtocols="TLSv1.2,TLSv1.3"
clientAuth="false" useBodyEncodingForURI="true"
keyAlias="jira" keystoreFile="<Jira_HOME>/jira.jks" keystorePass="NEWPASSWORD" keystoreType="JKS"/>3. Jira should now startup.
Was this helpful?