Migrating Jira projects to Cloud with JCMA fails with SSLPeerUnverifiedException

Platform Notice: Cloud and Data Center - This article applies equally to both cloud and data center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Sometimes the JCMA migration may get stuck with 0% completion during the App migration phase.

This doesn't affect every migration and is triggered by a still unknown problem with the Apache HTTP Client.

Environment

  • Jira Data Center (JSW or JSM) – no specific version.

  • Jira Cloud Migration Assistant (JCMA) – no specific version.

Diagnosis

  • JCMA project migration is stuck on the App (plugin) migration phase.

  • On the application logs (atlassian-jira.log) there's an entry similar to the one below.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 2024-06-18 11:26:30,983-0400 pool-107-thread-1 ERROR [c.a.m.a.upload.consumers.MultipartUploadConsumer] upload for transferId=(...redacted...), s3key=(...redacted...) failed com.atlassian.jira.migration.httpclient.exceptions.HttpCommunicationException: An error occurred when requesting against resource https://(...redacted...).s3.amazonaws.com/(...redacted...): Certificate for <(...redacted...).s3.amazonaws.com> doesn't match any of the subject alternative names: [*.s3.amazonaws.com, s3.amazonaws.com] at com.atlassian.jira.migration.httpclient.exceptions.ExceptionsKt.communicationError(Exceptions.kt:13) at com.atlassian.jira.migration.httpclient.AbstractPluginHttpClient.getResponse(AbstractPluginHttpClient.kt:166) at com.atlassian.jira.migration.amsclient.DefaultAppMigrationServiceClient.getS3UploadHeaders(DefaultAppMigrationServiceClient.kt:564) at com.atlassian.jira.migration.amsclient.DefaultAppMigrationServiceClient.uploadToS3(DefaultAppMigrationServiceClient.kt:384) at com.atlassian.migration.app.upload.consumers.MultipartUploadConsumer.perform(MultipartUploadConsumer.kt:33) at com.atlassian.migration.app.upload.consumers.MultipartUploadConsumer.run(MultipartUploadConsumer.kt:69) at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) at java.base/java.util.concurrent.FutureTask.run(Unknown Source) at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.base/java.lang.Thread.run(Unknown Source) Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <(...redacted...).s3.amazonaws.com> doesn't match any of the subject alternative names: [*.s3.amazonaws.com, s3.amazonaws.com] at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384) at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376) at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393) at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186) at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) at org.apache.http.impl.execchain.ServiceUnavailableRetryExec.execute(ServiceUnavailableRetryExec.java:85) at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) at com.atlassian.jira.migration.httpclient.AbstractPluginHttpClient.getResponse(AbstractPluginHttpClient.kt:162) ... 9 more

  • Looking at the <jira-install-dir>/atlassian-jira/WEB-INF/lib directory, the Apache HTTP Client is on a version higher than 4.5.10.

1 2 <jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-cache-4.5.14.jar <jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-4.5.14.jar

Cause

Apache HTTP Client on versions higher than 4.5.10 started to throw SSLPeerUnverifiedException errors on specific cases when trying to establish a connection to AWS S3 buckets, which are used by JCMA to temporarily upload Cloud migration data.

The edge case to trigger the error is still unknown.

Solution

Workaround

As a workaround to complete the Cloud migration, Jira administrators are advised to temporarily use version 4.5.10 of the library.

On a clustered Data Center instance one should apply the steps on each node of the cluster.

Once the Cloud migration is complete, you are recommended to rollback the changes.

  • Take a backup of the following files.

1 2 3 <jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-cache-<library-version>.jar <jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-<library-version>.jar <jira-install-dir>/atlassian-jira/WEB-INF/atlassian-bundled-plugins/httpclient-osgi-<library-version>.jar

  • Reach out to Atlassian Support to get the following .jar files so you can upload them to a temporary location within the Jira server.

1 2 3 httpclient-4.5.10.jar httpclient-cache-4.5.10.jar httpclient-osgi-4.5.10.jar

  • The files were extracted from Jira Software 8.13.0, which had the Apache HTTP Client on version 4.5.10.

  • Stop Jira following your standard procedure.

  • Delete the files from their original location.

1 2 3 <jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-cache-<library-version>.jar <jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-<library-version>.jar <jira-install-dir>/atlassian-jira/WEB-INF/atlassian-bundled-plugins/httpclient-osgi-<library-version>.jar

  • Move the 4.5.10 files to the following locations.

1 2 3 <jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-cache-4.5.10.jar <jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-4.5.10.jar <jira-install-dir>/atlassian-jira/WEB-INF/atlassian-bundled-plugins/httpclient-osgi-4.5.10.jar

Click here for instructions on clearing plugins cache...

  1. Delete the following directories.

    1. <jira-local-home>/plugins/.bundled-plugins

    2. <jira-local-home>/plugins/.osgi-plugins

  2. Delete the contents of the following directories.

    1. <jira-install-dir>/work (just the contents, NOT the directory itself)

    2. <jira-install-dir>/temp (just the contents, NOT the directory itself)

  • Start Jira following your standard procedure.

Updated on April 2, 2025
Platform
Cloud and Data Center
Products
Jira Software Cloud
Jira Software Data Center
On this pageSummaryDiagnosisCauseSolution

Still need help?

The Atlassian Community is here for you.
Ask the Community