princenyeche/jiraone

Private CA certificates / OAuth login

Closed this issue · 5 comments

I am just trying out JiraOne to see if I can use it, connecting to a Jira Datacenter air-gapped installation for a client, and they have their own CA with certificates signed by that CA, but which JiraOne considers as self-signed and refuses to go further. Thus I’m stuck at the first step. I’ve had a look at the documentation, but can see no mention of certificates.

I’ve also followed Atlassian’s instructions to create an Application Link (generating an RSA key pair and supplying the key to Jira to create the application link) to use OAuth 1.0a, but don’t see how to use it with JiraOne or if it is possible.

I’d be grateful if you could advise me at all? Many thanks :-)

Hey @69baud

OAuth 1.0a isn't supported, only OAuth 2.0 and it's for cloud platforms. If you want to connect to Jira DC and use a self-signed CA, you can use the argument verify=False on any of the HTTP requests, or you can use the path to the self-signed CA and make the request persistent.

```python
# previous login statement
LOGIN.session.verify = "/path/to/certfile"
# OR
LOGIN.session.verify = False
```

Using the false value, jiraone won't validate the SSL certificate during connection. Let me know if that helps.

Thanks. I was following an Atlassian document on OAuth for Data Center. I guess it is out of date.

I've tried both options and it still complains about the SSL Self-Signed Cert. I ran the debugger and can't see where in JiraOne it actually passes session.verify (or cert_file) anywhere to requests.post or requests.get etc

I've also tried setting environment variables such as SSL_CERT_FILE pointing to the Root CA and Intermediate CA bundle (file in pem format) but still no joy.

Any other ideas?

Thanks :-)

Here are the two options:

  • I would suggest forking this repo and adding the HTTP methods you need with the option verify=False for each HTTP request, as jiraone has the ability to accept that option as a keyword argument. Basically, jiraone's HTTP request ability is the same object as the requests library. However, this is not recommended, but if you're on a secured network and know what you're doing then you can attempt it.
    A typical request e.g.

```python
# previous login statement
LOGIN.get(endpoint.myself(), verify=False)
# OR
LOGIN.post(endpoint.jira_group(), verify=False)
```

OR

  • If you're still getting the cert error and want to verify the cert, you can find out which cert requests uses and what it is like.

```python
import requests
import os

cert = requests.certs.where()
# The above should tell you where the CA pem that requests uses is located.
# Since this is self-signed, the chain might be incomplete.
# I would suggest verifying that the chain is complete before doing the below.
your_cert_path = "direct_absolute_path/to/cert"
os.environ["REQUESTS_CA_BUNDLE"] = your_cert_path
# before calling jiraone statements
```

Let me know how it goes.

Thank you :-)

```python
your_cert_path = "direct_absolute_path/to/cert"
os.environ["REQUESTS_CA_BUNDLE"] = your_cert_path
```

Fixed it 👍
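An added example, not part of the thread and not jiraone's own code: it asks a plain `requests.Session` which `verify` value it would resolve from the settings discussed above (`session.verify`, a per-request `verify` argument, `REQUESTS_CA_BUNDLE`, `SSL_CERT_FILE`), so the trust anchor can be confirmed before any connection is made. The host name and bundle path are constructed, and it assumes the `requests` package is installed.

```python
import os
from unittest import mock

import requests

# SSL_CERT_FILE is listed only so it can be shown that requests ignores it.
CA_ENV_VARS = ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE", "SSL_CERT_FILE")
URL = "https://jira.example.internal/rest/api/2/myself"  # constructed host
CA = "/etc/pki/private-ca/chain.pem"  # constructed path, need not exist here


def effective_verify(session_verify=True, request_verify=None, env=None):
    """Return the `verify` value a requests Session resolves for one call.

    True means the default certifi bundle, a string is the CA bundle path
    that will be used, False means certificate validation is switched off.
    """
    with mock.patch.dict(os.environ):  # environment is restored on exit
        for name in CA_ENV_VARS:
            os.environ.pop(name, None)
        os.environ.update(env or {})
        session = requests.Session()
        session.verify = session_verify
        merged = session.merge_environment_settings(
            URL, proxies={}, stream=None, verify=request_verify, cert=None
        )
    return merged["verify"]


if __name__ == "__main__":
    cases = [
        ("defaults", {}),
        ("SSL_CERT_FILE only", {"env": {"SSL_CERT_FILE": CA}}),
        ("REQUESTS_CA_BUNDLE", {"env": {"REQUESTS_CA_BUNDLE": CA}}),
        ("session.verify = path", {"session_verify": CA}),
        ("verify=False per request + env bundle",
         {"request_verify": False, "env": {"REQUESTS_CA_BUNDLE": CA}}),
        ("session.verify = False + env bundle",
         {"session_verify": False, "env": {"REQUESTS_CA_BUNDLE": CA}}),
    ]
    for label, kwargs in cases:
        print(f"{label:40} -> {effective_verify(**kwargs)!r}")
```

A path in the output confirms the private CA bundle is the trust anchor, while `False` marks a call that skips certificate validation. The last case shows that an environment bundle takes precedence over `session.verify = False`, whereas a per-request `verify=False` still disables validation.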