Self-signed certificates, Java, Hudson and JIRA
Note: this page is a Chinese-English parallel translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you reuse it you must follow the same CC BY-SA license, cite the original URL and attribute it to the original authors (not me): StackOverflow
Original: http://stackoverflow.com/questions/3622788/
Asked by AFoglia
I'm trying to set up the Hudson JIRA plugin. Our JIRA server is secured with an self-signed SSL certificate. I've inserted the certificate my web browser has stored using the keytool command, and gotten Hudson to find it. But now it complains:
java.security.cert.CertificateException: No subject alternative names present
The common name of the certificate is "Unknown", and I do not see any subject alternative names in the certificate:
$ openssl x509 -in Unknown -text -noout
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1214507595 (0x4863ea4b)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=NJ, L=[Our town], O=[Our company], OU=[Our project], CN=Unknown
Validity
Not Before: Jun 26 19:13:15 2008 GMT
Not After : May 5 19:13:15 2018 GMT
Subject: C=US, ST=NJ, L=[Our town], O=[Our company], OU=[Our project], CN=Unknown
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
[omitted]
Signature Algorithm: md5WithRSAEncryption
[omitted]
(Identifying info redacted and noted in brackets.)
Is there a way to attach a subject alternate name to this certificate? Or is there some other way? Or am I forced to hack the Hudson Jira plugin?
Answer by Pascal Thivent
The hostname used to access your Jira server (e.g. jira.acme.com in https://jira.acme.com/) must either match one of the CN fields of the subject name or, when it doesn't, one of the Subject Alternative Names of the cert.
This is detailed in the RFC 2818:
In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.
In your case, Java is complaining because neither the CN ("Unknown") nor a Subject Alternative Name (since you have none) did match the hostname of your Jira server.
So, either generate a certificate with the appropriate CN, for example using keytool:
To create a keypair and self-signed certificate
$ keytool -genkey -alias jira_acme_com -keyalg RSA -keysize 2048 -validity 365 -keystore jira_acme_com.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: jira.acme.com
What is the name of your organizational unit?
[Unknown]: Our project
What is the name of your organization?
[Unknown]: Our company
What is the name of your City or Locality?
[Unknown]: Our town
What is the name of your State or Province?
[Unknown]: NJ
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=jira.acme.com, OU=Our project, O=Our company, L=Our town, ST=NJ, C=US correct?
[no]: y
Enter key password for
(RETURN if same as keystore password):
To view the personal information
$ keytool -list -v -keystore jira_acme_com.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: jira_acme_com
Creation date: Sep 4, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=jira.acme.com, OU=Our project, O=Our company, L=Our town, ST=NJ, C=US
Issuer: CN=jira.acme.com, OU=Our project, O=Our company, L=Our town, ST=NJ, C=US
Serial number: 4c81e9a9
Valid from: Sat Sep 04 10:39:37 CEST 2010 until: Sun Sep 04 10:39:37 CEST 2011
Certificate fingerprints:
MD5: 15:6A:E3:14:E2:78:F4:95:41:E6:33:C9:F8:8B:64:23
SHA1: CD:A6:9A:84:18:E8:62:50:2C:DC:2F:89:22:F6:BA:E9:1A:63:F6:C6
Signature algorithm name: SHA1withRSA
Version: 3
And set up Tomcat to use the keystore.
Or, if you want to create a multihomed certificate, you'll have to use OpenSSL (keytool cannot add X509 extensions such as Subject Alternative Name). These links are excellent resources:
Update: Given that you can't change the certificate (you really should have mentioned that), a temporary solution could be to change the local /etc/hosts file of the required machines to resolve Unknown to the real IP of the machine.
123.123.123.123 Unknown
So that you could access https://Unknown/ from these machines. But obviously, this is more a dirty hack than a real solution and doesn't scale.
Contacting the admins to get a real "good" certificate is still the real good solution.
Resources
- A few frequently used SSL commands(using openssl or keytool)
- Creating an SSL Certificate with Multiple Hostnames
- OpenSSL - Community Ubuntu Documentation
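To make the matching rule concrete, here is an added Python example (not from the question or any answer) that applies the RFC 2818 checks the answer describes to constructed stand-ins for the three certificates discussed: the original CN=Unknown certificate, the keytool-regenerated one, and a multihomed one with Subject Alternative Names. The certificate dicts and the wildcard rule (a whole leftmost label only, stricter than RFC 2818's fragment wildcards) are assumptions.

```python
import ipaddress

# Constructed stand-ins: hostname verification only looks at the subject CN
# and the subjectAltName entries, so that is all we model here.
CERT_UNKNOWN = {"cn": "Unknown", "dns_names": [], "ip_addresses": []}
CERT_FIXED = {"cn": "jira.acme.com", "dns_names": [], "ip_addresses": []}
CERT_MULTIHOMED = {
    "cn": "Unknown",
    "dns_names": ["jira.acme.com", "*.internal.acme.com"],
    "ip_addresses": ["10.0.0.5"],
}


def _dns_match(pattern, host):
    """Case-insensitive dNSName match; '*' may only stand for one whole label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Same label count, and refuse overly broad wildcards such as '*.com'.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def hostname_matches(cert, host):
    """Return which field accepted `host`, or None if the cert does not match.

    RFC 2818 section 3.1: an IP literal must appear exactly as an iPAddress
    SAN; if any dNSName SANs exist they are authoritative and the CN is
    ignored; otherwise fall back to the CN. This is why the CN=Unknown cert
    fails for jira.acme.com but "works" once /etc/hosts maps Unknown.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ipaddress.ip_address(c) == ip for c in cert["ip_addresses"]):
            return "iPAddress SAN"
        return None
    if cert["dns_names"]:
        for name in cert["dns_names"]:
            if _dns_match(name, host):
                return f"dNSName SAN {name}"
        return None
    if _dns_match(cert["cn"], host):
        return f"CN {cert['cn']}"
    return None
```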
Answer by Shawn D.
If I'm not mistaken, SSL requires that the common name of the certificate contain the hostname that you're attempting to connect to, that way the client side can validate that the certificate is not just trusted in general, but trusted for the location.
I'm assuming you're generating the certificate with OpenSSL. Is there a reason you're not setting the cn=[yourserver]?
It may be that when it cannot find the proper hostname in the common name, that the plug-in attempts to look for it in a subject alt name, and when that fails because there is no subjectAltName, you're getting a bad error message.
Anyway, if you're using this for multiple sites, you need to have the hostnames in the subjectAltName. I've found a site that documents how to create your self-signed cert properly.
http://library.linode.com/ssl-guides/subject-alt-name-ssl
Hope this helps.
Answer by Vineet Reynolds
There are several possible solutions, each with its own set of pains.
- Generate a new certificate for JIRA, this time specifying a CN when generating the secret key-pair for the certificate. I cannot see why a new certificate cannot be generated; I'm pretty sure that other clients to the JIRA server are also encountering some issues, especially warnings from browsers, for the described certificate. All clients (and client applications) must therefore be re-tested, but this is not a pain, if the self-signed certificate has been issued by a local CA that is trusted by all clients.
- Edit the DNS entries to ensure that the lookup to 'Unknown' from the Hudson server points to the server where JIRA is installed [I did remind someone that there are pains associated with some of the solutions :-) ]. This ensures that the value of the CN stored in the certificate matches the hostname - you'll need to configure Hudson to use a URL like http://Unknown/..... And oh, use this only if you're in a really tight spot; you don't want to be explaining why you did this.