Summary

Sometimes the JCMA migration may get stuck with 0% completion during the App migration phase.

From the application logs there will be an error similar to the below.

2024-06-18 11:26:30,983-0400 pool-107-thread-1 ERROR      [c.a.m.a.upload.consumers.MultipartUploadConsumer] upload for transferId=(...redacted...), s3key=(...redacted...) failed
com.atlassian.jira.migration.httpclient.exceptions.HttpCommunicationException: An error occurred when requesting against resource https://(...redacted...).s3.amazonaws.com/(...redacted...): Certificate for <(...redacted...).s3.amazonaws.com> doesn't match any of the subject alternative names: [*.s3.amazonaws.com, s3.amazonaws.com]
	at com.atlassian.jira.migration.httpclient.exceptions.ExceptionsKt.communicationError(Exceptions.kt:13)
	at com.atlassian.jira.migration.httpclient.AbstractPluginHttpClient.getResponse(AbstractPluginHttpClient.kt:166)
	at com.atlassian.jira.migration.amsclient.DefaultAppMigrationServiceClient.getS3UploadHeaders(DefaultAppMigrationServiceClient.kt:564)
	at com.atlassian.jira.migration.amsclient.DefaultAppMigrationServiceClient.uploadToS3(DefaultAppMigrationServiceClient.kt:384)
	at com.atlassian.migration.app.upload.consumers.MultipartUploadConsumer.perform(MultipartUploadConsumer.kt:33)
	at com.atlassian.migration.app.upload.consumers.MultipartUploadConsumer.run(MultipartUploadConsumer.kt:69)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <(...redacted...).s3.amazonaws.com> doesn't match any of the subject alternative names: [*.s3.amazonaws.com, s3.amazonaws.com]
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
	at org.apache.http.impl.execchain.ServiceUnavailableRetryExec.execute(ServiceUnavailableRetryExec.java:85)
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
	at com.atlassian.jira.migration.httpclient.AbstractPluginHttpClient.getResponse(AbstractPluginHttpClient.kt:162)
	... 9 more

This doesn't affect every migration and is triggered by a still unknown problem with the Apache HTTP Client .

Environment

Jira Server or Data Center (JSW or JSM) – no specific version .
Jira Cloud Migration Assistant (JCMA) – no specific version .

Diagnosis

JCMA project migration is stuck on the App (plugin) migration phase.
On the application logs ( atlassian-jira.log ) there's an entry similar to the below.

2024-06-18 11:26:30,983-0400 pool-107-thread-1 ERROR      [c.a.m.a.upload.consumers.MultipartUploadConsumer] upload for transferId=(...redacted...), s3key=(...redacted...) failed
com.atlassian.jira.migration.httpclient.exceptions.HttpCommunicationException: An error occurred when requesting against resource https://(...redacted...).s3.amazonaws.com/(...redacted...): Certificate for <(...redacted...).s3.amazonaws.com> doesn't match any of the subject alternative names: [*.s3.amazonaws.com, s3.amazonaws.com]
	at com.atlassian.jira.migration.httpclient.exceptions.ExceptionsKt.communicationError(Exceptions.kt:13)
	at com.atlassian.jira.migration.httpclient.AbstractPluginHttpClient.getResponse(AbstractPluginHttpClient.kt:166)
	at com.atlassian.jira.migration.amsclient.DefaultAppMigrationServiceClient.getS3UploadHeaders(DefaultAppMigrationServiceClient.kt:564)
	at com.atlassian.jira.migration.amsclient.DefaultAppMigrationServiceClient.uploadToS3(DefaultAppMigrationServiceClient.kt:384)
	at com.atlassian.migration.app.upload.consumers.MultipartUploadConsumer.perform(MultipartUploadConsumer.kt:33)
	at com.atlassian.migration.app.upload.consumers.MultipartUploadConsumer.run(MultipartUploadConsumer.kt:69)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.base/java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <(...redacted...).s3.amazonaws.com> doesn't match any of the subject alternative names: [*.s3.amazonaws.com, s3.amazonaws.com]
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:507)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
	at org.apache.http.impl.execchain.ServiceUnavailableRetryExec.execute(ServiceUnavailableRetryExec.java:85)
	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
	at com.atlassian.jira.migration.httpclient.AbstractPluginHttpClient.getResponse(AbstractPluginHttpClient.kt:162)
	... 9 more

Looking at the <jira-install-dir>/atlassian-jira/WEB-INF/lib directory, the Apache HTTP Client is on a version higher than 4.5.10 .

<jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-cache-4.5.14.jar
<jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-4.5.14.jar

Cause

Apache HTTP Client on versions higher than 4.5.10 started to throw SSLPeerUnverifiedException errors on specific cases when trying to establish a connection to AWS S3 buckets, which are used by JCMA to temporarily upload Cloud migration data.

The edge case to trigger the error is still unknown.

Workaround

As a workaround to complete the Cloud migration, Jira administrators are advised to temporarily use version 4.5.10 of the library.

On a clustered Data Center instance one should apply the steps on each node of the cluster.

Once the Cloud migration is complete, you are recommended to rollback the changes.

Take a backup of the following files.

<jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-cache-<library-version>.jar
<jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-<library-version>.jar
<jira-install-dir>/atlassian-jira/WEB-INF/atlassian-bundled-plugins/httpclient-osgi-<library-version>.jar

Upload the following files to a temporary location within the Jira server.

httpclient-4.5.10.jar httpclient-cache-4.5.10.jar httpclient-osgi-4.5.10.jar

These files were extracted from Jira Software 8.13.0, which had the Apache HTTP Client on version 4.5.10 .

File names are as follows:

httpclient-4.5.10.jar
httpclient-cache-4.5.10.jar
httpclient-osgi-4.5.10.jar

Stop Jira following your standard procedure.
Delete the files from their original location.

<jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-cache-<library-version>.jar
<jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-<library-version>.jar
<jira-install-dir>/atlassian-jira/WEB-INF/atlassian-bundled-plugins/httpclient-osgi-<library-version>.jar

Move the 4.5.10 files to the following locations.

<jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-cache-4.5.10.jar
<jira-install-dir>/atlassian-jira/WEB-INF/lib/httpclient-4.5.10.jar
<jira-install-dir>/atlassian-jira/WEB-INF/atlassian-bundled-plugins/httpclient-osgi-4.5.10.jar

Clear plugins cache .

Delete the following directories.
1. <jira-local-home>/plugins/.bundled-plugins
2. <jira-local-home>/plugins/.osgi-plugins
Delete the contents of the following directories.
1. <jira-install-dir>/work (just the contents, NOT the directory itself)
2. <jira-install-dir>/temp (just the contents, NOT the directory itself)

Start Jira following your standard procedure.