Configure Built-in TLS in Command Line
Configuring TLS in your current YouTrack installation
Using the command line, you can switch between the following secure mode configurations:
- HTTP — default HTTP mode. TLS is disabled.
- HTTPS (keystore) — secure HTTPS mode. TLS is enabled. The private key/certificate data is stored in a keystore file.
- HTTPS (privateKeyAndCert) — secure HTTPS mode. TLS is enabled. The private key, certificate, and certificate chain (optional) are stored in separate files in the PEM format.

To switch to a desired mode, stop YouTrack and run the configure command, defining all the properties required for the configuration of your choice. See below for detailed instructions and a complete list of the properties for each configuration.
To switch to the HTTP mode:
- Stop YouTrack:
  <youtrack_home>/bin/youtrack.sh stop
- Enter the following command:
  <youtrack_home>/bin/youtrack.sh configure --listen-port=8080 --secure-mode=disable
- Start YouTrack:
  <youtrack_home>/bin/youtrack.sh start
To switch to the HTTPS (keystore) mode:
- Create a temporary folder and place the file keystore.jks containing the server's private key and certificate in that folder.
- Stop YouTrack:
  <youtrack_home>/bin/youtrack.sh stop
- Run the following command:
  <youtrack_home>/bin/youtrack.sh configure --listen-port=443 --secure-mode=tls --tls-server-cert-storage-type=keystore --tls-server-cert-folder=<folder with file keystore.jks> --tls-server-cert-keystore-password=<keystore password> --tls-server-cert-keystore-key-alias=<private key entry alias> --tls-server-cert-private-key-passphrase=<private key entry password> --tls-redirect-from-http=<[true|false]> [--tls-redirect-from-http-listen-port=8080]
- Start YouTrack:
  <youtrack_home>/bin/youtrack.sh start
To switch to the HTTPS (privateKeyAndCert) mode:
- Create a temporary folder (let's call it <certificates_folder>) to store the files with the private key, certificate, and certificate chain (if any).
- Place the private key (in the PEM format) into the file <certificates_folder>/privateKey.pem.
- Place the server certificate (in the PEM format) associated with the private key into the file <certificates_folder>/certificate.crt.
- If you have a certificate chain for signing the server's certificate (in the PEM format), place it into the file <certificates_folder>/certificateChain.crt.
- Stop YouTrack:
  <youtrack_home>/bin/youtrack.sh stop
- Run the following command:
  <youtrack_home>/bin/youtrack.sh configure --listen-port=443 --secure-mode=tls \
    --tls-server-cert-storage-type=privateKeyAndCert --tls-server-cert-folder=<certificates_folder> \
    --tls-redirect-from-http=<[true|false]> [--tls-redirect-from-http-listen-port=8080]
  If the private key is encrypted, also add the tls-server-cert-private-key-passphrase property to provide the passphrase for the key.
- Start YouTrack:
  <youtrack_home>/bin/youtrack.sh start
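A preflight for the <certificates_folder> prepared in the steps above, as an added example that is not part of the YouTrack documentation: it checks the expected file names, restricts permissions on the key, detects a PKCS#8 or PKCS#1 encrypted key, and prints the configure command with the passphrase property only when it is needed. The function names, the `<passphrase>` placeholder and the constructed sample folder are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not YouTrack's code; the function names are hypothetical.

# Print pkcs8, pkcs1 or none, depending on how the PEM private key is encrypted.
key_encryption() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8    # PKCS#8 encrypted key
    elif grep -q -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo pkcs1    # traditional key with an encryption header
    else
        echo none
    fi
}

# Check the folder layout, restrict permissions, and print the configure
# command, adding the passphrase property only when the key is encrypted.
preflight_cert_folder() {
    dir=$1
    for f in privateKey.pem certificate.crt; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    grep -q -e 'PRIVATE KEY-----' "$dir/privateKey.pem" ||
        { echo "privateKey.pem is not a PEM private key" >&2; return 1; }
    for f in certificate.crt certificateChain.crt; do
        [ -f "$dir/$f" ] || continue    # the chain file is optional
        grep -q -e '-----BEGIN CERTIFICATE-----' "$dir/$f" ||
            { echo "$f is not a PEM certificate" >&2; return 1; }
    done
    chmod 700 "$dir" && chmod 600 "$dir/privateKey.pem" || return 1
    cmd="<youtrack_home>/bin/youtrack.sh configure --listen-port=443 --secure-mode=tls"
    cmd="$cmd --tls-server-cert-storage-type=privateKeyAndCert --tls-server-cert-folder=$dir"
    if [ "$(key_encryption "$dir/privateKey.pem")" != none ]; then
        cmd="$cmd --tls-server-cert-private-key-passphrase=<passphrase>"
    fi
    echo "$cmd --tls-redirect-from-http=<[true|false]>"
}

# Constructed sample folder ($1 = pkcs8 | pkcs1 | none): PEM framing only.
make_sample_folder() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' > "$d/certificate.crt"
    case $1 in
        pkcs8) printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' ;;
        pkcs1) printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' ;;
        *) printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' ;;
    esac > "$d/privateKey.pem"
    echo "$d"
}

preflight_cert_folder "$(make_sample_folder pkcs1)"
```

Values passed as command-line properties can be recorded in shell history and are visible in the process list while the command runs, so fill in the passphrase at the prompt rather than saving the printed command in a script.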
Redirecting HTTP traffic
If you are going to use a secure HTTPS mode, you can optionally set up a Redirect listen port — a non-secure port that will receive all HTTP requests and redirect them to the secure listen port. To do so, add the parameters tls-redirect-from-http=true and tls-redirect-from-http-listen-port=<your redirect port number> to the configure command.
Configuration Parameters
HTTP
Property | Value | Description |
---|---|---|
secure-mode | disable | The default value of the property. TLS is disabled by default. |
listen-port | | The port on which YouTrack listens to the HTTP traffic. |
HTTPS (common properties)
Property | Value | Description |
---|---|---|
secure-mode | tls | TLS is enabled |
tls-server-cert-storage-type | | Defines the format (storage type) of a server certificate. See descriptions of each storage type below. |
tls-redirect-from-http | | Set to true to enable an additional port (defined by property |
tls-redirect-from-http-listen-port | | Specify an additional port to accept unencrypted HTTP traffic and redirect it to a secure port defined by the property |
tls-server-cert-folder | | Specify the directory that contains server certificate files to be applied to YouTrack. The directory should contain the file |
HTTPS (keystore - additional settings)
Property | Value | Description |
---|---|---|
tls-server-cert-storage-type | keystore | Use this property if your private key/certificate data is stored in a generated keystore file. In this mode, the server's private key/certificate pair will be derived from the file |
tls-server-cert-keystore-password | | Keystore integrity password. |
tls-server-cert-keystore-key-alias | | Alias that is associated with the private key/certificate entry in the keystore. |
tls-server-cert-private-key-passphrase | | Password that protects your server's private key entry in the keystore. |
HTTPS (privateKeyAndCert - additional settings)
Property | Value | Description |
---|---|---|
tls-server-cert-storage-type | privateKeyAndCert | In this mode the server's private key/certificate pair is taken from the files |
tls-server-cert-private-key-passphrase | string | If you use an encrypted private key, then use this property to provide the passphrase that was used for encryption. Supported for both PKCS#8 and PKCS#1 formats. |