Overview
You might receive the following error in FogBugz On-Premise for some filters after you Configure FogBugz On-Premises to Use HTTPS or you update the SSL/TLS certificate used by your FogBugz On-Premise:
Unexpected Search Response
Prerequisites
- Administrator rights on the IIS server hosting FogBugz On-Premise
- Administrator rights on the server that is hosting ElasticSearch
Diagnosis
Similarly to how browsers check the validity of the SSL certificates provided by servers when connecting using HTTPS, also ElasticSearch checks the certificate provided by your FogBugz server.
ElasticSearch is written in Java language. As such it uses the certificate information available in Java Trust Store.
If you recently changed your FogBugz On-Premise to use SSL/TLS certificate, or you are using a certificate signed by a Certificate Authority that is not automatically trusted by the Java Trust Store, or your certificate has expired, ElasticSearch might not be able to connect to your FogBugz.
Note: Self-signed certificates are also considered not-trusted by default by the Java Trust Store.
Solution
To resolve this issue, you need to import into the Java Trust Store the same certificate that is used by the FB GEN ALL site on your IIS Server.
Note: These steps are not about changing how ElasticSearch is accessed, but changing how ElasticSearch accesses FogBugz. After executing these steps, ElasticSearch will be available on localhost in the same way as before executing these steps.
You will need the certificate in Base-64 encoded X.509 format.
This can be achieved using the following steps:
- Export the certificate from IIS - you can skip this step if you already have the certificate in Base-64 encoded X.509 format
- Import your certificate into the Java Trust Store
Exporting the SSL Certificate from IIS
The surest way to ensure that your FogBugz On-Premise and ElasticSearch use the same certificate is to export the certificate from IIS and import it into the Java Trust Store.
- Go to your IIS Manager.
- Collapse Server > Sites.
- Right-click on FB GEN ALL and select Edit Bindings.
- Under Site Bindings, select the domain that is using port 443 and click Edit.
- Click View.
- Select the Details tab and click on the Copy to File button.
- Under Export File Format, select Base-64 encoded X.509 (.CER).
IMPORTANT: Do NOT export the private key. - Under File to Export specify the file name and location where to export the file.
- Click Finish to export the certificate file.
Importing the Certificate to the Java Trust Store
- Run Windows PowerShell as Administrator.
- Run the following command.
keytool -import -v -alias <friendly_name_of_your_certificate> -keystore $Env:JAVA_HOME\jre\lib\security\cacerts -file <full_path_to_the_exported_certificate_file>.cer
- Replace the following values in the command above:
<friendly_name_of_your_certificate>
<full_path_to_the_exported_certificate_file>.cer
- Enter the password for the Trust Store.
The default password for the Trust Store ischangeit
. - When the system asks to trust the key, type
YES
and hit Enter for the Java Trust Store to accept the certificate. - Restart the FogBugz ElasticSearch service.
- Restart Internet Services.
Testing
- After restarting IIS and Elastic Search, check that Elastic Search is up and running by accessing its health status URL:
http://localhost:9200/_cluster/health
- Repeat the same search the was giving you Unexpected Search Response. It should give you the correct results.
- If you experience that your search results are incomplete you might also need to reset ElasticSearch Indexer Backfill.