
isSynchronyProxyRunning fails with javax.net.ssl.SSLHandshakeException


Details

    Description

      Please note that this bug disables the synchrony-proxy mode in 6.0.1.

      If /synchrony is being used, you do not need to worry about this bug.

      After changing Confluence to use an HTTPS configuration, the isSynchronyProxyRunning check fails with the following exception:

      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
          at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
          at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)

      Workaround

      Try importing the certificate into the Confluence keystore: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html

      To convert an existing certificate/key pair (e.g. the one configured in the Nginx configuration) to a Java keystore, use the following commands:

      OpenSSL for converting crt/key files to P12

      openssl pkcs12 -export -name servercert -in <cert-file>.crt -inkey <cert-file>.key -out <cert-file>.p12

      Keytool for converting p12 to JKS

      keytool -importkeystore -destkeystore keystore.jks -srckeystore <cert-file>.p12 -srcstoretype pkcs12 -alias servercert

      After that, add the following line to the setenv.sh file:

      CATALINA_OPTS="-Djavax.net.ssl.trustStore=<path-to-keystore-file>/keystore.jks ${CATALINA_OPTS}"

      or in the setenv.bat file:

      set CATALINA_OPTS=-Djavax.net.ssl.trustStore=<path-to-keystore-file>/keystore.jks %CATALINA_OPTS%
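      The workaround steps above as an added example script (not from the Atlassian issue): it builds the trust store from the public certificate alone, seeded from a copy of the JVM's default cacerts so other outbound TLS connections keep working, and then checks that the imported entry's SHA-256 fingerprint matches the .crt file. The alias servercert comes from the issue; the store password changeit, the JAVA_HOME lookup and all paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the Atlassian issue. Builds a JKS trust store
# for Confluence's -Djavax.net.ssl.trustStore and verifies the imported entry.
# Assumed values: store password "changeit", JAVA_HOME-based cacerts lookup.
set -eu

# Render the setenv.sh line for a given trust store path (matches the issue's form).
catalina_opts_line() {
    printf 'CATALINA_OPTS="-Djavax.net.ssl.trustStore=%s ${CATALINA_OPTS}"\n' "$1"
}

# SHA-256 fingerprint of a PEM certificate, colon-separated, as keytool prints it.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Create TRUSTSTORE (seeded from the JVM cacerts when found) and import CERT under ALIAS.
# Only the certificate is imported: a trust store does not need the private key.
build_truststore() {
    cert=$1; truststore=$2; alias=${3:-servercert}; storepass=${4:-changeit}
    cacerts="${JAVA_HOME:-/nonexistent}/lib/security/cacerts"
    [ -f "$cacerts" ] || cacerts="${JAVA_HOME:-/nonexistent}/jre/lib/security/cacerts"
    if [ -f "$cacerts" ] && [ ! -f "$truststore" ]; then
        cp "$cacerts" "$truststore"
    fi
    keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$cert" \
        -keystore "$truststore" -storepass "$storepass"
}

# Succeed only if the entry stored under ALIAS has the same SHA-256 fingerprint as CERT.
verify_truststore() {
    cert=$1; truststore=$2; alias=${3:-servercert}; storepass=${4:-changeit}
    want=$(cert_fingerprint "$cert")
    keytool -list -v -keystore "$truststore" -storepass "$storepass" -alias "$alias" \
        | grep -q "SHA256: $want"
}

# Usage: ./build-truststore.sh <cert-file>.crt /path/to/keystore.jks
if [ "$#" -ge 2 ]; then
    build_truststore "$1" "$2"
    verify_truststore "$1" "$2" && echo "trust store verified: $2"
    catalina_opts_line "$2"
fi
```

      Pointing javax.net.ssl.trustStore at a file replaces the JVM's default cacerts for the whole process, which is why the script seeds the new store from it.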

      Please note that Confluence cannot detect whether the proxy is running at startup. The user still needs to restart Synchrony (in the admin screen) to enable this internal proxy. (This issue will be fixed in 6.0.2.)

      Solution

      In 6.0.2, http and localhost will be used as the scheme and hostname when checking the running status of the proxy. Because Tomcat cannot guarantee that the synchrony-proxy has finished starting before the health check runs (a race condition), the synchrony-proxy will always be assumed to be running. If it has stopped for some reason, the error will be logged in Confluence's log file.

            People

              ttranminh Tam Tran
              bmcnamara Brendan McNamara