- Bug
- Resolution: Fixed
- Highest
- 6.0.1
- 6
- Severity 2 - Major
Please note that this bug disables the synchrony-proxy mode in 6.0.1.
If /synchrony is being used, you do not need to worry about this bug.
After changing Confluence to use an HTTPS configuration, the isSynchronyProxyRunning check fails with the following exception:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
Workaround
Try importing the certificate into the Confluence keystore: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html
To convert an existing certificate key pair (e.g. configured in the Nginx configuration) to a Java keystore, please use the following commands:
OpenSSL for converting crt/key files to P12
openssl pkcs12 -export -name servercert -in <cert-file>.crt -inkey <cert-file>.key -out <cert-file>.p12
Keytool for converting p12 to JKS
keytool -importkeystore -destkeystore keystore.jks -srckeystore <cert-file>.p12 -srcstoretype pkcs12 -alias servercert
After that, we need to put the following line into the setenv.sh file:
CATALINA_OPTS="-Djavax.net.ssl.trustStore=<path-to-keystore-file>/keystore.jks ${CATALINA_OPTS}"
or in the setenv.bat file:
set CATALINA_OPTS=-Djavax.net.ssl.trustStore=<path-to-keystore-file>/keystore.jks %CATALINA_OPTS%
Please note that Confluence cannot detect whether the proxy is running at startup. The user still needs to restart Synchrony (in the admin screen) to enable this internal proxy. (This issue will be fixed in 6.0.2.)
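Added example, not part of the original issue or Atlassian's own tooling: a check to run after the steps above and before restarting, confirming that the keystore passed to -Djavax.net.ssl.trustStore really contains the certificate Confluence serves. The file names, password, default alias and function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: check the keystore built by the workaround before restarting.
# Paths, passwords and the default alias are placeholders (assumptions).

# SHA-256 fingerprint (AA:BB:...) of a PEM certificate file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate stored in the intermediate PKCS#12 file.
p12_fingerprint() {    # args: <file.p12> <password>
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds if the Java keystore holds a certificate with this fingerprint.
jks_has_fingerprint() {    # args: <keystore> <storepass> <fingerprint>
    keytool -J-Duser.language=en -list -v -keystore "$1" -storepass "$2" \
        2>/dev/null | grep -qF "$3"
}

# Prints the entry type for an alias: PrivateKeyEntry or trustedCertEntry.
jks_entry_type() {    # args: <keystore> <storepass> <alias>
    keytool -J-Duser.language=en -list -v -keystore "$1" -storepass "$2" \
        -alias "$3" 2>/dev/null | sed -n 's/^Entry type: //p'
}

# Compare the served certificate with what the JVM will be told to trust.
check_workaround() {    # args: <cert.crt> <keystore> <storepass> [alias]
    local fp kind
    fp=$(cert_fingerprint "$1")
    [ -n "$fp" ] || { echo "cannot read certificate $1" >&2; return 2; }
    if ! jks_has_fingerprint "$2" "$3" "$fp"; then
        echo "MISMATCH: $2 does not contain $1 ($fp)" >&2
        return 1
    fi
    kind=$(jks_entry_type "$2" "$3" "${4:-servercert}")
    echo "OK: $2 contains $fp (${kind:-entry type unknown})"
    if [ "$kind" = "PrivateKeyEntry" ]; then
        echo "note: entry includes the private key; trust only needs the cert"
    fi
    return 0
}

# Run only when arguments are given, e.g.:
#   ./check.sh server.crt keystore.jks changeit servercert
if [ "$#" -ge 3 ]; then check_workaround "$@"; fi
```

Setting -Djavax.net.ssl.trustStore makes the JVM use this file instead of its default cacerts, so the keystore must also hold the CA certificates for any other HTTPS services Confluence connects to.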
Solution
In 6.0.2, http and localhost will be used as the scheme and hostname when checking the running status of the proxy. Because Tomcat cannot guarantee that it will finish starting up the synchrony-proxy before the healthcheck is executed (a race condition), the synchrony-proxy will always be assumed to be running. If it is stopped for some reason, the error will be logged in the Confluence log file.
supersedes
- CONFSERVER-45272 Use HTTP and localhost as the scheme and hostname when checking the proxy webapp's running state (Closed)
- CONFSERVER-45273 Remove the healthcheck for the synchrony-proxy webapp when Confluence is started up and monitor the proxy's running status (Closed)