Confluence Server / CONFSERVER-45264

isSynchronyProxyRunning fails with javax.net.ssl.SSLHandshakeException





      Please note that this bug will disable the synchrony-proxy mode in 6.0.1.

      If /synchrony is being used, you do not need to worry about this bug.

      After changing Confluence to use an HTTPS configuration, the isSynchronyProxyRunning check fails with the following exception:

      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
          at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
          at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
          at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)


      Try importing the certificate into the Confluence keystore: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html

      To convert an existing certificate key pair (e.g. configured in the Nginx configuration) to a Java keystore, please use the following commands:

      OpenSSL for converting crt/key files to P12

      openssl pkcs12 -export -name servercert -in <cert-file>.crt -inkey <cert-file>.key -out <cert-file>.p12

      Keytool for converting p12 to JKS

      keytool -importkeystore -destkeystore keystore.jks -srckeystore <cert-file>.p12 -srcstoretype pkcs12 -alias servercert 

      After that, we need to put the following line into the setenv.sh file:

      CATALINA_OPTS="-Djavax.net.ssl.trustStore=<path-to-keystore-file>/keystore.jks ${CATALINA_OPTS}"

      or in the setenv.bat file:

      set CATALINA_OPTS=-Djavax.net.ssl.trustStore=<path-to-keystore-file>/keystore.jks %CATALINA_OPTS%

      Please note that Confluence cannot detect whether the proxy is running at startup. The user still needs to restart Synchrony (in the admin screen) to enable this internal proxy. (This issue will be fixed in 6.0.2.)


      In 6.0.2, http and localhost will be used as the scheme and hostname when checking the running status of the proxy. Because Tomcat cannot guarantee that it will finish starting up the synchrony-proxy before the health check is executed (a race condition), the synchrony-proxy will always be assumed to be running. If it is stopped for some reason, the error will be logged in the Confluence log file.
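
The conversion commands above copy the private key into the file passed to -Djavax.net.ssl.trustStore, and that property replaces the JVM's default cacerts for every outbound TLS connection. The following is an added example, not part of the original issue or Atlassian's code: it builds a certificate-only trust store, optionally on top of a copy of the default cacerts, and confirms the entry type. The function names, arguments and file paths are hypothetical; only the alias servercert comes from the page.

```shell
#!/bin/sh
# Added example, not Atlassian's code. The alias "servercert" is the page's;
# function names, arguments and file paths are hypothetical.

# build_truststore CERT_PEM OUT_STORE STOREPASS [BASE_CACERTS]
# Imports only the public certificate (no private key) into OUT_STORE.
# With BASE_CACERTS, the JVM's default CAs are copied in first; STOREPASS
# must then be that store's password.
build_truststore() {
    cert=$1 out=$2 pass=$3 base=${4:-}
    rm -f "$out"
    if [ -n "$base" ]; then
        cp "$base" "$out" || return 1
        chmod u+w "$out" || return 1   # cacerts is often read-only
    fi
    keytool -importcert -noprompt -trustcacerts -alias servercert \
        -file "$cert" -keystore "$out" -storepass "$pass" >/dev/null 2>&1
}

# entry_type STORE STOREPASS ALIAS
# Prints PrivateKeyEntry or trustedCertEntry; fails if the alias is absent.
entry_type() {
    listing=$(keytool -list -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null) || return 1
    case $listing in
        *PrivateKeyEntry*)  echo PrivateKeyEntry ;;
        *trustedCertEntry*) echo trustedCertEntry ;;
        *) return 1 ;;
    esac
}

# Command-line use: sh truststore.sh CERT_PEM OUT_STORE STOREPASS [BASE_CACERTS]
if [ $# -ge 3 ]; then
    build_truststore "$@" || { echo "import failed" >&2; exit 1; }
    [ "$(entry_type "$2" "$3" servercert)" = trustedCertEntry ] || {
        echo "servercert is not a certificate-only entry" >&2; exit 1; }
    # Line for setenv.sh, in the form the page gives.
    echo "CATALINA_OPTS=\"-Djavax.net.ssl.trustStore=$2 \${CATALINA_OPTS}\""
fi
```

Running entry_type against a keystore.jks produced by the page's openssl and keytool commands reports PrivateKeyEntry for servercert, which is how to tell the two kinds of store apart.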

