Uploaded image for project: 'Confluence Server'
  1. Confluence Server
  2. CONFSERVER-45264

isSynchronyProxyRunning fails with javax.net.ssl.SSLHandshakeException

    Details

    • Symptom Severity:
      Major
    • UIS:
      3
    • Support reference count:
      6
    • QA Demo Status:
      Not Done
    • QA Kickoff Status:
      Not Done

      Description

      Please note that this bug will disable the synchrony-proxy mode in 6.0.1.

      If /synchrony is being used, you won't need to be worried about this bug.

      After changing Confluence to use HTTPS configuration isSynchronyProxyRunning check fails with exception

      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)

      Workaround

      Try importing the certificate into Confluence keystore https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html

      To convert an existing certificate key pair (e.g. configured in the Nginx configuration) to a Java keystore, please use the following commands:

      OpenSSL for converting crt/key files to P12

      openssl pkcs12 -export -name servercert -in <cert-file>.crt -inkey <cert-file>.key -out <cert-file>.p12
      

      Keytool for converting p12 to JKS

      keytool -importkeystore -destkeystore keystore.jks -srckeystore <cert-file>.p12 -srcstoretype pkcs12 -alias servercert 
      

      After that, we need to put the following line into the setenv.sh file:

      CATALINA_OPTS="-Djavax.net.ssl.trustStore=<path-to-keystore-file>/keystore.jks ${CATALINA_OPTS}"
      

      or in the setenv.bat file:

      set CATALINA_OPTS=-Djavax.net.ssl.trustStore=<path-to-keystore-file>/keystore.jks %CATALINA_OPTS%
      

      Please note that the Confluence cannot detect if the proxy is running at startup. The user still needs to restart Synchrony (in the admin screen) to enable this internal proxy. (This issue will be fixed in 6.0.2)

      Solution

      In 6.0.2, http and localhost will be used as the scheme and hostname when checking the running status of the proxy. Since Tomcat cannot guarantee that it will finish starting up the synchrony-proxy before the healthcheck is executed (Therefore, this is a race condition). The synchrony-proxy will be assumed to be running always. If it is stopped for some reasons, the error will be logged out in the Confluence's log file.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                2 Vote for this issue
                Watchers:
                10 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Last commented:
                  21 weeks, 1 day ago