Confluence 10 can't read encrypted certificate password on server.xml


    • 3
    • Severity 2 - Major
    • 40

      Problem

      Confluence cannot read encrypted values like the keystore password in the Tomcat v10 Connector. 

      The problem is caused by wrong versions of the atlassian-secrets-* files stored in the <confluence-installation-folder>/lib and <confluence-installation-folder>/bin folders. Confluence 10.2.2 uses atlassian-secrets 6.0.6, but the jars placed in those folders have version 5.0.14 (the same as used in the most recent 9.2.x versions).

      Environment

      Confluence 10+

      Steps to Reproduce

      1. Install Confluence 10.2
      2. Terminate SSL at Tomcat
      3. Encrypt the keystore password in server.xml 

      Expected Results

      Confluence will be able to read the encrypted password.

      Actual Results

      Confluence fails to read the encrypted password with the following error:

      DD-MM-YYY HH:MM:SS SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector["https-jsse-nio2-8443"]]
      org.apache.catalina.LifecycleException: Protocol handler initialization failed
      at org.apache.catalina.connector.Connector.initInternal(Connector.java:1073)
      at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
       ...
      Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
      at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:804)
      ...
      Caused by: java.security.UnrecoverableKeyException: Password verification failed
      at java.base/sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:802)
      ... 26 more

      Workaround

      Some of the files can be copied from the Confluence installation folder, but one file is not included (atlassian-secrets-cli.jar). This file can be downloaded from the mvn repository directly.

      1. Find the correct version of the files used by your current Confluence version. The files are in the <CONFLUENCE_INSTALL_PATH>/confluence/WEB-INF/lib/ folder, with names like atlassian-secrets-store-x.x.x.jar, where x.x.x is the version used by Confluence.

      For example, for Confluence 10.2.2 it will be atlassian-secrets-store-6.0.6.jar

      2. Copy the file <CONFLUENCE_INSTALL_PATH>/confluence/WEB-INF/lib/atlassian-secrets-store-x.x.x.jar to the <CONFLUENCE_INSTALL_PATH>/lib/ folder

      3. Copy the file <CONFLUENCE_INSTALL_PATH>/confluence/WEB-INF/lib/atlassian-secrets-api-x.x.x.jar to the <CONFLUENCE_INSTALL_PATH>/lib/ folder

      4. Find the correct version of atlassian-secrets-cli.jar in the mvn repository - https://mvnrepository.com/artifact/com.atlassian.secrets/atlassian-secrets-cli

      5. Download atlassian-secrets-cli-x.x.x.jar from the mvn repository and place this file in the <CONFLUENCE_INSTALL_PATH>/bin/ folder.

      NOTE: If you upgrade to another version before the issue is fixed, you may need to repeat this action after the upgrade.
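
A check for the mismatch described above, as an added example that is not part of the original issue or Atlassian tooling: it compares the atlassian-secrets-* jar versions in lib/ and bin/ with the one shipped in confluence/WEB-INF/lib. It assumes the version appears in each jar's file name (atlassian-secrets-<module>-x.x.x.jar); the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not Atlassian tooling. Assumption: jar versions appear in the
# file name as atlassian-secrets-<module>-x.x.x.jar, as in the issue text.

# Print the sorted, unique versions of atlassian-secrets-* jars in a directory.
secrets_versions() {
    local dir="$1" f base ver
    for f in "$dir"/atlassian-secrets-*.jar; do
        [ -e "$f" ] || continue          # glob matched nothing
        base=${f##*/}; base=${base%.jar}
        ver=${base##*-}                  # text after the last '-'
        case $ver in
            [0-9]*) printf '%s\n' "$ver" ;;
            *)      printf 'unknown\n' ;;   # e.g. an unversioned jar name
        esac
    done | sort -u
}

# Compare lib/ and bin/ with the version the webapp ships in WEB-INF/lib.
# Returns 0 if consistent, 1 on mismatch, 2 if the webapp version is unclear.
check_secrets_jars() {
    local install="$1" expected dir v status=0
    expected=$(secrets_versions "$install/confluence/WEB-INF/lib")
    if [ -z "$expected" ] || [ "$(printf '%s\n' "$expected" | grep -c .)" -ne 1 ]; then
        echo "no single atlassian-secrets version found in WEB-INF/lib" >&2
        return 2
    fi
    echo "expected atlassian-secrets version: $expected"
    for dir in lib bin; do
        for v in $(secrets_versions "$install/$dir"); do
            if [ "$v" != "$expected" ]; then
                echo "MISMATCH: $dir/ has atlassian-secrets jar(s) at $v, expected $expected"
                status=1
            fi
        done
    done
    return "$status"
}
```

Source the file and run check_secrets_jars <CONFLUENCE_INSTALL_PATH> before and after applying the workaround, and again after each upgrade.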

       

              Assignee:
              Jeffery Xie
              Reporter:
              Diego Patrignani
              Votes:
              0
              Watchers:
              8