ERR_CONNECTION_CLOSED after installing new SSL certificate

Preet Dhillon
July 22, 2020

Hello everyone,

My organisation runs an intranet confluence Wiki site. The site is hosted on an AWS EC2 Linux host and is secured by an SSL certificate issued by my organisation.

The SSL certificate for the Wiki site recently expired and a new one was issued in .pfx format. I uploaded the new .pfx certificate to the EC2 instance where the site is hosted. In the confluence conf directory I could see two keystores configured in the HTTPS connector block in the server.xml file. One keystore contained CA certificates and the other contained the certificate chain for the site itself, including the expired certificate.

I installed my new SSL certificate as follows:

(1) Stopped the confluence service;

(2) Renamed the old keystore file containing the expired certificate chain;

(3) Created a new keystore with the same name as the original renamed in step (2);

(4) Imported the new .pfx certificate into the new keystore created in step (3);

(5) Restarted the confluence service. 

After doing this, I could not browse the Wiki site any more. My browser reported ERR_CONNECTION_CLOSED.

When I tried a curl command on the host where confluence was installed, I got this:

$ curl -vvv https://localhost:8443
* About to connect() to localhost port 8443 (#0)
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none

This hung for 5 minutes and then timed out.

I stopped the confluence service, restored the old keystore file and restarted the confluence service. I could then access the Wiki (albeit with a warning that the certificate had expired). The curl command above also completed and confirmed the expired certificate.

There is one CA cert in the CA keystore which expired in 2018 but the site continued to work in secure mode thereafter so I do not believe that to be significant. The other CA certs in the keystore have not expired and their names match those in the new keystore I created and imported my new .pfx certificate into.

Appreciate any help to find out why I get ERR_CONNECTION_CLOSED (usually indicative of some proxy/network connectivity issue) and cannot curl to port 8443 after installing my new SSL certificate.

1 answer

0 votes
Daniel Eads
Atlassian Team
July 23, 2020

Hi Preet,

It sounds like you're serving HTTPS directly from Confluence/Tomcat. I'm curious if you're working through the documentation on doing that - Running Confluence over SSL or HTTPS. Using the Java keytool is more complicated than other methods of getting HTTPS configured, and I find that there's a lot of room to inadvertently overlook a step in the setup. Going through the document (or going through it a second time) step by step might yield different results.

If you're able, I'd recommend using a reverse proxy in front of Confluence to offload the SSL termination. Since you're in EC2 on Linux, there are a couple of easy options:

  1. You could use the AWS elastic load balancer (ELB) service. If you were provided a wildcard certificate, it might already be halfway configured somewhere in your AWS account. Documentation for using ELB with Confluence is available here.
  2. On the EC2 instance itself, you could use nginx - I find the configuration much simpler to understand and troubleshoot. Documentation for using nginx with Confluence is available here.

Cheers,
Daniel

Preet Dhillon
July 29, 2020

Hi Daniel,

Many thanks for replying to my post. The error came due to the passwords assigned to the private keys and keystore of the new SSL certificate differing from the passwords in the server.xml file. We used a GUI called Keystore Explorer to import our new SSL certificate and set the passwords to be the same as those in the server.xml file. After uploading the modified certificate to the host instance and restarting the Confluence service, the site was secure. You can download the Keystore Explorer GUI tool here.

Kind regards,

Preet
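
The password mismatch described in the reply above can be caught before the Confluence service is restarted. The following is an added example, not code from the posters or from Atlassian's documentation: it reads the HTTPS connector's Tomcat attributes (keystoreFile, keystorePass, keyAlias, keyPass) from server.xml and builds keytool commands that fail when either password does not open the keystore or its private key. The sample XML, path and passwords are constructed, and KS_PASS and KEY_PASS are arbitrary environment variable names chosen here.

```python
import os
import shutil
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample; real values come from the conf/server.xml of the install.
SAMPLE_SERVER_XML = """<Server><Service name="Tomcat-Standalone">
  <Connector port="8090" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="/opt/example/conf/wiki.jks" keystorePass="store-secret"
             keyAlias="wiki" keyPass="key-secret"/>
</Service></Server>"""

def https_connector_settings(xml_text):
    """Return the keystore settings of the first SSL-enabled Connector, or None."""
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() == "true":
            store_pass = conn.get("keystorePass", "changeit")  # Tomcat default
            return {
                "file": conn.get("keystoreFile"),
                "alias": conn.get("keyAlias"),
                "store_pass": store_pass,
                # Tomcat falls back to keystorePass when keyPass is absent.
                "key_pass": conn.get("keyPass", store_pass),
            }
    return None

def keytool_checks(cfg):
    """Build keytool commands; passwords travel via env vars, never argv."""
    base = ["-keystore", cfg["file"], "-storepass:env", "KS_PASS"]
    checks = [["keytool", "-list"] + base]  # fails if keystorePass is wrong
    if cfg["alias"]:  # without -alias keytool would assume "mykey"
        # -certreq must recover the private key, so a wrong keyPass fails here.
        checks.append(["keytool", "-certreq", "-alias", cfg["alias"]]
                      + base + ["-keypass:env", "KEY_PASS"])
    return checks

def verify(cfg):
    """Run the checks; True only if the keystore and the private key both open."""
    env = dict(os.environ, KS_PASS=cfg["store_pass"], KEY_PASS=cfg["key_pass"])
    return all(
        subprocess.run(cmd, env=env, capture_output=True).returncode == 0
        for cmd in keytool_checks(cfg)
    )

if __name__ == "__main__":
    cfg = https_connector_settings(SAMPLE_SERVER_XML)
    if shutil.which("keytool") and os.path.exists(cfg["file"]):
        print("keystore matches server.xml:", verify(cfg))
```

For a PKCS12 keystore, keytool ignores a separate key password and uses the store password, so only the first check distinguishes anything there.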
