Problem configuring SSL for Confluence

Leslie Fleming
August 23, 2018

Hello Atlassian Support,

Let me start by saying what a great product 'confluence' is :). I recently purchased a license for a self-hosted server, which I have spun up from scratch. I have a need to enable all authentication to be encrypted (TLS). I have followed the configuration example as outlined here (https://confluence.atlassian.com/doc/running-confluence-over-ssl-or-https-161203.html) but cannot get it to work. I can reach the site when I hit it up over http schema and receive a URL mismatch notification which I expect, as I have set the base url to be https.

Your URL doesn't match
Confluence's base URL is set to https://go-wiki:8443 but you are accessing Confluence from http://go-wiki:8090.

Update base URL.

 

As part of my troubleshooting effort, I disabled IPv6 to verify if this might be causing an issue, but the outcome is the same. I cannot even curl http://localhost:8443 or connect via the shell browser 'Lynx' to the port.

Any help you can offer up, will be much appreciated as I seem to be missing the root cause.

Looking forward to your reply.

Les

----------------- CURRENT CONFIGURATION ----------------- 

[BASE URL]

https://go-wiki:8443

[OS]

CentOS 7.5.1804 x64

[SELINUX]

Disabled

[FIREWALL]

Disabled

[SERVER.XML]

<Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true" address="0.0.0.0"
    clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" SSLEnabled="true"
    URIEncoding="UTF-8" keystorePass="gh10ByHgFYinRjEBqcGfmgpxczRo9Xxy"
    keystoreFile="/root/.keystore" keyAlias="tomcat2" />

 

[KEYSTORE]

*******************************************
Alias name: tomcat2
Creation date: 21-Aug-2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Leslie Fleming, OU=Cloud Infrastructure, O=Elbicon, L=Naul, ST=Dublin, C=IE
Issuer: CN=Leslie Fleming, OU=Cloud Infrastructure, O=Elbicon, L=Naul, ST=Dublin, C=IE
Serial number: 85810df
Valid from: Tue Aug 21 12:21:38 IST 2018 until: Mon Nov 19 11:21:38 GMT 2018
Certificate fingerprints:
         MD5:  8D:5E:B8:52:04:54:4F:1D:6A:BA:F4:D7:37:DB:56:75
         SHA1: 2D:93:71:C2:AC:B5:26:71:A1:FB:6A:06:0C:78:6B:9E:83:11:8E:B8
         SHA256: 8F:3B:11:A6:DD:0D:A1:F5:99:F3:6F:5A:8D:A2:C1:15:3B:0A:02:41:FB:01:3D:73:39:A6:3A:76:94:5B:E7:80
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 12 34 31 59 1B 41 6A 9D   8B 63 75 0C BE 8B 69 49  .41Y.Aj..cu...iI
0010: 75 60 4C 19                                        u`L.
]
]
*******************************************
*******************************************
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /root/.keystore -destkeystore /root/.keystore -deststoretype pkcs12".

[IP CONFIG]

[root@ie-dub-pl-wiki-001 ~]# netstat -an | grep -i 8090
tcp        0      0 0.0.0.0:8090            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:41582         127.0.0.1:8090          TIME_WAIT
tcp        0      0 127.0.0.1:41654         127.0.0.1:8090          TIME_WAIT
[root@ie-dub-pl-wiki-001 ~]# netstat -an | grep -i 8443
tcp        9      0 0.0.0.0:8443            0.0.0.0:*               LISTEN

1 answer

0 votes
Alexis Robert
Community Champion
August 23, 2018

Hi @Leslie Fleming

 

I'm not sure if you required end-to-end encryption for your instance but for all my Atlassian instances I'm now using Apache as a proxy to handle SSL certificates, port redirection, etc as I had too many issues with dealing directly with Tomcat.

If that's a possibility to you, the setup is much simpler in this case: you have Apache running in front of Jira and just need to add in your connector block in server.xml:

  • scheme="https"
  • proxyName="jira.mycompany.com"
  • proxyPort="443"

 

No need to use the "keytool" for Tomcat or deal with its keystore etc. You just configure Apache to point to your certificates location and that's it.

 

All of this setup is explained in this documentation.

 

Let me know if this helps,

 

--Alexis
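
An added example, not part of the original answer or of Atlassian's documentation: a small Python check that compares each Connector in a server.xml against the configured base URL, using the scheme, proxyName and proxyPort attributes named in the answer plus the secure attribute from the question's connector. The function name check_connectors, port 8091 and the Service name are assumptions made for illustration, and the sample server.xml is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: a plain connector plus a proxied one carrying the
# attributes from the answer above (port 8091 is an assumed value).
SAMPLE_SERVER_XML = """
<Server><Service name="Tomcat-Standalone">
  <Connector port="8090" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
  <Connector port="8091" protocol="org.apache.coyote.http11.Http11NioProtocol"
             scheme="https" secure="true"
             proxyName="jira.mycompany.com" proxyPort="443"/>
</Service></Server>
"""

def check_connectors(server_xml, base_url):
    """Map each Connector port to a list of mismatches against base_url."""
    base = urlsplit(base_url)
    base_port = base.port or DEFAULT_PORTS[base.scheme]
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        issues = []
        scheme = conn.get("scheme", "http")  # Tomcat's default scheme is http
        # proxyPort/proxyName override what the webapp is told; without them
        # the listening port and the request's Host header apply.
        port = int(conn.get("proxyPort") or conn.get("port"))
        host = conn.get("proxyName")
        if scheme != base.scheme:
            issues.append(f"scheme {scheme} != {base.scheme}")
        if port != base_port:
            issues.append(f"port {port} != {base_port}")
        if host and host.lower() != base.hostname:
            issues.append(f"proxyName {host} != {base.hostname}")
        if scheme == "https" and conn.get("secure") != "true":
            issues.append('secure="true" missing: request.isSecure() is false')
        findings[conn.get("port")] = issues
    return findings

if __name__ == "__main__":
    result = check_connectors(SAMPLE_SERVER_XML, "https://jira.mycompany.com")
    for port, issues in result.items():
        print(port, "OK" if not issues else "; ".join(issues))
```

Run against the question's values (base URL https://go-wiki:8443), the 8443 connector comes back clean and the 8090 connector reports the scheme and port mismatch that the "Your URL doesn't match" banner describes.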

Leslie Fleming
August 24, 2018

Alexis,

Thanks very much for your reply. I will certainly give that a try today and ping back the outcome.

Thanks again for your response.

Les
