Hi all,
I built a brand new Confluence server and followed the instructions here for installing an SSL wildcard cert:
In step 2, I cannot figure out what they are referring to when they specify the "<tomcatkeystorefile>". I have no idea where this is and no Google search is providing any guidance. Could anyone help me figure this one out? Everything else has been pretty straightforward.
Thanks,
Ryan
It's so much easier to set up a reverse proxy server ahead of Confluence and manage SSL on the proxy. Atlassian has docs for apache, nginx (same procedure for Confluence) and IIS.
Any of these proxy servers have the smarts to start up as a privileged user and bind to port 443, then spawn child processes as an unprivileged user. This allows you to run Confluence as an unprivileged user and bind to 8090. This is far better from a security standpoint. It is also much easier to manage SSL certificates on any of these proxy servers than it is dealing with keytool and Java keystores. You can avoid having to restart Confluence when you update your certificates as well. They can also handle http -> https redirection so you can tell your users to point their browser to http://confluence.domain.com and they will be redirected to https automagically.
This may be an option if I have to do it. I don't really want to have to run two servers to do it though. If I can keep it all confined to one, that would be ideal. What are the security advantages?
There is no need to run the proxy on a separate server. You can run it on the Confluence server. We commonly set Confluence up this way and configure it to connect to 127.0.0.1:8090. The biggest advantage is simple cert management. You can also do cool stuff like displaying a custom “system down” page when you perform maintenance or unexpectedly go down. From a security perspective, if an attacker is able to exploit a vulnerability in Java that allows them to execute arbitrary code, that code will be executed as the “confluence” user. This is an unprivileged user, so they can’t do things like reboot, access other users’ data, etc. It limits your exposure in the event of a hack.
Ohhh, I think I understand. So I could install Apache on the Confluence server and then run the proxy from there. I've managed Apache servers for many years but this is my first time working with Tomcat, and really my first time getting my hands real dirty with certs. I usually fumble through them well enough.
So I set up Apache and set up my certs and redirects from that?
Thanks Dave, Stephen and Shannon. I'm following now. I'll get to it and report back in a bit!
Thanks,
Ryan
You're welcome, Ryan!
As for your Linux version, most versions of Linux are supported, aside from Alpine Linux (CONFSERVER-52400).
Let us know how your tests go, and if you have any further questions.
Shannon
Hi Ryan,
This is where you would list the path to the location of the keystore in Tomcat.
For more information on that, have a look at Running Confluence Over SSL or HTTPS > Step 3. Specify the location of your certificate:
By default, Tomcat expects the keystore file to be named .keystore and to be located in the user home directory under which Tomcat is running (which may or may not be the same as your own home directory). This means that, by default, Tomcat will look for your SSL certificates in the following location:
On Windows: C:\users\#CURRENT_USER#\.keystore
On OS X and UNIX-based systems: ~/.keystore
Hi Shannon,
Thank you for the quick response. I did read that and that's what I'm trying to understand. When I look there, I don't see the .keystore file. I'm installing a wildcard SSL cert and following these directions:
In step 2 I'm supposed to merge the tomcat keystore and the one I created in step 1. However, the tomcat keystore does not exist in the location you specified under any user. Am I missing something else?
Thanks,
Ryan
The other thing that may or may not matter is that after following through step 3 on the guide you posted, the service is listening on port 8443. I can telnet to it to confirm. However, I cannot pull up the web page with https on port 8443. I can only pull it up with http on port 8090.
Just to rule variables out, I tried to install the self-signed certificate exactly as the directions show and I'm having the same issue where a service is listening on port 8443 but I can't pull up the webpage on it.
What's the error you're getting when you try to access via 8443?
If you haven't installed an SSL yet, then the keystore might not exist, so you would want to go through the documentation I recommended to create it first, set it in server.xml, and then update.
The same would be for 8443, if you haven't set up Confluence to work on that port, then it won't load yet.
Otherwise, there are a few suggestions from the thread Confluence not opening port 8443 that might be able to help you.
Regards,
Shannon
The error I get is "ERR_TIMED_OUT". Using netstat and telnet, I have verified that the service is listening on port 8443. I installed the self-signed cert and set it up in server.xml, saved and rebooted. I changed the base URL in the admin configuration and rebooted. Still nothing.
This is Ubuntu 18.04. Is it supported? There's some cloud config things in it that are centered around hostname and DNS and it may have an impact. I can try installing on 16.04.
Hello Ryan,
When you set up Confluence to use an SSL cert you will have to ensure a few things are configured to ensure Confluence starts and responds properly. Here are the items that need to be configured:
<Server port="8000" shutdown="SHUTDOWN" debug="0">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
               maxThreads="48" minSpareThreads="10"
               enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
               protocol="org.apache.coyote.http11.Http11NioProtocol" />
    <Engine name="Standalone" defaultHost="localhost" debug="0">
      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
        <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
          <!-- Logger is deprecated in Tomcat 5.5. Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
          <Manager pathname="" />
          <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60" />
        </Context>
        <Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0" reloadable="false" useHttpOnly="true">
          <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60" />
        </Context>
      </Host>
    </Engine>
    <!--
      To run Confluence via HTTPS:
        * Uncomment the Connector below
        * Execute:
            %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
            $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix)
          with a password value of "changeit" for both the certificate and the keystore itself.
        * Restart and visit https://localhost:8443/
      For more info, see https://confluence.atlassian.com/display/DOC/Running+Confluence+Over+SSL+or+HTTPS
    -->
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
               URIEncoding="UTF-8" keystorePass="Key-Store-Password" keystoreFile="/opt/atlassian/.keystore"/>
  </Service>
</Server>
Once the above is completed then move forward to this:
If Confluence is unreachable after configuring SSL, please check the following document: SSL Troubleshooting
If you have questions about which products are supported by Confluence, we would suggest you visit: Supported Platforms.
If you’re still having issues, please paste your server.xml file (please sanitize this file and remove any usernames or passwords).
Regards,
Stephen Sifers | Senior Community Support Engineer, Atlassian
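The checklist in the post above (an uncommented 8443 Connector with SSLEnabled, scheme and secure set, a keystoreFile that actually exists, and the 8090 connector redirecting to 8443) is easy to get subtly wrong by hand. The script below is an added example, not Atlassian's code and not part of this thread: it parses a server.xml and reports each item that is missing or weak, including the TLSv1/TLSv1.1 entries in sslEnabledProtocols that a reviewer would flag today. The sample XML is constructed for the example and its keystore path and password are placeholders; the `path_exists` parameter is injectable so the check can run without a real keystore. A passing check does not explain an ERR_TIMED_OUT against a port that netstat shows listening: a timeout (rather than a refused connection or a TLS error) usually means packets are not reaching the socket at all, which points at a host or cloud firewall in front of Tomcat rather than at server.xml.

```python
"""Validate the HTTPS-related settings in a Confluence/Tomcat server.xml.

Added example (not Atlassian's code). It checks the items listed in the
thread and returns findings instead of guessing; nothing here touches the
network or the keystore itself.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample mirroring the shape of the snippet in the thread.
# The keystore path and password are placeholders, not real values.
SAMPLE_SERVER_XML = """<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol" />
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               keystoreFile="/opt/atlassian/.keystore"
               keystorePass="Key-Store-Password"
               protocol="org.apache.coyote.http11.Http11NioProtocol" />
  </Service>
</Server>
"""

# Protocol versions that should not be offered by a current deployment.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Attributes the HTTPS connector must carry, with the value each must have.
REQUIRED_HTTPS_ATTRS = (("SSLEnabled", "true"), ("scheme", "https"), ("secure", "true"))


def check_server_xml(xml_text, path_exists=os.path.exists):
    """Return a list of (severity, message) findings for a server.xml document.

    severity is "error" for settings that stop HTTPS from working and
    "warning" for settings that work but weaken the deployment.
    """
    findings = []
    root = ET.fromstring(xml_text)
    # findall with ".//" walks the whole tree, so nesting under Service is fine.
    connectors = root.findall(".//Connector")
    https = [c for c in connectors if c.get("port") == "8443"]
    http = [c for c in connectors if c.get("port") == "8090"]

    if not https:
        # The stock server.xml ships with this connector inside an XML comment,
        # so a parser never sees it until the comment markers are removed.
        findings.append(("error", "no Connector on port 8443: it is still commented out or missing"))
        return findings
    c = https[0]

    for attr, expected in REQUIRED_HTTPS_ATTRS:
        if c.get(attr) != expected:
            findings.append(("error", f'8443 connector needs {attr}="{expected}" (found {c.get(attr)!r})'))

    keystore = c.get("keystoreFile")
    if not keystore:
        findings.append(("error", "8443 connector has no keystoreFile attribute"))
    elif not path_exists(keystore):
        # This is the symptom from the thread: Tomcat is told about a keystore
        # that was never created, so the TLS handshake can never succeed.
        findings.append(("error", f"keystoreFile {keystore} does not exist on disk"))

    if c.get("keystorePass") in (None, "", "changeit"):
        findings.append(("warning", "keystorePass is unset or the well-known default 'changeit'"))

    enabled = {p.strip() for p in c.get("sslEnabledProtocols", "").split(",") if p.strip()}
    weak = sorted(enabled & WEAK_PROTOCOLS)
    if weak:
        findings.append(("warning", f"weak protocols enabled: {', '.join(weak)}; prefer TLSv1.2 and later"))

    if http and http[0].get("redirectPort") != "8443":
        findings.append(("warning", "8090 connector does not set redirectPort=\"8443\""))
    return findings


def has_errors(findings):
    """True when any finding would stop HTTPS from coming up."""
    return any(severity == "error" for severity, _ in findings)


if __name__ == "__main__":
    # Run against the constructed sample; pass a real file's text in practice.
    for severity, message in check_server_xml(SAMPLE_SERVER_XML):
        print(f"[{severity}] {message}")
```

Run it against your own file with `check_server_xml(open("/opt/atlassian/confluence/conf/server.xml").read())` (path assumed; use wherever your install keeps server.xml). With the sample above and a real filesystem the keystore path will not exist, so the first finding is the error that matches this thread; with the keystore in place only the weak-protocol warning remains.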
Hi Stephen,
Thanks for the help. I looked through this closely and I've done this procedure multiple times, both with self-signed cert and cert authority. I am suspecting Ubuntu 18.04 may be an issue. I'm going to try on 16.04 and see if it resolves it.