
Can't install SSL Wildcard Cert on Confluence Server

Ryan Manley December 20, 2018

Hi all,

I built a brand new Confluence server and follows the instructions here for installing an SSL wildcard cert:

https://confluence.atlassian.com/kb/how-to-import-an-existing-ssl-certificate-for-use-in-tomcat-838412853.html

In step 2, I cannot figure out what they are referring to when they specify the "<tomcatkeystorefile>". I have no idea where this is and no Google search is providing any guidance. Could anyone help me figure this one out? Everything else has been pretty straightforward.


Thanks,

Ryan

2 answers

0 votes
Dave Theodore [Coyote Creek Consulting]
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
December 20, 2018

It's so much easier to set up a reverse proxy server ahead of Confluence and manage SSL on the proxy. Atlassian has docs for apache, nginx (same procedure for Confluence) and IIS.

Any of these proxy servers have the smarts to start up as a privileged user and bind to port 443, then spawn child processes as an unprivileged user. This allows you to run Confluence as an unprivileged user and bind to 8090. This is far better from a security standpoint. It is also much easier to manage SSL certificates on any of these proxy servers than it is dealing with keytool and Java keystores. You can avoid having to restart Confluence when you update your certificates as well. They can also handle http -> https redirection so you can tell your users to point their browser to http://confluence.domain.com and they will be redirected to https automagically.

Ryan Manley December 20, 2018

This may be an option if I have to do it. I don't really want to have to run two servers to do it though. If I can keep it all confined to one, that would be ideal. What are the security advantages?

Dave Theodore [Coyote Creek Consulting]
Community Leader
December 20, 2018

There is no need to run the proxy on a separate server. You can run it on the Confluence server. We commonly set Confluence up this way and configure it to connect to 127.0.0.1:8090. The biggest advantage is simple cert management. You can also do cool stuff like displaying a custom “system down” page when you perform maintenance or unexpectedly go down. From a security perspective, if an attacker is able to exploit a vulnerability in Java that allows them to execute arbitrary code, that code will be executed as the “confluence” user. This is an unprivileged user, so they can’t do things like reboot, access other users’ data, etc. It limits your exposure in the event of a hack.

Ryan Manley December 20, 2018

Ohhh, I think I understand. So I could install Apache on the Confluence server and then run the proxy from there. I've managed Apache servers for many years, but this is my first time working with Tomcat, and really my first time getting my hands real dirty with certs. I usually fumble through them well enough.

So I set up Apache and set up my certs and redirects from that?

Ryan Manley December 20, 2018

Thanks Dave, Stephen and Shannon. I'm following now. I'll get to it and report back in a bit!

Thanks,

Ryan

Shannon S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 21, 2018

You're welcome, Ryan!

As for your Linux version, most versions of Linux are supported, aside from Alpine Linux (CONFSERVER-52400).

Let us know how your tests go, and if you have any further questions.

Shannon

0 votes
Shannon S
Atlassian Team
December 20, 2018

Hi Ryan,

This is where you would list the path to the location of the keystore in Tomcat.

For more information on that, have a look at Running Confluence Over SSL or HTTPS > Step 3. Specify the location of your certificate:

By default, Tomcat expects the keystore file to be named .keystore and to be located in the user home directory under which Tomcat is running (which may or may not be the same as your own home directory). This means that, by default, Tomcat will look for your SSL certificates in the following location:

  • On Windows: C:\users\#CURRENT_USER#\.keystore
  • On OS X and UNIX-based systems: ~/.keystore

I hope that helps, but do let me know if you have any questions about this.
Regards,
Shannon
Ryan Manley December 20, 2018

Hi Shannon,

Thank you for the quick response. I did read that and that's what I'm trying to understand. When I look there, I don't see the .keystore file. I'm installing a wildcard SSL cert and following these directions:

https://confluence.atlassian.com/kb/how-to-import-an-existing-ssl-certificate-for-use-in-tomcat-838412853.html

In step 2 I'm supposed to merge the tomcat keystore and the one I created in step 1. However, the tomcat keystore does not exist in the location you specified under any user. Am I missing something else?

Thanks,

Ryan

Ryan Manley December 20, 2018

The other thing that may or may not matter is that after following through step 3 on the guide you posted, the service is listening on port 8443. I can telnet to it to confirm. However, I cannot pull up the web page with https on port 8443. I can only pull it up with http on port 8090.

Ryan Manley December 20, 2018

Just to rule variables out. I tried to install the self-signed certificate exactly as the directions show and I'm having the same issue where a service is listening on port 8443 but I can't pull up the webpage on it.

Shannon S
Atlassian Team
December 20, 2018

What's the error you're getting when you try to access via 8443? 

If you haven't installed an SSL yet, then the keystore might not exist, so you would want to go through the documentation I recommended to create it first, set it in server.xml, and then update.

The same would be for 8443, if you haven't set up Confluence to work on that port, then it won't load yet.

Otherwise, there are a few suggestions from the thread Confluence not opening port 8443 that might be able to help you.

Regards,

Shannon

Ryan Manley December 20, 2018

The error I get is "ERR_TIMED_OUT". Using netstat and telnet, I have verified that the service is listening on port 8443. I installed the self-signed cert and set it up in server.xml, saved and rebooted. I changed the base URL in the admin configuration and rebooted. Still nothing.

Ryan Manley December 20, 2018

This is Ubuntu 18.04. Is it supported? There's some cloud config things in it that are centered around hostname and DNS and it may have an impact. I can try installing on 16.04.

Stephen Sifers
Atlassian Team
December 20, 2018

Hello Ryan,

When you set up Confluence to use an SSL cert you will have to ensure a few things are configured to ensure Confluence starts and responds properly. Here are the items that need to be configured:

  1. Setup your own SSL keystore.
    1. Create a self-signed certificate
    2. Use a certificate issued by a Certificate Authority (recommended)
  2. Configure the server.xml file to contain the new keystore and the ports you wish to use.
    1. By default it will use 8443 when configured for SSL
    2. Example: www.Confluence.com:8443
    3. Example Server.xml file (Confluence 6.13):
<Server port="8000" shutdown="SHUTDOWN" debug="0">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" connectionTimeout="20000" redirectPort="8443"
               maxThreads="48" minSpareThreads="10"
               enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
               protocol="org.apache.coyote.http11.Http11NioProtocol" />

    <Engine name="Standalone" defaultHost="localhost" debug="0">
      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true" autoDeploy="false" startStopThreads="4">
        <Context path="" docBase="../confluence" debug="0" reloadable="false" useHttpOnly="true">
          <!-- Logger is deprecated in Tomcat 5.5. Logging configuration for Confluence is specified in confluence/WEB-INF/classes/log4j.properties -->
          <Manager pathname="" />
          <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60" />
        </Context>

        <Context path="${confluence.context.path}/synchrony-proxy" docBase="../synchrony-proxy" debug="0" reloadable="false" useHttpOnly="true">
          <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="60" />
        </Context>
      </Host>
    </Engine>

    <!--
    To run Confluence via HTTPS:
    * Uncomment the Connector below
    * Execute:
      %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
      $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix)
      with a password value of "changeit" for both the certificate and the keystore itself.
    * Restart and visit https://localhost:8443/

    For more info, see https://confluence.atlassian.com/display/DOC/Running+Confluence+Over+SSL+or+HTTPS
    -->

    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
               URIEncoding="UTF-8" keystorePass="Key-Store-Password" keystoreFile="/opt/atlassian/.keystore"/>
  </Service>
</Server>

Once the above is completed then move forward to this:

  1. Update your base URL within Confluence to mirror the new URL with the port
  2. Stop, then start Confluence once these changes have been made.

If Confluence is unreachable after configuring SSL, please check the following document: SSL Troubleshooting

If you have questions about which products are supported by Confluence, we would suggest you visit: Supported Platforms.

If you’re still having issues, please paste your server.xml file (please sanitize this file and remove any usernames or passwords).

Regards,
Stephen Sifers | Senior Community Support Engineer, Atlassian
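A check script for the two questions this thread turns on (where Tomcat looks for the keystore, per Shannon's answer, and whether the server.xml HTTPS connector, the base URL and the listening port agree, per the steps above), written as an added example in Python. It is not Atlassian's code and not anything posted in the thread. It assumes Tomcat's documented keystoreFile rules (default is `.keystore` in the home directory of the user running Tomcat; a relative path is resolved against CATALINA_BASE), a constructed server.xml built from the connector shown above, and a hypothetical base URL `https://confluence.example.com:8443`; the CATALINA_BASE default `/opt/atlassian/confluence` is a placeholder to replace with your own installation path.

```python
"""Pre-restart checks for a Confluence/Tomcat HTTPS connector.

Added example, not Atlassian's or the poster's code. Assumes the Tomcat
connector attributes named in the thread (SSLEnabled, keystoreFile,
keystorePass, sslEnabledProtocols) and Tomcat's keystoreFile lookup rules.
"""
import os
import socket
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the thread's HTTPS connector, trimmed, pointing at a
# keystore path that does not exist on this machine.
SAMPLE_SERVER_XML = """<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" redirectPort="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol" />
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               keystorePass="Key-Store-Password" keystoreFile="/opt/atlassian/.keystore"/>
  </Service>
</Server>
"""

# Protocol versions a current deployment should not offer.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def resolve_keystore(path, catalina_base, tomcat_home):
    """Apply Tomcat's keystoreFile rules: no value means ~/.keystore of the
    user running Tomcat (not necessarily your own home); a relative path is
    resolved against CATALINA_BASE; an absolute path is used as-is."""
    if not path:
        return os.path.join(tomcat_home, ".keystore")
    if not os.path.isabs(path):
        return os.path.join(catalina_base, path)
    return path


def check_server_xml(xml_text, base_url, catalina_base="/opt/atlassian/confluence",
                     tomcat_home=os.path.expanduser("~")):
    """Return a list of findings; an empty list means the HTTPS connector
    is consistent with the base URL and its keystore is present."""
    findings = []
    root = ET.fromstring(xml_text)
    https = [c for c in root.iter("Connector") if c.get("SSLEnabled", "").lower() == "true"]
    if not https:
        findings.append('no Connector has SSLEnabled="true": anything listening on 8443 '
                        'is plain HTTP, and a browser speaking TLS to it will not load the page')
        return findings
    url = urlparse(base_url)
    expected_port = url.port or (443 if url.scheme == "https" else 80)
    for conn in https:
        port = int(conn.get("port", "0"))
        if url.scheme != "https":
            findings.append(f"base URL {base_url} is not https:// but connector {port} is TLS-enabled")
        if port != expected_port:
            findings.append(f"base URL port {expected_port} does not match HTTPS connector port {port}")
        keystore = resolve_keystore(conn.get("keystoreFile"), catalina_base, tomcat_home)
        if not os.path.isfile(keystore):
            findings.append(f"keystoreFile {keystore} does not exist; Tomcat cannot start connector {port}")
        if not conn.get("keystorePass"):
            findings.append(f"connector {port} has no keystorePass")
        enabled = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()}
        legacy = sorted(enabled & LEGACY_PROTOCOLS)
        if legacy:
            findings.append(f"connector {port} enables legacy protocols {legacy}; allow TLSv1.2 and newer only")
    return findings


def probe_tls(host, port, timeout=5.0):
    """Classify what answers on host:port: 'refused' (nothing listening),
    'timeout' (a packet filter in the way, which is what ERR_TIMED_OUT in a
    browser usually means), 'no-tls' (a listener that does not speak TLS),
    'error' for other socket failures, or the negotiated TLS version on
    success. Certificate verification is off here on purpose: the question
    being asked is reachability, and a self-signed cert would otherwise
    mask the answer."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except ssl.SSLError:
        return "no-tls"
    except OSError:
        return "error"


if __name__ == "__main__":
    for finding in check_server_xml(SAMPLE_SERVER_XML, "https://confluence.example.com:8443"):
        print("finding:", finding)
    # Against a real host, probe the connector port after the restart:
    # print(probe_tls("confluence.example.com", 8443))
```

Run it against the real `server.xml` by reading the file into `check_server_xml` with the base URL configured in Confluence, and use `probe_tls` from a client machine rather than from the server itself: a connector that answers locally but times out remotely points at a host or cloud firewall rather than at Tomcat.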

Ryan Manley December 20, 2018

Hi Stephen,

Thanks for the help. I looked through this closely and I've done this procedure multiple times, both with a self-signed cert and a cert from a certificate authority. I am suspecting Ubuntu 18.04 may be an issue. I'm going to try on 16.04 and see if it resolves it.
