Changing Confluence to SSL

Robert Nadon
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
July 20, 2015

Hi Atlassian experts,

I am trying to move my trial Confluence 5.8.5 CentOS 7 installation to https. After I do, localhost:8090 and it-confluence01:8090 just time out. I looked through the log files (Catalina.out and atlassian-confluence.log) and after correcting any errors in those (my /root/.keystore was not readable by confluence) it still did the same thing.

I also read this https://confluence.atlassian.com/display/DOC/Running+Confluence+Over+SSL+or+HTTPS and changed my web.xml. Still the exact same behavior. I change back to http and everything works; I move to https and nothing.

Here is my server.xml (yes, I know changeit is a terrible password, but I first have to get it to work, then I'll worry about security):

<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25"
protocol="org.apache.coyote.http11.Http11NioProtocol"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true" keystoreFile="/root/.keystore"
clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
URIEncoding="UTF-8" keystorePass="changeit"/>

Thanks in advance for any help on this one.

Robert

3 answers

1 accepted

0 votes
Answer accepted
Robert G. Nadon
Rising Star
August 5, 2015

Turns out the problem was that Confluence was using the ID confluence1 with a home directory of /home/confluence1, and I needed to place .keystore there. Would be nice if Confluence saw an ID of confluence and asked (you already have a confluence ID, do you want to use that?), but once I placed the .keystore in the correct place everything worked. I have up to /home/jira7/ on my JIRA box lol

1 vote
Jason Plumhoff
Rising Star
July 21, 2015

Something else to consider... I'm not sure if you are thinking of putting a reverse proxy on the same server at some point, but I found it easier to configure SSL to terminate at the proxy and then just use the standard web.xml for Confluence.  I was using IIS, but I imagine it would work just as well with Apache or nginx...

Daniel Eads _unmonitored account_
Rising Star
July 21, 2015

Second on this. We use nginx in our environment (and Apache before that) and the setup is pretty straightforward.

Robert Nadon
Rising Star
July 22, 2015

I third that; that is how we did it at the place I just left. Unfortunately that is item 192 on today's hot items list, and I need to make sure passwords are not visible immediately, and then I can set up a proxy et al.

1 vote
Daniel Eads _unmonitored account_
Rising Star
July 21, 2015

Hi Robert,

Looks like you might have a typo. The option for sslProtocol can't have an 's' at the end. See https://tomcat.apache.org/tomcat-7.0-doc/config/http.html for confirmation of valid options.

Additionally, the all option is a shortcut for "TLSv1+TLSv1.1+TLSv1.2". Looks like you could swap out your TLS versions with "all" to simplify the config.

Robert Nadon
Rising Star
July 21, 2015

Thanks, interestingly I did not type that, I simply uncommented it from what was given by Atlassian?!? I tried that, and exact same problem. But now with the extra warning of: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslProtocols' to 'TLSv1,TLSv1.1,TLSv1.2' did not find a matching property.
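
An added example, not part of the original thread and not Atlassian's or Tomcat's code: a Python check that reads a server.xml and reports the three issues raised above (the unmatched sslProtocols attribute, a keystore the service account cannot read, and the default changeit password). The uid 1001 and the home /home/confluence1 are assumed stand-ins for the confluence1 account, keystoreFile is assumed to be an absolute path, and the permission check looks at mode bits only.

```python
import os
import xml.etree.ElementTree as ET

# The Connector from the question inside a minimal server.xml (wrapper is constructed).
SAMPLE = """<Server><Service name="Tomcat-Standalone">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
  scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
  keystoreFile="/root/.keystore" keystorePass="changeit"
  sslProtocols="TLSv1,TLSv1.1,TLSv1.2" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
</Service></Server>"""

def can_read(path, uid, gids=()):
    """True if uid can traverse each parent and read the file (mode bits only, no ACLs)."""
    path = os.path.abspath(path)
    chain, cur = [path], os.path.dirname(path)
    while cur not in chain:                  # collect parent directories up to "/"
        chain.append(cur)
        cur = os.path.dirname(cur)
    for p in chain:
        try:
            st = os.stat(p)
        except OSError:
            return False                     # missing, or not visible to the caller
        if uid == 0:
            continue                         # root bypasses mode bits
        shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
        need = 4 if p == path else 1         # r on the file, x on each directory
        if not (st.st_mode >> shift) & need:
            return False
    return True

def audit(server_xml, uid, gids=(), home="/"):
    """Findings for every SSL-enabled Connector, judged for the service account."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "").lower() != "true":
            continue
        if "sslProtocols" in c.attrib:
            findings.append("sslProtocols matches no Connector property and is ignored")
        # With no keystoreFile, Tomcat looks for .keystore in the running user's home.
        ks = c.get("keystoreFile") or os.path.join(home, ".keystore")
        if not can_read(ks, uid, gids):
            findings.append("keystore %s is not readable by uid %d" % (ks, uid))
        if c.get("keystorePass", "changeit") == "changeit":
            findings.append("keystorePass is Tomcat's default 'changeit'")
    return findings

if __name__ == "__main__":  # uid 1001 and /home/confluence1 are assumed values
    print("\n".join(audit(SAMPLE, uid=1001, home="/home/confluence1")))
```

Run it as root (or as the service account itself) so that every directory on the keystore path can be inspected.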
