Confluence 6.9.1, Tomcat, GoDaddy certificates

Richard Byrd June 15, 2018

I've been wrestling with this for a week now, and I now admit I'm not going to solve this without some help.

Situation:  I have a licensed copy of Confluence 6.9.1.  Setting it up for vanilla http was simple.  I then generated a self-signed certificate and stepped through the how-tos and was able to get everything working fairly quickly using the self-signed cert.

The next logical step was getting a verified certificate, which I did through GoDaddy.  The Tomcat collection of certs contains the actual certificate for my FQDN, a gd_bundle-g2-g1.crt and a gdig2.crt.pem intermediate cert.

I have fought with keytool and openssl in vain to get a workable cert configuration for my setup.  I've executed how-to documents found on a dozen other websites, the instructions provided by GoDaddy, stuff on the Confluence website--and still, when I attempt to use some variety of the certs provided by GoDaddy, I get a dead site.

If there is someone out there who has successfully installed GoDaddy SSL certificates for Confluence, I would be grateful for a simple step-by-step "HOW I DID IT" a la Young Frankenstein.

2 answers

1 vote
Gavin McDonald June 16, 2018

There is an article here (with which I have no affiliation) that gives a not-bad guide:

https://www.mulesoft.com/tcat/tomcat-ssl

The Apache Tomcat project also has great docs on this:

http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html

I'd be happy to do a step by step how to, but that wouldn't be ready before you need it I imagine, so best we can do right now is try a bit more troubleshooting of your setup.

Can you tell us a bit more about 'dead site': what's happening, any error messages? Can you locate your Confluence install's catalina.out file and check for any errors there?

HTH

Gav...

Richard L. Byrd June 18, 2018

Thanks for the reply, Gavin.  I have been through the quite detailed mulesoft how-to.  Let me see if I can delineate the varied ways I've tried this.

As I mentioned above, GoDaddy sent me the actual certificate for my domain, gd_bundle-g2-g1.crt and a gdig2.crt.pem intermediate cert.  First, I created a new keystore and added the certificates like this:

keytool -import -keystore ../.keystore -trustcacerts -file gd_bundle-g2-g1.crt -alias gd_bundle
keytool -import -keystore ../.keystore -trustcacerts -file gdig2.crt.pem -alias intermed
keytool -import -keystore ../.keystore -trustcacerts -file bef9983ed48f7b57.crt -alias tomcat

The Confluence server came up, and I could telnet to the port (iptables is currently OFF) but was unresponsive; connections timed out.

Tried using just a plain g2 root instead of the bundle:

keytool -import -keystore ../.keystore -trustcacerts -file gdroot-g2.crt -alias root
keytool -import -keystore ../.keystore -trustcacerts -file gdig2.crt.pem -alias intermed
keytool -import -keystore ../.keystore -trustcacerts -file bef9983ed48f7b57.crt -alias tomcat

Samesies.

I've tried a couple of other permutations using root and intermediate certs found here: https://certs.godaddy.com/repository to no avail.

For reference, here's the connect string from server.xml:

       <Connector port="8443" maxHttpHeaderSize="8192"
                   maxThreads="150" minSpareThreads="25"
                   protocol="org.apache.coyote.http11.Http11NioProtocol"
                   enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
                   URIEncoding="UTF-8" keystoreFile="/home/confluence1/.keystore" keyAlias="tomcat" keystorePass="xxxxxxxxx"/>

I have also tried sslProtocol="TLS1.2" and an sslEnabledProtocols/ciphers line that leaves no stone unturned:

sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

My gut tells me there's some simple thing I'm missing, or one particular permutation of variables that I haven't tried here, but I'll be damned if I know what it is.  Everything works fine with the self-signed cert I created, but it's a self-signed cert and useless in the long run.

--Richard

Richard Byrd June 18, 2018

Clarification: 

The Confluence server came up, and I could telnet to the port (iptables is currently OFF) but was unresponsive; connections timed out.

What I meant was "Attempts to then access the server via a browser or the GoDaddy certificate checker tool result in a timeout."

0 votes
Vickey Palzor Lepcha June 15, 2018

I use Apache HTTP Server for my Confluence; it's a simple one-liner in my SSL configuration file that points to my SSL cert and key (in one single file or two different files).

Depending on how I am leveraging my application, I may also have to import it into my Confluence keystore.

Richard Byrd June 15, 2018

I am avoiding Apache altogether, and am just utilizing Tomcat.  It seemed as if it would be a straightforward operation, but apparently I am missing some sorcerous knowledge.
