I've been wrestling with this for a week now, and I now admit I'm not going to solve this without some help.
Situation: I have a licensed copy of Confluence 6.9.1. Setting it up for vanilla http was simple. I then generated a self-signed certificate and stepped through the how-tos and was able to get everything working fairly quickly using the self-signed cert.
The next logical step was getting a verified certificate, which I did through GoDaddy. The Tomcat collection of certs contains the actual certificate for my FQDN, a gd_bundle-g2-g1.crt and a gdig2.crt.pem intermediate cert.
I have fought with keytool and openssl in vain to get a workable cert configuration for my setup. I've executed how-to documents found on a dozen other websites, the instructions provided by GoDaddy, stuff on the Confluence website--and still, when I attempt to use some varietal of the certs provided by GoDaddy, I get a dead site.
If there is someone out there who has successfully installed GoDaddy SSL certificates for Confluence, I would be grateful for a simple step-by-step "HOW I DID IT" a la Young Frankenstein.
There is an article here (with which I have no affiliation) that gives a not bad guide:
https://www.mulesoft.com/tcat/tomcat-ssl
The Apache Tomcat project also has great docs on this:
http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
I'd be happy to do a step by step how to, but that wouldn't be ready before you need it I imagine, so best we can do right now is try a bit more troubleshooting of your setup.
Can you tell us a bit more about 'dead site': what's happening, any error messages? Can you locate your Confluence install's catalina.out file and check for any errors there?
HTH
Gav...
Thanks for the reply, Gavin. I have been through the quite detailed mulesoft how-to. Let me see if I can delineate the varied ways I've tried this.
As I mentioned above, GoDaddy sent me the actual certificate for my domain, gd_bundle-g2-g1.crt and a gdig2.crt.pem intermediate cert. First, I created a new keystore and added the certificates like this:
keytool -import -keystore ../.keystore -trustcacerts -file gd_bundle-g2-g1.crt -alias gd_bundle
keytool -import -keystore ../.keystore -trustcacerts -file gdig2.crt.pem -alias intermed
keytool -import -keystore ../.keystore -trustcacerts -file bef9983ed48f7b57.crt -alias tomcat
The Confluence server came up, and I could telnet to the port (iptables is currently OFF) but was unresponsive; connections timed out.
Tried using just a plain g2 root instead of the bundle:
keytool -import -keystore ../.keystore -trustcacerts -file gdroot-g2.crt -alias root
keytool -import -keystore ../.keystore -trustcacerts -file gdig2.crt.pem -alias intermed
keytool -import -keystore ../.keystore -trustcacerts -file bef9983ed48f7b57.crt -alias tomcat
Samesies.
I've tried a couple of other permutations using root and intermediate certs found here: https://certs.godaddy.com/repository to no avail.
For reference, here's the connect string from server.xml:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25"
protocol="org.apache.coyote.http11.Http11NioProtocol"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
URIEncoding="UTF-8" keystoreFile="/home/confluence1/.keystore" keyAlias="tomcat" keystorePass="xxxxxxxxx"/>
I have also tried sslProtocol="TLS1.2" and an sslEnabledProtocols/ciphers line that leaves no stone unturned:
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
My gut tells me there's some simple thing I'm missing, or one particular permutation of variables that I haven't tried here, but I'll be damned if I know what it is. Everything works fine with the self-signed cert I created, but it's a self-signed cert and useless in the long run.
--Richard
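A diagnostic one can run against the setup described in this reply (keystore at /home/confluence1/.keystore, keyAlias="tomcat"), as an added example that is not code from the thread or from Atlassian: it parses a plain `keytool -list` listing to tell whether the alias the connector points at holds a private key or only a certificate (importing a signed cert with `-trustcacerts` into a fresh keystore, where the alias has no existing key pair, creates a trustedCertEntry, and Tomcat's JSSE connector cannot terminate TLS from that), and it filters catalina.out down to the TLS/keystore lines Gavin asked about. The environment variables CONFLUENCE_KEYSTORE, KEYSTORE_PASS, KEY_ALIAS, CONFLUENCE_HOST and CONFLUENCE_PORT, and the sample listing, are my own constructions; keytool and openssl on PATH are assumed.

```shell
#!/bin/sh
# Added diagnostic for a Tomcat-only Confluence TLS setup (example, not from the thread).
# Assumptions (labelled): keytool and openssl are on PATH; keystore path, alias and
# password come from the CONFLUENCE_KEYSTORE / KEY_ALIAS / KEYSTORE_PASS variables,
# which mirror keystoreFile / keyAlias / keystorePass in server.xml.

# Constructed sample of what `keytool -list` prints after importing three
# certificates into a brand-new keystore (fingerprints are placeholders).
SAMPLE_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

gd_bundle, Nov 1, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): AA:BB:CC
intermed, Nov 1, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): DD:EE:FF
tomcat, Nov 1, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:22:33'

# Read a plain `keytool -list` listing on stdin and print the entry type that
# keytool recorded for the given alias: "PrivateKeyEntry", "trustedCertEntry",
# or "missing" when the alias is not in the keystore at all.
entry_type_for_alias() {
    wanted=$1
    found=missing
    while IFS= read -r line; do
        case "$line" in
            "$wanted,"*)
                # keytool prints one "alias, date, EntryType," line per entry;
                # strip trailing commas/spaces, then keep the last ", " field.
                found=$(printf '%s' "$line" | sed 's/[ ,]*$//; s/.*, //')
                ;;
        esac
    done
    printf '%s\n' "$found"
}

# Turn the entry type into a verdict. A JSSE connector needs a key entry under
# keyAlias (certificate chain plus the private key that signed the CSR); a
# trustedCertEntry carries only the public certificate.
verdict_for_entry_type() {
    case "$1" in
        PrivateKeyEntry)  echo "ok: alias holds a private key; Tomcat can serve this certificate" ;;
        trustedCertEntry) echo "problem: alias holds only a certificate, no private key; import the signed cert into the keystore that holds the CSR's key pair, under that same alias" ;;
        missing)          echo "problem: alias not present; keyAlias in server.xml must name an existing key entry" ;;
        *)                echo "unknown entry type: $1" ;;
    esac
}

# Filter log text on stdin (e.g. catalina.out) down to lines that point at a
# TLS or keystore problem. Exit status 0 if anything matched, 1 otherwise.
scan_tls_errors() {
    grep -E -i 'keystore|key entry|alias name|SSLException|handshake'
}

# Live keystore check; only runs when CONFLUENCE_KEYSTORE is set, so the
# functions above can be sourced and tested without a real keystore.
check_keystore() {
    ks=$1; alias_name=$2
    etype=$(keytool -list -keystore "$ks" -storepass "${KEYSTORE_PASS:-changeit}" 2>/dev/null \
              | entry_type_for_alias "$alias_name")
    verdict_for_entry_type "$etype"
}

# Handshake probe. A plain timeout with nothing in the log points at the
# listener or firewall; a handshake failure with a chain complaint points back
# at the keystore contents.
tls_probe() {
    host=$1; port=${2:-8443}
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" -showcerts 2>&1 \
        | grep -E 'Verify return code|depth=|error|alert'
}

if [ -n "${CONFLUENCE_KEYSTORE:-}" ]; then
    check_keystore "$CONFLUENCE_KEYSTORE" "${KEY_ALIAS:-tomcat}"
    [ -n "${CONFLUENCE_HOST:-}" ] && tls_probe "$CONFLUENCE_HOST" "${CONFLUENCE_PORT:-8443}"
fi
```

Run it as `CONFLUENCE_KEYSTORE=/home/confluence1/.keystore KEYSTORE_PASS=... KEY_ALIAS=tomcat CONFLUENCE_HOST=<fqdn> sh check-tls.sh`; for a keystore built the way the three `keytool -import` lines above build it, the verdict for the tomcat alias comes back as "problem", because the signed certificate never landed on top of the key pair that produced the CSR.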
Clarification:
The Confluence server came up, and I could telnet to the port (iptables is currently OFF) but was unresponsive; connections timed out.
What I meant was "Attempts to then access the server via a browser or the GoDaddy certificate checker tool result in a timeout."
I use Apache HTTP Server for my Confluence. It's a simple one-line entry in my SSL configuration file that points to my SSL cert and key (in one single file or two different files).
Depending on how I am leveraging my application - I may also have to import it on my confluence keystore.
I am avoiding Apache altogether, and am just utilizing Tomcat. It seemed as if it would be a straightforward operation, but apparently I am missing some sorcerous knowledge.