Confluence SSL Firefox SSL_ERROR_RX_RECORD_TOO_LONG

Good day all,

I have a JIRA Service Desk 3.4.1 (Core 7.3.1), and Confluence 6.1.1. Both are running on-premise, on the same server (Windows Server 2016).

I have configured "ticketing" and "support" DNS entries to point to separate IP addresses on the same physical network interface card on this server.  This was working before attempting to configure SSL.

I have gone through the necessary steps to configure JIRA Service Desk for SSL, and ensured SSL was working before attempting to configure Confluence. Once I had configured Confluence for SSL, I cannot connect to it via SSL, only with the "http" URL. When I look at the logs I only see this error:

2017-06-12 14:17:08,466 WARN [synchrony-interop-executor:thread-1] [plugins.synchrony.bootstrap.DefaultSynchronyProxyMonitor] pollHealthcheck Could not ping the synchrony-proxy [http://127.0.0.1:80/synchrony-proxy/healthcheck]: {}
org.apache.http.conn.HttpHostConnectException: Connect to 127.0.0.1:80 [/127.0.0.1] failed: Connection refused: connect
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:151)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
    at com.atlassian.confluence.plugins.synchrony.bootstrap.DefaultSynchronyProxyMonitor.pollHealthcheck(DefaultSynchronyProxyMonitor.java:76)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.net.ConnectException: Connection refused: connect
    at java.net.DualStackPlainSocketImpl.waitForConnect(Native Method)
    at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:85)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at org.apache.http.conn.socket.PlainConnectionSocketFactory.connectSocket(PlainConnectionSocketFactory.java:74)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
    ... 15 more

I have even gone as far as to modify my setenv.bat file to add the option to disable Synchrony from running, but it doesn't appear to be working. I've exhausted a lot of articles already. Here is the output from SSLPoke.class when I point it at my SSL address for Confluence:

javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
        at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:710)
        at sun.security.ssl.InputRecord.read(InputRecord.java:527)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
        at SSLPoke.main(SSLPoke.java:31)

2 answers

1 accepted

Ensure that you have both IPv4 and IPv6 loopbacks included in the configuration for JIRA User server.

::1

127.0.0.1

Once those were configured the Confluence could log in users and the SSO was working as well.

Ann Worley Atlassian Team Jul 05, 2017

Thrilled to hear you got it working! Thanks for circling back with the community so others can benefit.

0 vote
Ann Worley Atlassian Team Jun 14, 2017

The SSL poke results are similar to what you would expect connecting over the wrong port or protocol for the port selected:

Unrecognized SSL message, plaintext connection? Exception

If you are running Windows as a service it will ignore parameters in setenv.bat. Please see Configuring System Properties-Windows Service to get an idea how to disable Synchrony if you still need to.

Please see the diagrams and info from Administering Collaborative Editing. One of the relevant paragraphs reads:

"Synchrony runs in a separate JVM, and does not support direct HTTPS connections. If you are not using a reverse proxy, SSL should be terminated at Tomcat. If you are using a reverse proxy or load balancer, SSL should be terminated at your reverse proxy or load balancer."

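The SSLPoke exception and the Firefox error in the title both arise when a TLS client receives a plaintext HTTP reply. The following is an added example, not part of the original thread or of Atlassian's tooling: it sends a ClientHello to a port and classifies the first bytes that come back, showing why "HTTP/" read as a TLS record header produces a "record too long" error. The function names are hypothetical.

```python
import socket
import ssl
import struct

# Largest record a TLS 1.2 peer may send: 2^14 + 2048 bytes (RFC 5246, section 6.2.3).
MAX_TLS_RECORD = 2**14 + 2048
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a server returns after it is sent a TLS ClientHello."""
    if len(data) < 5:
        return "too-short"
    if data.startswith(b"HTTP/"):
        # A TLS client parses these five bytes as a record header:
        # type 'H', version 'TT', length 'P/' = 0x502F = 20527 bytes.
        _ctype, _version, length = struct.unpack("!BHH", data[:5])
        return f"plaintext-http (read as a TLS record of {length} bytes, limit {MAX_TLS_RECORD})"
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4 and length <= MAX_TLS_RECORD:
        return "tls-" + TLS_CONTENT_TYPES[ctype]
    return "unknown"


def client_hello(server_name: str) -> bytes:
    """Let the ssl module build a real ClientHello in memory (nothing is sent)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake now waits for the server's reply
    return outgoing.read()


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(host))
        data = b""
        while len(data) < 5:
            chunk = sock.recv(16)
            if not chunk:
                break
            data += chunk
    return classify_first_bytes(data)
```

Calling `probe()` with your own host name and the port you expect to serve HTTPS returns a `plaintext-http` result when that port is still bound to a non-SSL connector.
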
I was able to make this work by removing TLS1, TLS1.1 and just have TLS1.2 in the connector config key for the confluence instance and got it all to work.

Still slightly confused on how the "shared" user directory works for Confluence. If I change the application links to HTTPS does that disable the ability for JIRA to share login information with Confluence?

Thanks for your assistance.

Ann Worley Atlassian Team Jun 26, 2017

The User Directory configuration is not dependent on the application links. The User Directories are configured on the Confluence Admin>User Directories page.

If you change the base URL for JIRA to an HTTPS URL, it will need to be changed in the User Directory configuration as well as the application links. The Java truststore in Confluence has to contain the JIRA certificate; if the JIRA SSL cert is self signed it will need to be added to the truststore for Confluence. Please see Connecting to LDAP or JIRA applications or Other Services via SSL.

User Directory had "plain ssl" for its Pool Protocol. And I had already updated the application links to be HTTPS for both JIRA and Confluence, and use OAUTH(Impersonation). However I'm not able to log in to Confluence with the same user/pass used in JIRA. I've tried to find a log file where the login errors are captured but cannot find it.

When I attempt to "Test" my JIRA "Crowd" server used in confluence I get this error,

Test basic connection : Failed

com.atlassian.crowd.exception.ApplicationPermissionException: � �Wmo�6 ��_��K7�
Ann Worley Atlassian Team Jun 26, 2017

The login errors should be in the <Confluence_Home>/logs/atlassian-confluence.log. The <confluence_home> directory is the path defined in the following file: <confluence_install>/confluence/WEB-INF/classes/confluence-init.properties

When you choose JIRA for a User Directory, Confluence always calls it a "Crowd" server, because JIRA uses embedded Crowd.

Based on the applicationpermission exception you are seeing, please make sure the username and password in the User Directory configuration match the application name and password configured in JIRA under "JIRA User Server".

I'm attempting to follow the instructions in this link, integrating crowd with atlassian confluence, to confirm I have this all set up correctly.

I'm not able to access the Crowd server now that SSL is enabled.

http://localhost:8095/crowd
http://localhost:8095/crowd/console

Ann Worley Atlassian Team Jun 26, 2017

My understanding was that you were using JIRA to manage the users for Confluence as described in Allowing connections to JIRA for user management.

If you changed the Crowd URL to https, you must follow this: How to change the Crowd Base URL. However, if the JIRA server was working fine to manage Confluence users before SSL was enabled, you shouldn't need to install Crowd.

Ann Worley Atlassian Team Jun 26, 2017

RJ, I noticed you created a support ticket for this issue at https://getsupport.atlassian.com. I hope that you can update this thread with the solution when you find it, so the Community can benefit from your experience.

I will most definitely. This is not an easy task to accomplish, and with very little prior knowledge I thought it would be best to get help so I didn't mess anything up.

 
