SSL Confluence & letsencrypt

Having some difficulties with getting SSL set up on our Windows instance of Confluence using Letsencrypt. Has anyone run through this before using letsencrypt? Would appreciate any help or guidance!

Answer accepted
Davin Studer Community Leader Feb 02, 2018

Are you using IIS as a reverse proxy and doing the SSL termination at IIS or are you doing the SSL termination with Tomcat?

We’re utilizing Tomcat Davin

Davin Studer Community Leader Feb 02, 2018

I think you are going to have the best success if you set it up to reverse proxy through IIS. We are on Windows in our organization as well and we saw about a 15%-20% performance boost when we switched where we terminate the SSL connection. I think IIS is just better about handling SSL than Tomcat is. Plus there is lots of information on how to set up Let's Encrypt with IIS. I don't really have any gems for you with regards to Tomcat, but maybe consider using IIS for that. It's actually pretty easy to set up and it took me less than an hour to do.

That’s interesting, I think I’m going to look at going that route, didn’t even think about doing it that way. You didn’t happen to follow https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-microsoft-internet-information-services-iis-833931378.html did you? 

Davin Studer Community Leader Feb 02, 2018

Sure did. Honestly, I think it makes doing SSL with Confluence a bit easier anyway. I'm not fond of having to go to the command line to create java keystores and generating CSRs. If you are on Confluence 6.5 or above this web.config works. If you are below 6.5 there are some changes that need to be made due to a bug that causes synchrony to stop working when large amounts of text are pasted into the editor window.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
 <system.webServer>
  <rewrite>
   <rules>
    <clear />
    <rule name="Force HTTPS" enabled="true" stopProcessing="true">
     <match url="(.*)" />
     <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
      <add input="{HTTPS}" pattern="off" />
     </conditions>
     <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" appendQueryString="true" redirectType="Permanent" />
    </rule>
    <rule name="Synchrony HTTP" stopProcessing="true">
     <match url="synchrony/(.*)" />
     <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
     <action type="Rewrite" url="http://localhost:8091/synchrony/{R:1}" />
    </rule>
    <rule name="Synchrony Web Sockets Reverse Proxy" stopProcessing="true">
     <match url="ws://(.*)" />
     <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
     <action type="Rewrite" url="ws://localhost:8091/{R:1}" />
    </rule>
    <rule name="Confluence Reverse Proxy" stopProcessing="true">
     <match url="(.*)" />
     <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
     <action type="Rewrite" url="http://localhost:8090/{R:1}" />
    </rule>
   </rules>
  </rewrite>
  <security>
   <requestFiltering allowDoubleEscaping="true">
    <!-- This value must be in bytes. Set it a little higher than what Confluence's max upload size is. -->
    <requestLimits maxAllowedContentLength="62914560" />
   </requestFiltering>
  </security>
 </system.webServer>
 <system.web>
  <!-- The attribute "requestPathInvalidCharacters" keeps IIS from complaining about special characters in the url. The attribute "maxRequestLength" controls the max upload size. Set to the equivalent of the above, but in kilobytes instead of bytes. -->
  <httpRuntime executionTimeout="20" maxRequestLength="61440" requestPathInvalidCharacters="" requestValidationMode="2.0" />
  <pages validateRequest="false" />
 </system.web>
</configuration>
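An added example, not part of the post above or of Atlassian's documentation: a small Python check for a web.config like this one. It confirms that the HTTPS redirect is the first enabled rule, that every proxied backend stays on loopback (the IIS-to-Tomcat hop is plain HTTP), and that the byte and kilobyte upload limits agree. The name `audit_web_config` and the condensed `SAMPLE` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# Constructed sample, condensed from the web.config above (Synchrony rules omitted).
SAMPLE = """<configuration><system.webServer><rewrite><rules>
 <rule name="Force HTTPS" enabled="true" stopProcessing="true">
  <match url="(.*)" />
  <conditions><add input="{HTTPS}" pattern="off" /></conditions>
  <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
 </rule>
 <rule name="Confluence Reverse Proxy" stopProcessing="true">
  <match url="(.*)" />
  <action type="Rewrite" url="http://localhost:8090/{R:1}" />
 </rule>
</rules></rewrite><security><requestFiltering>
 <requestLimits maxAllowedContentLength="62914560" />
</requestFiltering></security></system.webServer>
<system.web><httpRuntime maxRequestLength="61440" /></system.web></configuration>"""

def audit_web_config(xml_text):
    """Return a list of findings; an empty list means all three checks passed."""
    root = ET.fromstring(xml_text)
    findings = []
    rules = [r for r in root.iter("rule") if r.get("enabled", "true") != "false"]
    # 1. The first enabled rule must send plain HTTP to HTTPS; a catch-all proxy
    #    rule with stopProcessing ahead of it would serve HTTP without redirecting.
    first = rules[0] if rules else ET.Element("rule")
    action = first.find("action")
    redirects = (action is not None and action.get("type") == "Redirect"
                 and action.get("url", "").startswith("https://"))
    on_http = any(c.get("input") == "{HTTPS}" and c.get("pattern") == "off"
                  for c in first.iter("add"))
    if not (redirects and on_http):
        findings.append("first enabled rule does not redirect HTTP to HTTPS")
    # 2. The hop from IIS to the backend is unencrypted, so every Rewrite
    #    target should stay on the loopback interface.
    for rule in rules:
        act = rule.find("action")
        if act is not None and act.get("type") == "Rewrite":
            host = urlsplit(act.get("url", "")).hostname
            if host not in LOOPBACK:
                findings.append(f"rule '{rule.get('name')}' proxies to non-loopback host {host}")
    # 3. maxAllowedContentLength is in bytes, maxRequestLength is in kilobytes.
    limits, runtime = root.find(".//requestLimits"), root.find(".//httpRuntime")
    if limits is not None and runtime is not None and int(
            limits.get("maxAllowedContentLength", 0)) != int(runtime.get("maxRequestLength", 0)) * 1024:
        findings.append("upload limits disagree between IIS and ASP.NET")
    return findings
```

Calling `audit_web_config(open("web.config").read())` on the real file works as long as the text passed in does not have leading whitespace before the XML declaration.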

Thanks Davin, I'm going through that process now with adding the site into IIS, what would you enter into the Physical Path area? And I'm assuming with the SSL Certificate portion you would have to add the certificate in somewhere in order for it to show up. Also, I've been looking for the web.config but can't seem to locate it, unless you have to create it? Thanks for the help & guidance I really appreciate it!

[Screenshots: iis2.PNG, iis1.PNG]

Davin Studer Community Leader Feb 02, 2018

You will need to set up the Let's Encrypt stuff first to get the cert on your server and then you will be able to select it in the first screenshot. As for the second, that is the physical path of the website on the server that will respond to port 80 and 443 requests. By default there is already a site in IIS that is bound to 80 and 443 and its default directory is C:\inetpub\wwwroot. As for the web.config file, you will need to create it in the root of your IIS website.

Just hung up here on the physical path portion - I'd have to create a folder/directory for the path? 

Davin Studer Community Leader Feb 02, 2018

If you have IIS on the system you should already have a default site set up in IIS and the path for that default site is C:\inetpub\wwwroot. That's the default. If that default site was removed, then you will need to create a new site and point it to a physical path that will be the site's root folder. That can be wherever you want it to be, but IIS will need the appropriate NTFS permissions to read the files in the folder and execute server-side code.

Is Confluence the only application running on this server?

Hi Davin - yes this is the only application that would be running on the server, in looking at the documentation Atlassian is going through creating a new site instead of using the default. 

Davin Studer Community Leader Feb 05, 2018

Yeah, I think they are just covering the bases in case you are already running a site on the default site or you deleted the default site. If you have the default site and you are not using it there is no reason you can't use that site.

Gents,

I have just managed to set up my Jira & Confluence instances with HTTPS using the details discussed here.

Many, many thanks to @Davin Studer for the invaluable help and to @Kevin Decker for treading the path before me and of course the link to the page on Proxying with IIS.

Couldn't have done it without you both, much appreciated.
