Confluence could not run through SSL due to jsse.invalid_ssl_conf

Symptoms

After configuring Confluence to run over HTTPS/SSL, you cannot connect to the secure port, and the following appears in catalina.out:

SEVERE: Error initializing endpoint
java.io.IOException: jsse.invalid_ssl_conf
	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:817)
	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:522)
	...
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
	at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:310)
	at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:255)
	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:813)
	...
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
LifecycleException:  Protocol handler initialization failed: java.io.IOException: jsse.invalid_ssl_conf
	at org.apache.catalina.connector.Connector.initialize(Connector.java:1024)
	at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
	...

Cause

This error has two common causes. First, keystoreType is not defined in server.xml, so JSSE cannot read the keystore because it is not of the default type, JKS. Second, the certificate was not imported into the keystore generated by keytool, because keytool does not let you import an existing private key for which you already have a certificate.

Resolution

  1. Define keystoreType in server.xml, because the default is JKS. For example, the connector in your server.xml would look like this:

    <Connector port="8443" maxHttpHeaderSize="8192"
                       maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                       enableLookups="false" disableUploadTimeout="true"
                       acceptCount="100" scheme="https" secure="true"
                       clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
                       URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"
                       keystoreFile="<MY_CERTIFICATE_LOCATION>" keystoreType="PKCS12"/> 
  2. If that does not help, convert your current certificate and key file from their existing format to DER format, then import the key into a keystore so that it is recognized as a normal JKS.

    For further reading and how-to instructions for these steps, refer to the following links. (Take note of the format of your certificate and key.)

    Import private key and certificate into Java Key Store (JKS)

    The Most Common OpenSSL Commands
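
To tell the two causes apart before editing server.xml, the keystore file itself can be inspected without its password. The following is an added example, not Atlassian's or Tomcat's code: it assumes the JKS on-disk layout used by OpenJDK's JKS provider (magic 0xFEEDFEED, entry tag 1 for a private key, 2 for a trusted certificate), and the names inspect_keystore, diagnose and SAMPLE_CERT_ONLY are hypothetical.

```python
import struct

JKS_MAGIC = 0xFEEDFEED

def inspect_keystore(data):
    """Return (store_type, key_aliases, cert_aliases); alias lists are None unless JKS."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC:  # PKCS#12 is a DER SEQUENCE, so its first byte is 0x30
        return ("PKCS12" if data[0] == 0x30 else "UNKNOWN"), None, None
    pos = 12
    def take(fmt):  # read one big-endian integer and advance
        nonlocal pos
        (value,) = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return value
    def blob(len_fmt):  # read a length-prefixed byte string
        nonlocal pos
        size = take(len_fmt)
        pos += size
        return data[pos - size:pos]
    def skip_cert():  # v2 prefixes each DER certificate with a type string ("X.509")
        for fmt in ([">H", ">I"] if version == 2 else [">I"]):
            blob(fmt)
    keys, certs = [], []
    for _ in range(count):
        tag = take(">I")
        alias = blob(">H").decode("utf-8", "replace")
        take(">Q")      # creation timestamp
        if tag == 1:    # PrivateKeyEntry: protected key plus certificate chain
            blob(">I")
            for _ in range(take(">I")):
                skip_cert()
            keys.append(alias)
        elif tag == 2:  # trustedCertEntry: certificate only, no private key
            skip_cert()
            certs.append(alias)
        else:
            raise ValueError("unknown entry tag %d" % tag)
    return "JKS", keys, certs

def diagnose(data, keystore_type="JKS"):  # the connector's default keystoreType is JKS
    kind, keys, _ = inspect_keystore(data)
    if kind != keystore_type.upper():
        return "keystoreType is %s but the file is %s" % (keystore_type, kind)
    if keys == []:
        return "no private key entry: the certificate was stored without its key"
    return "ok" if keys else "type matches; entries not inspected"
# Constructed sample: JKS v2 with one trusted certificate (dummy bytes) and no key.
SAMPLE_CERT_ONLY = (struct.pack(">IIIIH", JKS_MAGIC, 2, 1, 2, 6) + b"tomcat" + struct.pack(">QH", 0, 5)
                    + b"X.509" + struct.pack(">I", 3) + b"\x30\x01\x00" + bytes(20))
```

For a real file, pass the bytes read from the path in keystoreFile and the value of keystoreType from the connector, for example diagnose(open(path, "rb").read(), "PKCS12").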

Last modified on Mar 30, 2016
