問題

Confluence is unable to connect to the Atlassian Marketplace, and the logs show the following error:

WARN [UpmScheduler:thread-1] [atlassian.upm.pac.PacClientImpl] get Error when querying application info from MPAC: com.atlassian.marketplace.client.MpacException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

When viewing the Manage Apps page, you see the following:

診断

環境

• This article only applies in environments where Confluence is using an outbound proxy.

Diagnostic Steps

To understand why the SSL handshake is failing, we need to use a tool to connect to the Atlassian Marketplace so we can see the certificate chain presented by https://marketplace.atlassian.com

1. Download httpclienttest-1.0.2.jar to the Confluence instance. An easy way to get this from a Linux host is to run:

   wget https://bitbucket.org/atlassianlabs/httpclienttest/downloads/httpclienttest-1.0.2.jar

2. While in the same directory as httpclienttest-1.0.2.jar, run the following command if Java is not configured to use an outbound proxy:

   java -Djavax.net.debug=all -jar httpclienttest-1.0.2.jar https://marketplace.atlassian.com 2>&1 |grep -s -A 13 "Certificate chain"

   If Confluence has Java options that configure an outbound proxy, we need to modify the command to include the outbound proxy settings to ensure that the tool is using the same network path as Confluence:

   java -Djavax.net.debug=all -Dhttps.proxyHost=proxy.example.org -Dhttps.proxyPort=8080 -jar httpclienttest-1.0.2.jar https://marketplace.atlassian.com 2>&1 |grep -s -A 13 "Certificate chain"

   Note: On a Linux host you can check in <confluence-install>/bin/setenv.sh to see if there are any Java options for configuring the outbound proxy. If present, copy the Java options and use them in the command above.

When this command is run from a working Confluence instance that is able to successfully connect to the Atlassian Marketplace, there are two potential expected results:

*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=*.atlassian.io
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 30234748804327560602316261425403865730397374683516831384688696353766036794525522695375652473452809682252688739192121964232220794597194373270104942635210833305665568589459989494837425961138237227380665305653191937600658101312650579549935017618613380279793444558883512248734111496113322379280536896099015585583069049175947391527559846245850660296754570767369507365116811547450831917412770311039303550825131915846122468900578508908980887164892823419606813875095024708203104528430286076692813844918431747722858346021827881341647325123149182252534119083121525552047215308293718733367034866259792650843053408987312251080437
  public exponent: 65537
  Validity: [From: Sun Aug 11 19:00:00 CDT 2019,
               To: Sat Sep 12 07:00:00 CDT 2020]
  Issuer: CN=Amazon, OU=Server CA 1B, O=Amazon, C=US
  SerialNumber: [    0b94d4b0 588e827a 9143075f bc6eaadb]

*** Certificate chain

chain [0] = [

[

  Version: V3

  Subject: CN=*.atlassian.com, O=Atlassian Pty Ltd, L=Sydney, ST=New South Wales, C=AU

  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11




  Key:  Sun RSA public key, 2048 bits

  modulus: 26291734432785281489141499481813189725889082015075414203162005104997976364866332994326591855423326814355411825562201092851453676602042728023677951752392500424033196430036705596201719493819135951730008563389480463643026345170663524390307732928685211026027440022217909709487810190396009078759628607641695783361427907006339092784628018162696573895014839129946993154848802998220800044497172146645579553226429020582909036051858376325136596785741178968303260584223017362087260224860720972947057525360171874390252486162527295020775750350272764798962617524777316201776936683863695784197796678590387205179977306558229221697639

  public exponent: 65537

  Validity: [From: Sun Oct 21 19:00:00 CDT 2018,

               To: Wed May 06 07:00:00 CDT 2020]

  Issuer: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

  SerialNumber: [    0253a1d0 8b789d6b b22f83bf 2b9c9bbd]

Note the issuer of the certificate:

Issuer: CN=Amazon, OU=Server CA 1B, O=Amazon, C=US

または

Issuer: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US

If you see a different issuer than the two noted above, this article applies to you.

原因

Some outbound proxies implement a feature called SSL Interception or SSL Impersonation. This feature enables inspection of encrypted data that moves through the proxy. When SSL Interception/Impersonation is used, the proxy generates an SSL server certificate for the target. In the case of the Atlassian Marketplace, the proxy has created its own certificate for https://marketplace.atlassian.com, and the issuer of the certificate will not be "Issuer: CN=Amazon, OU=Server CA 1B, O=Amazon, C=US". Instead, the issuer will have a different name and may include the company name. The issuer is a self-signed root certificate, and this root certificate will need to be added to the Java TrustStore that Confluence is using.

ソリューション

Use the following steps to add the root certificate to the Java TrustStore:

• Acquire the root certificate, and copy it to the Confluence host. The name of the certificate will be the same as the "Issuer" from the steps above. Check with your proxy admin if you aren't sure where to get this certificate.

• Use the keytool command to add the root to the Confluence TrustStore, making sure to use the actual path to the root certificate file.

  keytool -import -trustcacerts -alias proxy_root -file /path/to/root.pem -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit

  Note: This command assumes that you have set the $JAVA_HOME variable, and that it is configured to use the path of the actual Java binary that Confluence is using. You can substitute the full path to the cacerts file if $JAVA_HOME is not configured, or if it points to a different Java version than what Confluence is actually using. The command also assumes the default cacerts password (changeit) is being used.

• Restart Confluence and test to see if the Atlassian Marketplace is now displayed properly.