Synchrony Cluster Cannot be Reached by Confluence due to PKIX Error
Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
When setting up a Synchrony cluster for Confluence Data Center, the Synchrony service cannot be reached when attempting to enable the Collaborative Editing feature.
The following appears in the atlassian-confluence.log:
2017-06-02 12:00:00,000 INFO [AtlassianEvent::CustomizableThreadFactory-1] [plugins.synchrony.config.DefaultSynchronyConfigurationManager] retrievePublicKey [Collab editing plugin] Could not retrieve public key for real-time collaboration service at https://confluence-url/synchrony/jwt-key with exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Diagnosis
Environment
- The Confluence instance is using a Load Balancer with SSL.
- The Load Balancer is set according to our documentation: How to configure Amazon Web Service Application Load Balancer with Confluence
- The -Dsynchrony.service.url is properly set to use the Load Balancer URL in the Synchrony startup script. Example:
  -Dsynchrony.service.url=https://confluence-url/synchrony
- The -Dsynchrony.service.url is properly set to use the Load Balancer URL + /v1 in the setenv configuration file of each node. Example:
  -Dsynchrony.service.url=https://confluence-url/synchrony/v1
Diagnostic Steps
- Synchrony is properly set up
- You can reach the Synchrony JVM by accessing the confluence-url/synchrony/heartbeat URL in the browser (an OK message is returned)
- Setting the com.atlassian.confluence.plugins.synchrony class to DEBUG level under the Confluence Administrator panel > Logging and Profiling shows that Synchrony cannot be reached by Confluence:
2017-05-30 21:01:02,111 DEBUG [http-nio-8090-exec-3] [plugins.synchrony.bootstrap.DefaultSynchronyMonitor] isSynchronyUp Checking Synchrony heartbeat on: https://confluence-url/synchrony/heartbeat
2017-05-30 21:01:02,119 DEBUG [http-nio-8090-exec-3] [plugins.synchrony.bootstrap.DefaultSynchronyMonitor] isSynchronyUp No response from Synchrony.
Cause
The certificate from your Load Balancer is not trusted by the application.
Solution
To resolve this issue, we have to import the public certificate into Confluence's truststore. Please follow the instructions in this article to import the certificate: Unable to Connect to SSL Services due to PKIX Path Building Failed
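To confirm from atlassian-confluence.log which TLS endpoint's certificate the Confluence JVM does not trust, the two log patterns quoted above can be correlated per host. This is an added example, not Atlassian's code: the function names are hypothetical and the sample log is constructed from the lines shown in this article.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the log lines quoted in this article.
SAMPLE_LOG = """\
2017-06-02 12:00:00,000 INFO [AtlassianEvent::CustomizableThreadFactory-1] [plugins.synchrony.config.DefaultSynchronyConfigurationManager] retrievePublicKey [Collab editing plugin] Could not retrieve public key for real-time collaboration service at https://confluence-url/synchrony/jwt-key with exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2017-05-30 21:01:02,111 DEBUG [http-nio-8090-exec-3] [plugins.synchrony.bootstrap.DefaultSynchronyMonitor] isSynchronyUp Checking Synchrony heartbeat on: https://confluence-url/synchrony/heartbeat
2017-05-30 21:01:02,119 DEBUG [http-nio-8090-exec-3] [plugins.synchrony.bootstrap.DefaultSynchronyMonitor] isSynchronyUp No response from Synchrony.
"""

MONITOR = r"\[(?P<thread>[^\]]+)\] \[[^\]]*DefaultSynchronyMonitor\] isSynchronyUp "
PKIX = re.compile(r"service at (?P<url>https://\S+) with exception: .*PKIX path building failed")
HEARTBEAT = re.compile(MONITOR + r"Checking Synchrony heartbeat on: (?P<url>\S+)")
NO_RESPONSE = re.compile(MONITOR + r"No response from Synchrony\.")


def endpoint(url):
    """(host, port) of the TLS endpoint whose certificate chain the JVM must trust."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or 443


def triage(log_text):
    """Count PKIX failures and unanswered heartbeats per TLS endpoint."""
    findings, pending = {}, {}  # pending: thread name -> heartbeat URL being checked
    for line in log_text.splitlines():
        if m := PKIX.search(line):
            key, kind = endpoint(m["url"]), "pkix"
        elif m := HEARTBEAT.search(line):
            pending[m["thread"]] = m["url"]
            continue
        elif (m := NO_RESPONSE.search(line)) and m["thread"] in pending:
            key, kind = endpoint(pending.pop(m["thread"])), "heartbeat_failed"
        else:
            continue
        findings.setdefault(key, {"pkix": 0, "heartbeat_failed": 0})[kind] += 1
    return findings


def untrusted_endpoints(log_text):
    """Endpoints with at least one PKIX failure: their certificate needs importing."""
    return sorted(k for k, v in triage(log_text).items() if v["pkix"])


if __name__ == "__main__":
    for host, port in untrusted_endpoints(SAMPLE_LOG):
        print(f"JVM does not trust the certificate served at {host}:{port}")
```

An endpoint that shows only unanswered heartbeats and no PKIX entry does not match the cause described in this article.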