Have problems setting up SSL self signed certificate on our hosted environment

Carson Mackin September 17, 2018

Can't seem to pick up the SSL certificate on the Confluence server? Can you help?

1 answer

0 votes
Daniel Eads
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 17, 2018

Hi Carson,

Can you clarify a bit - are you trying to:

  1. Get Confluence to recognize a self-signed certificate used by another server, for instance an SMTP or LDAP server? If so, please see this document.
  2. Configure Confluence to be served over HTTPS, not using a reverse proxy - see this document for setup instructions.
  3. Configure HTTPS but with a reverse proxy such as Apache, IIS, or nginx - see our reverse proxy guide as a start but we can provide better help if you know which reverse proxy you'd like to use.

Hopefully these documents provide what you are looking for or at least get you pointed in the right direction.

We're happy to provide more help if you can hone us in on the exact issue you're facing or problem you're trying to solve.

Cheers,
Daniel

Carson Mackin September 17, 2018

Hi Daniel,

We followed these articles to set up Confluence over SSL:

https://confluence.atlassian.com/bitbucketserver/if-you-use-self-signed-certificates-938028692.html#Ifyouuseself-signedcertificates-commandlineinstallation

https://confluence.atlassian.com/doc/running-confluence-over-ssl-or-https-161203.html

KeyStore Explorer indicates the certificate is installed correctly.

We have uncommented the lines and updated the password in server.xml as advised in the second article, and after restarting the Confluence service we are getting the error below in the Catalina logs. Could you please help with why we are getting this illegal character error? We didn't create the keystore file; it was created by the Java keytool.

The .keystore file exists under the user profile. We'd appreciate it if you could help.

17-Sep-2018 14:12:50.535 SEVERE [main] org.apache.tomcat.util.net.SSLUtilBase.getStore Failed to load keystore type [JKS] with path [C:\WINDOWS\system32\config\systemprofile/.keystore] due to [Illegal character in opaque part at index 2: C:\WINDOWS\system32\config\systemprofile/.keystore]
java.lang.IllegalArgumentException: Illegal character in opaque part at index 2: C:\WINDOWS\system32\config\systemprofile/.keystore
at java.net.URI.create(URI.java:852)
at java.net.URI.resolve(URI.java:1036)
at org.apache.tomcat.util.file.ConfigFileLoader.getInputStream(ConfigFileLoader.java:88)
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:132)
at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:204)
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:184)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:216)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1043)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:530)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
at org.apache.catalina.startup.Catalina.load(Catalina.java:656)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.net.URISyntaxException: Illegal character in opaque part at index 2: C:\WINDOWS\system32\config\systemprofile/.keystore
at java.net.URI$Parser.fail(URI.java:2848)
at java.net.URI$Parser.checkChars(URI.java:3021)
at java.net.URI$Parser.parse(URI.java:3058)
at java.net.URI.<init>(URI.java:588)
at java.net.URI.create(URI.java:850)
... 25 more

17-Sep-2018 14:12:50.536 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:935)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:530)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
at org.apache.catalina.startup.Catalina.load(Catalina.java:656)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Failed to load keystore type [JKS] with path [C:\WINDOWS\system32\config\systemprofile/.keystore] due to [Illegal character in opaque part at index 2: C:\WINDOWS\system32\config\systemprofile/.keystore]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:216)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1043)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
... 13 more
Caused by: java.io.IOException: Failed to load keystore type [JKS] with path [C:\WINDOWS\system32\config\systemprofile/.keystore] due to [Illegal character in opaque part at index 2: C:\WINDOWS\system32\config\systemprofile/.keystore]
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:150)
at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:204)
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:184)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
... 19 more

Carson Mackin September 17, 2018

Hi Daniel,

Can we please have an update on this ticket?

Thanks

Carson

Carson Mackin September 17, 2018

Hi Daniel

We have moved on now and we are getting the error below (I have modified the alias name below for security reasons):

Caused by: java.lang.IllegalArgumentException: Alias name [servername.im] does not identify a key entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:216)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1043)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
... 13 more
Caused by: java.io.IOException: Alias name [servername.im] does not identify a key entry
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:229)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)


and keyAlias in server.xml is set to the certificate name. Please be advised we are trying to make it work using a self-signed certificate, which we created by following the article below:

https://confluence.atlassian.com/bitbucketserver/if-you-use-self-signed-certificates-938028692.html#Ifyouuseself-signedcertificates-commandlineinstallation

Please help.

Daniel Eads
Atlassian Team
September 17, 2018

Hi Carson,

Working with the Java keytool can be pretty fiddly. Here are a couple thoughts to check:

  1. Determine which JRE Confluence is trying to use. System java (the one installed in Program Files) or the JRE that comes bundled with Confluence (<confluence home>/jre). Instructions for determining/changing that are here.
  2. Once you know which Java that Confluence is trying to use, double-check that the keytool for that Java contains both the private and public key for the certificate you're trying to import.

Basically the error you're seeing now amounts to Java believing it doesn't have both the public and private key for the certificate you're trying to use. Since it's very easy to have some confusion on Windows over which Java Runtime Environment is in use, I'd try that path first.

But more in general, if you can use a reverse proxy such as IIS or Apache, I'd recommend going that route instead. Certificates are significantly easier to manage in a reverse proxy - as you've already seen, the Java keytool is not a great experience. If you're familiar with either web server, I think you may have better luck going this route:

Let me know if you need more help either continuing with the keytool or with a reverse proxy.

Cheers,
Daniel
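A concrete form of Daniel's second check: in keytool terms, the alias that server.xml's keyAlias names must be a PrivateKeyEntry (certificate plus private key), not a trustedCertEntry (certificate only), which is exactly the state that produces the "does not identify a key entry" error above. The Python below is an added example, not code from this thread, Atlassian or Tomcat; it parses the output of `keytool -list -v` (run with the keytool of whichever JRE Confluence actually uses, per Daniel's step 1) and reports the entry type per alias. The keytool output embedded in it is constructed, and the alias names in it are placeholders.

```python
"""Check that the alias named by Tomcat's keyAlias is a key entry.

Added example, not code from the thread, Atlassian or Tomcat. It parses the
output of `keytool -list -v` and reports whether an alias is a PrivateKeyEntry
(certificate plus private key, what a TLS connector needs) or a
trustedCertEntry (certificate only, which gives Tomcat's
"does not identify a key entry" error).
"""
import subprocess

# Constructed sample of `keytool -list -v` output; aliases, dates and names are
# placeholders, not from a real keystore. Fingerprint and extension lines are
# replaced by "..." because the parser ignores them anyway.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: servername.im
Creation date: Sep 17, 2018
Entry type: trustedCertEntry

Owner: CN=servername.im, OU=IT, O=Example Org
Issuer: CN=servername.im, OU=IT, O=Example Org
...


*******************************************
*******************************************


Alias name: tomcat
Creation date: Sep 17, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=servername.im, OU=IT, O=Example Org
Issuer: CN=servername.im, OU=IT, O=Example Org
...
"""


def parse_entry_types(keytool_output):
    """Map each alias in `keytool -list -v` output to its 'Entry type' value."""
    entries = {}
    alias = None
    for line in keytool_output.splitlines():
        if line.startswith("Alias name: "):
            alias = line[len("Alias name: "):].strip()
        elif line.startswith("Entry type: ") and alias is not None:
            entries[alias] = line[len("Entry type: "):].strip()
            alias = None
    return entries


def check_key_alias(keytool_output, key_alias):
    """Return (ok, reason) for the alias that server.xml's keyAlias points at."""
    entry_type = parse_entry_types(keytool_output).get(key_alias)
    if entry_type is None:
        return False, (f"alias [{key_alias}] is not in this keystore; confirm the keystore "
                       "path and that this keytool belongs to the JRE Confluence runs on")
    if entry_type != "PrivateKeyEntry":
        return False, (f"alias [{key_alias}] is a {entry_type}: it holds a certificate "
                       "but no private key, so Tomcat cannot use it to serve TLS")
    return True, f"alias [{key_alias}] is a PrivateKeyEntry and can serve TLS"


def list_keystore(keystore_path, storepass, keytool="keytool"):
    """Run keytool against a real keystore; pass the keytool of the JRE Confluence uses.

    The store password goes on the command line here, where other local users
    can read it from the process list; keytool also accepts -storepass:env VAR.
    """
    cmd = [keytool, "-list", "-v", "-keystore", keystore_path, "-storepass", storepass]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for alias in ("servername.im", "tomcat", "confluence"):
        ok, reason = check_key_alias(SAMPLE_KEYTOOL_OUTPUT, alias)
        print("OK " if ok else "BAD", reason)
```

To use it on a real server, call list_keystore with the full path to the keytool under the JRE Confluence is configured to use and feed its output to check_key_alias with the keyAlias value from server.xml; a trustedCertEntry result means the private key never made it into that keystore (or into that JRE's keystore), which is the situation Daniel describes.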

Carson Mackin September 18, 2018

Thanks for the late update, but we were sorted. Also, KeyStore Explorer is a very handy tool to play around with a Java keystore; it helped a lot.

Also, for some reason Confluence's Tomcat is not able to read the keystore file from the user profile location. It has to be in a location outside it, such as c:\certs.

In step 3 of the article below it says the property needs to be added in order for Tomcat to pick up the keystoreFile location:

https://confluence.atlassian.com/doc/running-confluence-over-ssl-or-https-161203.html

keystoreFile="<MY_CERTIFICATE_LOCATION>"/>

whereas the correct syntax is

keystoreFile="file:///C:/certs/<certificate filename>"

file:/// helps to avoid the error below on a Windows machine:

Failed to load keystore type [JKS] with path [C:\WINDOWS\system32\config\systemprofile/.keystore] due to [Illegal character in opaque part at index 2: C:\WINDOWS\system32\config\systemprofile/.keystore]
java.lang.IllegalArgumentException: Illegal character in opaque part at index 2: C:\WINDOWS\system32\config\systemprofile/.keystore

Thanks for your help.
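The "Illegal character in opaque part at index 2" error in the earlier post and the file:/// fix in this one come from two keystoreFile states that can be checked directly in server.xml. With the attribute unset, Tomcat falls back to ${user.home}/.keystore, and for a Windows service running as the system account user.home is the C:\WINDOWS\system32\config\systemprofile directory seen in the log, not the profile of whoever ran keytool. With a bare Windows path, Tomcat resolves the value as a java.net.URI, which reads the drive letter "C:" as a URI scheme and rejects the backslash that follows it at index 2. The Python below is an added example, not code from this thread, Atlassian or Tomcat; it audits each SSL-enabled Connector, reproduces the Java message for the drive-letter case, and rewrites a drive path into the file:/// form. The server.xml fragment, ports, alias and the keystorePass value in it are constructed placeholders.

```python
"""Audit keystoreFile values in a Tomcat server.xml for the Windows path problem.

Added example, not code from the thread, Atlassian or Tomcat. It models two
facts about Tomcat: an unset keystoreFile falls back to ${user.home}/.keystore,
and a value that is not an existing file is resolved as a java.net.URI, where a
drive letter like 'C:' is taken as a URI scheme and the backslash after it is
rejected ("Illegal character in opaque part at index 2").
"""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed server.xml fragment (not the thread's real file). Ports, alias and
# the keystorePass value are placeholders. The first connector uses a bare
# Windows path, the second the file:/// form, the third leaves keystoreFile unset.
SAMPLE_SERVER_XML = r"""<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" keyAlias="servername.im"
               keystoreFile="C:\certs\confluence.jks" keystorePass="PLACEHOLDER"/>
    <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" keyAlias="servername.im"
               keystoreFile="file:///C:/certs/confluence.jks" keystorePass="PLACEHOLDER"/>
    <Connector port="8445" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLS" keyAlias="servername.im" keystorePass="PLACEHOLDER"/>
    <Connector port="8090" protocol="HTTP/1.1" redirectPort="8443"/>
  </Service>
</Server>
"""

# A value starting with a drive letter, e.g. C:\certs\... or C:/certs/...
WINDOWS_DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")
# java.net.URI's scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
URI_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):(.*)$")

UNSET_FIX = "set keystoreFile explicitly, e.g. file:///C:/certs/<keystore filename>"


def to_file_uri(windows_path):
    """Turn an absolute Windows path into the file:/// form Tomcat's URI resolver accepts."""
    return PureWindowsPath(windows_path).as_uri()


def explain_java_uri(value):
    """Reproduce the URISyntaxException message for a drive-letter path, or None.

    Only the drive-letter case is modelled: the text before the first ':' becomes
    the scheme and the first backslash after it is the illegal character.
    """
    m = URI_SCHEME.match(value)
    if not m:
        return None
    scheme, rest = m.groups()
    idx = rest.find("\\")
    if idx < 0:
        return None
    return f"Illegal character in opaque part at index {len(scheme) + 1 + idx}: {value}"


def audit_keystore_paths(server_xml):
    """For every SSL-enabled Connector return (port, keystoreFile, fix).

    fix is None when the value is already a URI Tomcat can resolve, the
    file:/// rewrite for a bare Windows path, and UNSET_FIX when the attribute
    is missing (Tomcat would look for ${user.home}/.keystore of the service
    account, not of the person who ran keytool).
    """
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        value = conn.get("keystoreFile")
        if value is None:
            fix = UNSET_FIX
        elif WINDOWS_DRIVE_PATH.match(value):
            fix = to_file_uri(value)
        else:
            fix = None
        results.append((conn.get("port"), value, fix))
    return results


if __name__ == "__main__":
    for port, value, fix in audit_keystore_paths(SAMPLE_SERVER_XML):
        status = "ok" if fix is None else "FIX"
        print(f"[{status}] port {port}: keystoreFile={value!r}")
        if value and explain_java_uri(value):
            print("      Tomcat would report:", explain_java_uri(value))
        if fix:
            print("      use:", fix)
```

Run it against a copy of <confluence install>/conf/server.xml (read with the file's own encoding) to get one line per HTTPS connector; the rewrite keeps the same file on disk and only changes how Tomcat's loader resolves it, and a keystore that lives under a user profile still needs to be readable by the account the Confluence service runs as.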

