On a Windows 2016 I am trying to create a suitable keystore for SSL access to Confluence. I obtained a valid certificate (RapidSSL certificate) and have the private key.
Importing the certificate into the keystore and trying to start Confluence throws
"java.io.IOException: Alias name [null] does not identify a key entry"
in the catalina.out. server.xml is configured as described in https://confluence.atlassian.com/conf63/running-confluence-over-ssl-or-https-929729905.html
Any ideas? What am I doing wrong?
Thanks,
David
Hi @David Thielheim,
Try adding this into your server.xml - where name is the alias given when adding the cert into the keystore.
keyAlias=name
Please also share your configuration so we can better help.
Hi Edvin,
Thank you for your response and sorry for the delay. Got it working so far - I had to import the cert in pkcs12 format on the Windows box to get the private key also imported.
Currently I didn't add an alias to the server.xml because I don't see any alias in my official certificate. Is this the FQDN of my site / CN in the certificate? In addition, it all seems to work very unstably with the official certificate (long response times accessing the Confluence sites, timeout copying a simple Confluence site). This all works smoothly when I use my previous self-signed certificate or do it without SSL.
Here is a snippet of my server.xml:
<Connector port="443" connectionTimeout="20000" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="10" scheme="https" secure="true"
           clientAuth="false" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" SSLEnabled="true"
           URIEncoding="UTF-8" keystorePass="MyPassword" />
Currently I get only this one warning in the catalina.out log, which does not seem to be specific?!
20-Aug-2018 08:38:34.010 WARNUNG [https-jsse-nio-443-exec-19] com.sun.jersey.spi.container.servlet.WebComponent.filterFormParameters A servlet request, to the URI https://wiki.myDomain.de/rest/table-filter/1.0/service/license?_=1534747113123, contains form parameters in the request body but the request body has been consumed by the servlet or a servlet filter accessing the request parameters. Only resource methods using @FormParam will work as expected. Resource methods consuming the request body by other means will not work as expected.
Any ideas?
Hi @David Thielheim,
The alias is the one given when importing the cert in the JVM running Confluence.
How to import an existing SSL certificate for use in Tomcat
Is this how you imported the pkcs12 cert on the Windows box?
Also - the log message is a warning. Please check if there are other SSL-related errors or grep for ERROR in the log.
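Added example (not part of the thread and not Atlassian or Tomcat code): a Python check that compares a Connector like the one posted above with `keytool -list` output, to show why a keystore holding only the certificate yields "does not identify a key entry". The keystore listings, the aliases `rapidssl` and `tomcat`, and the reduced Connector are constructed; the keystoreFile and keyAlias fallbacks are Tomcat's documented defaults.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Connector, reduced from the one posted above (no keystoreFile/keyAlias).
CONNECTOR = '''<Connector port="443" scheme="https" secure="true" SSLEnabled="true"
  protocol="org.apache.coyote.http11.Http11NioProtocol"
  sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
  sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystorePass="MyPassword" />'''

# Constructed `keytool -list` lines: certificate imported without its private key ...
CERT_ONLY = "rapidssl, 20.08.2018, trustedCertEntry,\n"
# ... and after importing a PKCS12 bundle that carries certificate and private key.
WITH_KEY = "tomcat, Aug 23, 2018, PrivateKeyEntry,\n"

ENTRY = re.compile(r"^(?P<alias>[^,\n]+),.*?,\s*(?P<type>\w+Entry)\b", re.M)

def key_entries(listing):
    """Map alias -> entry type from non-verbose `keytool -list` output."""
    return {m["alias"].strip(): m["type"] for m in ENTRY.finditer(listing)}

def audit(connector_xml, listing):
    """Return findings for one HTTPS Connector checked against a keystore listing."""
    attrs = ET.fromstring(connector_xml).attrib
    keys = [a.lower() for a, t in key_entries(listing).items() if t == "PrivateKeyEntry"]
    findings = []
    if "keystoreFile" not in attrs:
        findings.append("keystoreFile unset: Tomcat defaults to .keystore in the user's home")
    alias = attrs.get("keyAlias")
    if alias is None:
        findings.append("keyAlias unset: Tomcat uses the first key entry it reads")
    elif alias.lower() not in keys:
        findings.append(f"keyAlias '{alias}' is not a PrivateKeyEntry in this keystore")
    if not keys:
        findings.append("no PrivateKeyEntry: expect 'does not identify a key entry'")
    if "sslProtocols" in attrs:
        findings.append("sslProtocols matches no Connector property and is ignored")
    enabled = [p.strip() for p in attrs.get("sslEnabledProtocols", "").split(",")]
    legacy = [p for p in enabled if p in ("TLSv1", "TLSv1.1")]
    if legacy:
        findings.append("deprecated protocols enabled: " + ", ".join(legacy))
    return findings

if __name__ == "__main__":
    for name, listing in (("cert only", CERT_ONLY), ("with key", WITH_KEY)):
        print(name)
        for finding in audit(CONNECTOR, listing):
            print("  -", finding)
```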
Hi Edwin,
Damn it! Dealt with the wrong help articles. The import worked so far. Doing the 2nd step (keystore import on the Windows box) brought a warning that the 'JKS-Keystore is using a proprietary format' and that I should migrate to PKCS12...
Using this config and accessing the site using the short url https://wiki, I get a certificate warning as expected but I can work with all the content without any problems.
Using this config and accessing the site using the FQDN https://wiki.mydomain...(which is the CN in the certificate --> the green padlock), I get a timeout trying to copy a site and this message is shown again in the catalina-log '23-Aug-2018 07:40:36.406 WARNUNG [https-jsse-nio-443-exec-20] com.sun.jersey.spi.container.servlet.WebComponent.filterFormParameters A servlet request, to the URI https://wiki.MyDomain.../rest/table-filter/1.0/service/license?_=1535002836392, contains form parameters in the request body but the request body has been consumed by the servlet or a servlet filter accessing the request parameters. Only resource methods using @FormParam will work as expected. Resource methods consuming the request body by other means will not work as expected.'
Maybe this is another problem I should investigate in another direction?!...
Other SSL related warnings in the catalina-log:
23-Aug-2018 03:42:56.657 WARNUNG [main] org.apache.catalina.startup.SetAllPropertiesRule.begin [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslProtocols' to 'TLSv1,TLSv1.1,TLSv1.2' did not find a matching property.
23-Aug-2018 03:42:56.673 WARNUNG [main] org.apache.tomcat.util.net.SSLHostConfig.setProtocols The protocol [TLSv1.1] was added to the list of protocols on the SSLHostConfig named [_default_]. Check if a +/- prefix is missing.
23-Aug-2018 03:42:56.673 WARNUNG [main] org.apache.tomcat.util.net.SSLHostConfig.setProtocols The protocol [TLSv1.2] was added to the list of protocols on the SSLHostConfig named [_default_]. Check if a +/- prefix is missing.
Thanks for all the help and patience!
Hello Edwin,
Any final conclusion for me regarding this topic?
Hi David,
Please run the diagnosis on this page.
Unable to Connect to SSL Services due to PKIX Path Building Failed
It'll also help if you'd paste some configurations or screenshots.
Hi Edvin,
OK, now it's fixed. Followed the instructions on your suggested page. I didn't realize that it isn't enough to create the Windows keystore and a second one for the JRE in Confluence (cacerts). Trying to point only to the JRE keystore in server.xml didn't work. But the two keystores are OK for me now.
Thanks in advance!
David