Confluence can't be accessed through the secure port - Protocol handler initialization failed

Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.

Summary

After starting Confluence, the Java process is running at the OS level, but it can't be reached through the secure port (default: 8443).

The keystore file location, alias and password were correctly specified in the server.xml file:

server.xml example
<Connector port="8443" maxHttpHeaderSize="8192"
   maxThreads="48" minSpareThreads="25"
   protocol="org.apache.coyote.http11.Http11Nio2Protocol"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLSv1.2"
   sslEnabledProtocols="TLSv1.2" SSLEnabled="true"
   URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"
   keystoreFile="<MY_CERTIFICATE_LOCATION>"/>

Non-secure ports (default: 8090) can be accessed without any issue.

Environment

Confluence Server or Data Center running over SSL/HTTPS

Diagnosis

After starting Confluence, check the Tomcat (Catalina) logs in the installation folder for the cause of the protocol handler initialization failure.

Examples:

catalina.out (Linux)
23-Jul-2020 02:56:55.409 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11Nio2Protocol-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
...
 Caused by: java.lang.IllegalArgumentException: /path/to/the/keystore-file/keystore.jks (Permission denied)
...
 Caused by: java.io.FileNotFoundException: /path/to/the/keystore-file/keystore.jks (Permission denied)

catalina.log (Windows)
17-Nov-2020 11:37:51.947 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-443]] 
org.apache.catalina.LifecycleException: Protocol handler initialization failed
Caused by: java.lang.IllegalArgumentException: Cannot obtain URL for the relative path [C:/Some/path/to/keystore.jks]. Check that catalina.base is set.
...
Caused by: java.io.IOException: Cannot obtain URL for the relative path [C:/Some/path/to/keystore.jks]. Check that catalina.base is set.
...
Caused by: java.net.MalformedURLException: unknown protocol: c
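
A triage sketch for the log excerpts above, added here as an example (it is not Atlassian's code): for each connector that failed to initialize it keeps the last `Caused by:` line as the root cause and maps it to the two causes covered in this article. The sample log is constructed by joining the two excerpts above, and the function name `triage` is hypothetical.

```python
import re

# Constructed sample: the Linux and Windows excerpts from this article, joined.
SAMPLE_LOG = """\
23-Jul-2020 02:56:55.409 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11Nio2Protocol-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
...
 Caused by: java.lang.IllegalArgumentException: /path/to/the/keystore-file/keystore.jks (Permission denied)
...
 Caused by: java.io.FileNotFoundException: /path/to/the/keystore-file/keystore.jks (Permission denied)
17-Nov-2020 11:37:51.947 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
Caused by: java.lang.IllegalArgumentException: Cannot obtain URL for the relative path [C:/Some/path/to/keystore.jks]. Check that catalina.base is set.
...
Caused by: java.io.IOException: Cannot obtain URL for the relative path [C:/Some/path/to/keystore.jks]. Check that catalina.base is set.
...
Caused by: java.net.MalformedURLException: unknown protocol: c
"""

RECORD_START = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} (\w+) ")
CONNECTOR = re.compile(r"Failed to initialize component \[Connector\[(.+?)\]\]")
CAUSED_BY = re.compile(r"^\s*Caused by: ([\w.$]+): (.*)$")

def triage(log_text):
    """Return one finding per connector that failed to initialize."""
    findings, current = [], None
    for line in log_text.splitlines():
        if RECORD_START.match(line):          # a new timestamped log record begins
            m = CONNECTOR.search(line)
            current = {"connector": m.group(1), "root": None, "cause": "unknown"} if m else None
            if current:
                findings.append(current)
        elif current and (m := CAUSED_BY.match(line)):
            current["root"] = (m.group(1), m.group(2))   # last "Caused by" is the root cause
    for f in findings:
        exc, msg = f["root"] or ("", "")
        if "Permission denied" in msg:
            f["cause"] = "Cause 1: keystore file not readable by the Confluence user"
        elif exc.endswith("MalformedURLException") and msg.startswith("unknown protocol"):
            f["cause"] = "Cause 2: Windows drive letter parsed as a URL protocol"
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["connector"], "->", finding["cause"])
```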

Cause

The cause depends on the exception shown in the Catalina logs.

Cause 1 - Lack of permission

The OS-level user running Confluence doesn't have permission to read the keystore file specified in <confluence_install>/conf/server.xml:

server.xml
<Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="48" minSpareThreads="25"
    protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" SSLEnabled="true"
    URIEncoding="UTF-8" keystorePass="<password>"
    keystoreFile="/path/to/the/keystore-file/keystore.jks"/>

Cause 2 - Absolute path to the Keystore file was specified in server.xml (Windows)

Tomcat is interpreting the drive letter from Windows as a URL protocol when the absolute path to the Keystore file is specified:

server.xml
<Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="48" minSpareThreads="25"
    protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" SSLEnabled="true"
    URIEncoding="UTF-8" keystorePass="<password>"
    keystoreFile="C:/Some/path/to/keystore.jks"/>

Solution

Solution 1 - Granting permission

  1. Stop Confluence
  2. Check whether the user that runs Confluence has permission to read the keystore file (we recommend using a dedicated user account to run Confluence)

    1. When running Confluence on Linux, you can change the permission by running the following commands:

      # Make the user 'confluence' the owner of the keystore file (skip if it already is)
      $ sudo chown confluence /path/to/the/keystore-file/keystore.jks
      # Grant read/write to the owner only; the keystore holds the private key, so group and others get no access
      $ sudo chmod u=rw,g=,o= /path/to/the/keystore-file/keystore.jks
  3. Start Confluence

Solution 2 - Modifying the Keystore path location

  1. Stop Confluence
  2. Edit the file server.xml
  3. Change the keystoreFile parameter to include a file:/// prefix before the absolute path to the keystore file:

    server.xml
    <Connector port="8443" maxHttpHeaderSize="8192"
        maxThreads="48" minSpareThreads="25"
        protocol="org.apache.coyote.http11.Http11Nio2Protocol"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" SSLEnabled="true"
        URIEncoding="UTF-8" keystorePass="<password>"
        keystoreFile="file:///C:/Some/path/to/keystore.jks"/>
  4. Start Confluence
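
A preflight check for both causes, added here as an example (not part of the original article or Atlassian's tooling): it reads server.xml, finds every SSL-enabled Connector and inspects its keystoreFile before Confluence is started. The sample XML is constructed, `check_keystores` is a hypothetical name, and the group/others permission test is an extra hardening check; run it as the account that runs Confluence, with absolute keystore paths.

```python
import os
import re
import stat
import xml.etree.ElementTree as ET

# Constructed sample: the connector from Cause 2 plus a plain HTTP connector.
SAMPLE_SERVER_XML = """\
<Server><Service name="Tomcat-Standalone">
  <Connector port="8090" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
  <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
      protocol="org.apache.coyote.http11.Http11Nio2Protocol"
      keystorePass="PLACEHOLDER" keystoreFile="C:/Some/path/to/keystore.jks"/>
</Service></Server>
"""

DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")  # C:/... or C:\... with no URL scheme

def check_keystores(server_xml_text):
    """Return [(port, keystoreFile, [problems])] for each SSL-enabled Connector."""
    results = []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue
        path, problems = conn.get("keystoreFile"), []
        if path is None:
            problems.append("keystoreFile not set")
        elif DRIVE_PATH.match(path):
            problems.append("Cause 2: drive-letter path, add the file:/// prefix")
        elif not path.startswith("file:"):
            # Plain path: tested as the current user, so run this as the
            # account that runs Confluence. file: URLs are accepted as-is.
            if not os.path.isfile(path):
                problems.append("keystore file not found or not reachable")
            elif not os.access(path, os.R_OK):
                problems.append("Cause 1: keystore not readable by this user")
            elif os.name == "posix" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
                problems.append("keystore is accessible to group/others")
        results.append((conn.get("port"), path, problems))
    return results

if __name__ == "__main__":
    for port, path, problems in check_keystores(SAMPLE_SERVER_XML):
        print(port, path, problems or "ok")
```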


Last modified on Nov 19, 2020
