Confluence could not run through SSL due to jsse.invalid_ssl_conf
Symptoms
After configuring Confluence to run over HTTPS/SSL, you cannot connect to the secure port, and the following appears in catalina.out:
SEVERE: Error initializing endpoint
java.io.IOException: jsse.invalid_ssl_conf
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:817)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:522)
...
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:310)
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:255)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:813)
...
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
LifecycleException: Protocol handler initialization failed: java.io.IOException: jsse.invalid_ssl_conf
at org.apache.catalina.connector.Connector.initialize(Connector.java:1024)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
...
Cause
This error can have several causes. One is that keystoreType is not defined in server.xml, so JSSE cannot read the keystore because it is not of the default type, which is JKS. Another is that the certificate has not been imported into the keystore generated by keytool, because keytool does not let you import an existing private key for which you already have a certificate.
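To tell which of the two causes applies, the following added example (not part of the original article or of Confluence/Tomcat) identifies a keystore's format from its leading bytes and, for JKS, lists its entries to confirm a private key entry exists. The function names and the sample keystore are constructed for illustration, and the 0x30 test for PKCS12 is a heuristic.

```python
import struct

MAGIC = {b"\xfe\xed\xfe\xed": "JKS", b"\xce\xce\xce\xce": "JCEKS"}

def detect_type(data):
    """Guess the keystore container format from its leading bytes."""
    if data[:4] in MAGIC:
        return MAGIC[data[:4]]
    return "PKCS12" if data[:1] == b"\x30" else "UNKNOWN"  # 0x30: DER SEQUENCE

def jks_entries(data):
    """List (alias, kind) for each JKS entry; the keystore password is not needed."""
    pos = 4                              # skip the 4-byte magic
    def take(fmt):                       # read one big-endian struct field, advance
        nonlocal pos
        (value,) = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return value
    def blob(fmt):                       # read a length-prefixed byte field
        return take(f">{take(fmt)}s")
    version, count, entries = take(">I"), take(">I"), []
    for _ in range(count):
        tag = take(">I")                 # 1 = private key entry, 2 = trusted cert
        alias = blob(">H").decode("utf-8", "replace")
        take(">Q")                       # creation timestamp
        if tag == 1:
            blob(">I")                   # encrypted private key
        for _ in range(take(">I") if tag == 1 else 1):   # cert chain, or single cert
            if version == 2:
                blob(">H")               # certificate type, e.g. "X.509"
            blob(">I")                   # encoded certificate
        entries.append((alias, "PrivateKeyEntry" if tag == 1 else "trustedCertEntry"))
    return entries

def diagnose(declared_type, data):
    """Return problems found; declared_type is the keystoreType value, None if unset."""
    declared, actual = (declared_type or "JKS").upper(), detect_type(data)
    problems = []
    if actual != declared:
        problems.append(f"keystoreType={declared} but the file looks like {actual}")
    if actual == "JKS" and all(k != "PrivateKeyEntry" for _, k in jks_entries(data)):
        problems.append("keystore has no private key entry")
    return problems

# Constructed sample: a version-2 JKS with one trusted certificate and no key.
SAMPLE_JKS = (b"\xfe\xed\xfe\xed" + struct.pack(">III", 2, 1, 2) + b"\x00\x06tomcat"
              + bytes(8) + b"\x00\x05X.509" + struct.pack(">I", 3) + b"\x30\x01\x00"
              + bytes(20))               # 20 bytes stand in for the integrity digest
print(diagnose("PKCS12", SAMPLE_JKS))
```

To check a real file, pass its bytes (for example `open(path, "rb").read()`) together with the keystoreType value from your Connector, or None if the attribute is absent.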
Resolution
Define keystoreType in server.xml, because the default is JKS. For example, the connector in your server.xml would look like this:
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" SSLEnabled="true" URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>" keystoreFile="<MY_CERTIFICATE_LOCATION>" keystoreType="PKCS12"/>
If that does not help, convert your current certificate and key file from their existing format to DER format, then import the key into a keystore so that it is recognized as a normal JKS.
For further reading and instructions on the steps you need to take, please refer to the following link. (Please take note of the format of your certificate and key.)
- Import private key and certificate into Java Key Store (JKS)