Confluence fails to start with SSL with PFX file - failed to decrypt safe contents entry

Platform Notice: Server and Data Center Only - This article only applies to Atlassian products on the server and data center platforms.

Summary

Confluence fails to start with SSL even though the PFX keystorePass password is entered correctly.

Diagnosis

The following is reported in catalina.out when Confluence starts up:


02-Jun-2021 10:01:33.435 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11Nio2Protocol-443]]
	org.apache.catalina.LifecycleException: Protocol handler initialization failed
		at org.apache.catalina.connector.Connector.initInternal(Connector.java:1042)
		at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
		at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
		at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
		at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
		at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
		at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
		at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
		at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
		at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
		at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
		at java.base/java.lang.reflect.Method.invoke(Unknown Source)
		at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
		at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
	Caused by: java.lang.IllegalArgumentException: keystore password was incorrect
		at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
		at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
		at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:142)
		at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
		at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
		at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:592)
		at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
		at org.apache.catalina.connector.Connector.initInternal(Connector.java:1039)
		... 13 more
	Caused by: java.io.IOException: keystore password was incorrect
		at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source)
		at java.base/sun.security.util.KeyStoreDelegator.engineLoad(Unknown Source)
		at java.base/java.security.KeyStore.load(Unknown Source)
		at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:69)
		at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:216)
		at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:207)
		at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:282)
		at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:246)
		at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
		... 20 more
	Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.io.IOException: Sequence tag error
		... 29 more

Cause

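The PFX keystoreFile referenced in <confluence-install>\conf\server.xml is encrypted with a cipher that Tomcat/Java cannot decrypt. The "keystore password was incorrect" message is therefore misleading: the underlying failure is the UnrecoverableKeyException ("failed to decrypt safe contents entry") at the bottom of the trace.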

Solution

1. Regenerate the PFX keystore file using TripleDES as the encryption cipher.

3. Confluence should now start up.


Last modified on Jun 9, 2021
