Symptoms

When going to manage/add new add-ons page, this error is displayed:

The Atlassian Marketplace server is not reachable. To avoid problems when loading this page, you can disable the connection to the Marketplace server

Cause #1

When Java establishes an outbound connection, it needs to establish trust when it reads the server certificate of the Marketplace. In order to do this, it checks the Java trust store for a certificate chain that indicates the certificate served by the Atlassian Marketplace can be trusted. This trust store is located at JAVA_HOME/jre/lib/security/cacerts by default, but a customized location can be defined by the startup parameter -Djavax.net.ssl.trustStore

The atlassian-confluence.log contain the following errors:

2013-10-29 14:30:17,194 WARN  [http-bio-7990-exec-5] user 870x497x1 1lzkc13 XXX.XXX.XXX.XXX,127.0.0.1 "GET /plugins/servlet/upm/marketplace HTTP/1.0" com.atlassian.upm.pac.PacClientImpl Error when querying application info from MPAC: com.atlassian.marketplace.client.MpacException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

If Confluence is unable to establish trust when accessing the marketplace, the connection will be refused and your admins will not be able to use the Marketplace within Confluence. This occurs because the default Java trust store has been modified, and therefore is missing a valid trust chain, or, the certificate presented by Marketplace has been tampered with by a local proxy, and therefore is not trusted.

Resolution #1

1. Download the Atlassian Marketplace certificates with the commands below

   keytool -printcert -sslserver marketplace.atlassian.com:443 -rfc >> marketplace.atlassian.com.crt
   keytool -printcert -sslserver marketplace-cdn.atlassian.com:443 -rfc >> marketplace-cdn.atlassian.com.crt
   keytool -printcert -sslserver api.media.atlassian.com:443 -rfc >> api.media.atlassian.com.crt
   

2. Import the certificates into the Java trust store:

Java 8

keytool -importcert -alias marketplace.atlassian.com -keystore <JAVA_HOME>/jre/lib/security/cacerts -storepass changeit -noprompt -file marketplace.atlassian.com.crt
keytool -importcert -alias marketplace-cdn.atlassian.com -keystore <JAVA_HOME>/jre/lib/security/cacerts -storepass changeit -noprompt -file marketplace-cdn.atlassian.com.crt
keytool -importcert -alias api.media.atlassian.com -keystore <JAVA_HOME>/jre/lib/security/cacerts -storepass changeit -noprompt -file api.media.atlassian.com.crt

Java 11

keytool -importcert -alias marketplace.atlassian.com -cacerts -storepass changeit -noprompt -file marketplace.atlassian.com.crt
keytool -importcert -alias marketplace-cdn.atlassian.com -cacerts -storepass changeit -noprompt -file marketplace-cdn.atlassian.com.crt
keytool -importcert -alias api.media.atlassian.com -cacerts -storepass changeit -noprompt -file api.media.atlassian.com.crt

3. Restart the Confluence application. Certificates are loaded into the JVM on startup and such changes need a restart to take effect.

Cause #2

Confluence establishes a connection/session to Marketplace during the application startup, in this scenario, Confluence is able to access the Marketplace successfully, but eventually fails. As reported by some customers there are firewall appliances that set a default lifetime for TCP sessions. Some of these default to 15 minutes, and could compromise the connection to the marketplace.

Resolution #2

increase the TTL for outgoing internet traffic from the Confluence machine, and verify if the issue persists. Alternatively, allow the Confluence host to bypass the outgoing connection proxy/firewall and verify.

Cause #3

Confluence is configured with an outbound proxy server and the outbound proxy server is blocking outgoing requests sent from Confluence to the Atlassian Marketplace.

To verify if this root cause applies:

• Look into the Confluence application logs for an error similar to the one below. If you see that the error shows that Confluence can't reach the Marketplace because it is failing to reach some IP address some hostname that is not the Marketplace, then it is an indicator that this root cause is relevant:

  2022-07-22 10:14:31,899-0400 pool-26-thread-2 WARN someuser 613x2051x1 k5zsja XXX.XX.XXX.X /rest/plugins/1.0/pac-status [c.a.upm.pac.MpacApplicationCacheManager] Error when querying application info from MPAC: com.atlassian.marketplace.client.MpacException: org.apache.http.conn.ConnectTimeoutException: Connect to <SOME_IP_ADDRESS>/<SOME_HOSTNAME>:8080 [<SOME_IP_ADDRESS>/<SOME_HOSTNAME>] failed: connect timed out

• Check the JVM startup used by the Confluence application to see if Confluence is configured with an outbound proxy. If you see parameters as in the example below, then it's an evidence that Confluence is configured with an outbound proxy

  -Dhttp.proxyPort=8080
  -Dhttp.proxyHost=<SOME_IP_ADDRESS> OR <SOME_HOSTNAME>
  -Dhttps.proxyHost=<SOME_IP_ADDRESS> OR <SOME_HOSTNAME>
  -Dhttps.proxyPort=8080

Resolution #3

Bypass any Atlassian URL in the outbound proxy configuration:

• Add the Confluence JVM startup parameters below in order to bypass any atlassian.com URL:
  

  -Dhttp.nonProxyHosts=*.atlassian.com

  
  

• Restart each Confluence nodes, for this change to be effective

If the -Dhttp.nonProxyHosts is already used but with a different hostname, you can simply add *.atlassian.com to it, by using the pipe character as shown in the example below:

-Dhttp.nonProxyHosts=somehostname.com|*.atlassian.com

In some cases, UMP ignores the application outbound proxy settings (http.proxyHost and http.proxyPort) unless http.pac.proxyHost and http.pac.proxyPort are also defined. So the final configuration needed is as in the following example:

-Dhttp.proxyHost=somehostname-proxy.mydomain.com -Dhttp.proxyPort=8080 -Dhttp.nonProxyHosts="localhost|somehostname.com|*.atlassian.com" -Dhttp.pac.proxyHost=somehostname-proxy.mydomain.com -Dhttp.pac.proxyPort=8080

Please see the following question on Atlassian Answers and Problems Connecting to the Atlassian Marketplace for further information.