Getting "Protocol handler initialization failed" error when accessing Confluence through the secure SSL port

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

After starting Confluence, the Java process is running at the OS level, but it can't be reached through the secure port (default: 8443).

The Keystore file location was correctly specified in the server.xml file, as well as the alias and password:

server.xml example
<Connector port="8443" maxHttpHeaderSize="8192"
   maxThreads="48" minSpareThreads="25"
   protocol="org.apache.coyote.http11.Http11Nio2Protocol"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLSv1.2"
   sslEnabledProtocols="TLSv1.2" SSLEnabled="true"
   URIEncoding="UTF-8" keystorePass="<MY_CERTIFICATE_PASSWORD>"
   keystoreFile="<MY_CERTIFICATE_LOCATION>"/>


Non-secure ports (default: 8090) can be accessed without any issue.

Environment

Confluence Server or Data Center running over SSL/HTTPS

Diagnosis

After starting Confluence, check the Tomcat (Catalina) logs in the CONFLUENCE_INSTALL_HOME directory for the cause of the protocol handler initialization failure.

Examples:

catalina.out (Linux)
23-Jul-2020 02:56:55.409 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11Nio2Protocol-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
...
 Caused by: java.lang.IllegalArgumentException: /path/to/the/keystore-file/keystore.jks (Permission denied)
...
 Caused by: java.io.FileNotFoundException: /path/to/the/keystore-file/keystore.jks (Permission denied)
...
 Caused by: java.lang.IllegalArgumentException: /opt/atlassian/confluence/conf/<file_name>.com.kst (No such file or directory)

catalina.log (Windows)
17-Nov-2020 11:37:51.947 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-443]] 
org.apache.catalina.LifecycleException: Protocol handler initialization failed
Caused by: java.lang.IllegalArgumentException: Cannot obtain URL for the relative path [C:/Some/path/to/keystore.jks]. Check that catalina.base is set.
...
Caused by: java.io.IOException: Cannot obtain URL for the relative path [C:/Some/path/to/keystore.jks]. Check that catalina.base is set.
...
Caused by: java.net.MalformedURLException: unknown protocol: c
Caused by: java.lang.IllegalArgumentException: Cannot obtain resource for specified location [E:\Some\path\to\cacert*]: no readable file, classloader resource, or this is not a resolvable URI
		at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
		at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
		at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:236)
		at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1326)

Cause

The cause depends on the exception shown in the Catalina logs, as indicated above.

Cause 1) Lack of permission

The OS-level user running Confluence doesn't have permission to read the Keystore file specified in CONFLUENCE_INSTALL_HOME/conf/server.xml:

server.xml
<Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="48" minSpareThreads="25"
    protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" SSLEnabled="true"
    URIEncoding="UTF-8" keystorePass="<password>"
    keystoreFile="/path/to/the/keystore-file/keystore.jks"/>

Cause 2) Absolute path to the Keystore file was specified in server.xml (Windows)

Tomcat interprets the Windows drive letter as a URL protocol when the absolute path to the Keystore file is specified:

server.xml
<Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="48" minSpareThreads="25"
    protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" SSLEnabled="true"
    URIEncoding="UTF-8" keystorePass="<password>"
    keystoreFile="C:/Some/path/to/keystore.jks"/>

Cause 3) The file was deleted from the path during a Confluence upgrade

The keystore file was deleted during a Confluence upgrade. The customizations (server.xml) were copied over from the previous installation after the upgrade, but the keystore file was not restored to the correct path.

Solution

Solution 1) Granting permission

  1. Stop Confluence
  2. Check whether the user that runs Confluence has permission to read the keystore file (we recommend using a dedicated user account to run Confluence)

    1. When running Confluence on Linux, you can change the permission by running the following commands:

      # Change the ownership of the keystore file to the user 'confluence' (not mandatory)
      $ sudo chown confluence /path/to/the/keystore-file/keystore.jks
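      # Set owner to read/write/execute and group/others to read/execute
      # (the keystore holds the private key; if 'confluence' owns the file, u=r,g=,o= is enough)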
      $ sudo chmod u=rwx,g=rx,o=rx /path/to/the/keystore-file/keystore.jks
  3. Start Confluence

Solution 2) Modifying the Keystore path location

  1. Stop Confluence
  2. Edit the file server.xml
  3. Change the keystoreFile parameter to include a file:/// prefix before the absolute path to the Keystore file:

    server.xml
    <Connector port="8443" maxHttpHeaderSize="8192"
        maxThreads="48" minSpareThreads="25"
        protocol="org.apache.coyote.http11.Http11Nio2Protocol"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLSv1.2" sslEnabledProtocols="TLSv1.2" SSLEnabled="true"
        URIEncoding="UTF-8" keystorePass="<password>"
        keystoreFile="file:///C:/Some/path/to/keystore.jks"/>
  4. Start Confluence

Solution 3) Restoring the Keystore file

  1. Stop Confluence
  2. Restore the keystore file on the path defined in the server.xml file
  3. Ensure the permissions on the file are correct as described in Solution 1
  4. Start Confluence
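
A preflight check for the three causes above, as an added example (not Atlassian's or Tomcat's code): it reads keystoreFile from each SSL-enabled Connector and reports a drive-letter path, a missing file or an unreadable file before Tomcat is started, and also flags a keystore whose group/other permission bits are set. The function names, the sample server.xml and its extra ports are constructed for illustration; run it as the OS user that runs Confluence.

```python
import re
import stat
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse
from urllib.request import url2pathname

DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")  # C:/... or E:\... (Cause 2)
SAMPLE = """<Server><!-- constructed sample, not a real server.xml -->
  <Connector port="8090"/>
  <Connector port="8443" SSLEnabled="true" keystoreFile="conf/keystore.jks"/>
  <Connector port="8444" SSLEnabled="true" keystoreFile="C:/Some/path/to/keystore.jks"/>
  <Connector port="8445" SSLEnabled="true" keystoreFile="conf/missing.jks"/>
</Server>"""

def classify(ks, catalina_base):
    """Map one keystoreFile value to the causes listed in this article."""
    if DRIVE_PATH.match(ks):
        return "cause 2: drive-letter path needs a file:/// prefix"
    path = (Path(url2pathname(urlparse(ks).path)) if ks.startswith("file:")
            else Path(catalina_base, ks))  # relative: against catalina.base
    try:
        with open(path, "rb"):  # opening proves this user can read the file
            mode = stat.S_IMODE(path.stat().st_mode)
    except FileNotFoundError:
        return "cause 3: keystore file missing"
    except PermissionError:
        return "cause 1: not readable by this user"
    if mode & 0o077:  # POSIX only: other local users can reach the keystore
        return "readable, but group/other bits set (mode %o)" % mode
    return "ok"

def check_keystores(server_xml, catalina_base):
    """Return {port: finding} for SSL Connectors that set keystoreFile."""
    root = ET.parse(server_xml).getroot()
    return {c.get("port"): classify(c.get("keystoreFile"), catalina_base)
            for c in root.iter("Connector")
            if c.get("SSLEnabled", "").lower() == "true" and c.get("keystoreFile")}

def demo():
    conf = Path(tempfile.mkdtemp(), "conf")
    conf.mkdir()
    (conf / "keystore.jks").touch()
    (conf / "keystore.jks").chmod(0o755)  # what u=rwx,g=rx,o=rx sets
    (conf / "server.xml").write_text(SAMPLE)
    return check_keystores(conf / "server.xml", conf.parent)

if __name__ == "__main__":
    print(demo())
```

For a real installation, call check_keystores with the path to CONFLUENCE_INSTALL_HOME/conf/server.xml and, assuming catalina.base is the install directory, CONFLUENCE_INSTALL_HOME as the second argument.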




Last modified on Mar 12, 2024
