Internal gadgets displaying titles as __MSG
Problem
After upgrading Confluence, moving to another server or just updating the JDK/JRE, gadget titles appear as __MSG_gadget.xxxxxx.
The following appears in the atlassian-confluence.log
2017-08-04 10:12:34,771 ERROR [http-nio-443-exec-2] [renderer.internal.http.HttpClientFetcher] fetch Unable to perform a request to: https://localhost:443/rest/gadgets/1.0/g/messagebundle/en_GB/gadget.common%2Cgadget.activity.stream%2Cstreams.comment.action%2Cstream.error.unexpected
-- url:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
Diagnosis
Environment
- SSL is enabled
Cause
The error message is caused by failed SSL connection due to missing certificate in the truststore.
During the upgrade, moving to another server or just updating the JDK/JRE, all SSL certificates will be overwritten if you are using the default cacerts truststore.
Resolution
Extract Confluence's certificate and import into the trust store. Commonly, the trust store is inside of the $JAVA_HOME variable:
Extract the certificate from Confluence:
openssl s_client -connect <confluence.url-or-confluence.ip>:<secure-port> < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
Replace the <confluence.url-or-confluence.ip>:<secure-port> for the correct information, like confluence.example.com:443.
Import the certificate into Confluence's cacert:
$JAVA_HOME/bin/keytool -import -alias cert -keystore $JAVA_HOME/jre/lib/security/cacerts -file public.crt
- Restart Confluence