Synchrony Cluster Cannot be Reached by Confluence due to PKIX Error
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
When setting up a Synchrony cluster on Confluence Data Center, the Synchrony service cannot be reached when attempting to enable the Collaborative Editing feature.
The following appears in atlassian-confluence.log:
2017-06-02 12:00:00,000 INFO [AtlassianEvent::CustomizableThreadFactory-1] [plugins.synchrony.config.DefaultSynchronyConfigurationManager] retrievePublicKey [Collab editing plugin] Could not retrieve public key for real-time collaboration service at https://confluence-url/synchrony/jwt-key with exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Diagnosis
Environment
- The Confluence instance is using a Load Balancer with SSL.
- The Load Balancer is configured according to our documentation: How to configure Amazon Web Service Application Load Balancer with Confluence
- The -Dsynchrony.service.url is properly set to use the Load Balancer URL in the Synchrony startup script. Example:
  -Dsynchrony.service.url=https://confluence-url/synchrony
- The -Dsynchrony.service.url is properly set to use the Load Balancer URL + /v1 in the setenv configuration file of each node. Example:
  -Dsynchrony.service.url=https://confluence-url/synchrony/v1
Diagnostic Steps
- Synchrony is properly set up
- You can reach the Synchrony JVM by accessing the confluence-url/synchrony/heartbeat URL in the browser (an OK message is returned)
- Setting the com.atlassian.confluence.plugins.synchrony class to DEBUG level under Confluence Administrator panel > Logging and Profiling shows that Synchrony cannot be reached by Confluence:
2017-05-30 21:01:02,111 DEBUG [http-nio-8090-exec-3] [plugins.synchrony.bootstrap.DefaultSynchronyMonitor] isSynchronyUp Checking Synchrony heartbeat on: https://confluence-url/synchrony/heartbeat
2017-05-30 21:01:02,119 DEBUG [http-nio-8090-exec-3] [plugins.synchrony.bootstrap.DefaultSynchronyMonitor] isSynchronyUp No response from Synchrony.
Cause
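The certificate presented by your Load Balancer is not trusted by the application. The browser check above succeeds because the browser uses its own trust store, while Confluence validates the certificate against its own truststore, which does not contain it.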
Resolution
To resolve this issue, import the Load Balancer's public certificate into Confluence's truststore. Follow the instructions in this article to import the certificate: Unable to Connect to SSL Services due to PKIX Path Building Failed
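To check the logs of several nodes for this condition, the following added example (not Atlassian's code) scans atlassian-confluence.log text for the two signatures quoted in this article and separates certificate-trust failures from heartbeat checks that simply got no response. The function names and finding labels are assumptions made for this illustration, and the sample input is constructed from the log lines shown above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: the three log lines quoted in this article.
SAMPLE_LOG = """\
2017-06-02 12:00:00,000 INFO [AtlassianEvent::CustomizableThreadFactory-1] [plugins.synchrony.config.DefaultSynchronyConfigurationManager] retrievePublicKey [Collab editing plugin] Could not retrieve public key for real-time collaboration service at https://confluence-url/synchrony/jwt-key with exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2017-05-30 21:01:02,111 DEBUG [http-nio-8090-exec-3] [plugins.synchrony.bootstrap.DefaultSynchronyMonitor] isSynchronyUp Checking Synchrony heartbeat on: https://confluence-url/synchrony/heartbeat
2017-05-30 21:01:02,119 DEBUG [http-nio-8090-exec-3] [plugins.synchrony.bootstrap.DefaultSynchronyMonitor] isSynchronyUp No response from Synchrony.
"""

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>\w+) "
                  r"\[(?P<thread>[^\]]*)\] \[(?P<logger>[^\]]*)\] (?P<msg>.*)$")
KEY_FAIL = re.compile(r"Could not retrieve public key .*? at (?P<url>\S+) "
                      r"with exception: (?P<exc>.*)$")
HEARTBEAT = re.compile(r"Checking Synchrony heartbeat on: (?P<url>\S+)")
PKIX_MARKERS = ("PKIX path building failed", "unable to find valid certification path")


def triage(log_text):
    """Return one finding per Synchrony connectivity failure in the log text."""
    findings, pending = [], {}  # pending: thread name -> last heartbeat URL checked
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or "synchrony" not in m["logger"].lower():
            continue
        if (k := KEY_FAIL.search(m["msg"])):
            # A PKIX exception means the connection reached the endpoint but the JVM
            # could not build a chain to a trusted root: a truststore problem.
            trust = any(p in k["exc"] for p in PKIX_MARKERS)
            findings.append({"ts": m["ts"], "host": urlsplit(k["url"]).hostname,
                             "kind": "untrusted-certificate" if trust else "key-fetch-failed"})
        elif (h := HEARTBEAT.search(m["msg"])):
            pending[m["thread"]] = h["url"]
        elif "No response from Synchrony" in m["msg"] and m["thread"] in pending:
            # The DEBUG heartbeat line alone gives no reason; pair it with its URL.
            url = pending.pop(m["thread"])
            findings.append({"ts": m["ts"], "host": urlsplit(url).hostname,
                             "kind": "heartbeat-no-response"})
    return findings


def hosts_needing_cert_import(findings):
    """Hosts whose certificate must be imported into Confluence's truststore."""
    return sorted({f["host"] for f in findings if f["kind"] == "untrusted-certificate"})


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print("import certificate for:", hosts_needing_cert_import(triage(SAMPLE_LOG)))
```

A "heartbeat-no-response" finding without an accompanying "untrusted-certificate" finding for the same host points to a cause other than the one this article covers.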