Synchrony Cluster Cannot be Reached by Confluence due to PKIX Error

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

When setting up a Synchrony cluster on Confluence Data Center, the Synchrony service cannot be reached when attempting to enable the Collaborative Editing feature.

The following appears in the atlassian-confluence.log:

2017-06-02 12:00:00,000 INFO [AtlassianEvent::CustomizableThreadFactory-1] [plugins.synchrony.config.DefaultSynchronyConfigurationManager] retrievePublicKey [Collab editing plugin] Could not retrieve public key for real-time collaboration service at https://confluence-url/synchrony/jwt-key with exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Diagnosis

Environment

  • The Confluence instance is using a Load Balancer with SSL.
  • The Load Balancer is configured according to our documentation: How to configure Amazon Web Service Application Load Balancer with Confluence
  • The -Dsynchrony.service.url is properly set to use the Load Balancer URL in the Synchrony startup script. Example:

    -Dsynchrony.service.url=https://confluence-url/synchrony
  • The -Dsynchrony.service.url is properly set to use the Load Balancer URL + /v1 in the setenv configuration file of each node. Example:

    -Dsynchrony.service.url=https://confluence-url/synchrony/v1

Diagnostic Steps

  • Synchrony is set up properly
  • You can reach the Synchrony JVM by accessing the confluence-url/synchrony/heartbeat URL in a browser (an OK message is returned)
  • Setting the com.atlassian.confluence.plugins.synchrony class to DEBUG level under Confluence Administrator panel > Logging and Profiling shows that Confluence cannot reach Synchrony:
2017-05-30 21:01:02,111 DEBUG [http-nio-8090-exec-3] [plugins.synchrony.bootstrap.DefaultSynchronyMonitor] isSynchronyUp Checking Synchrony heartbeat on: https://confluence-url/synchrony/heartbeat
2017-05-30 21:01:02,119 DEBUG [http-nio-8090-exec-3] [plugins.synchrony.bootstrap.DefaultSynchronyMonitor] isSynchronyUp No response from Synchrony.
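
The two symptoms quoted in this article can be told apart mechanically. The following Python script is an added example, not Atlassian's code: it scans atlassian-confluence.log text and reports which endpoint's certificate the Confluence JVM rejected, separating that from heartbeat failures and from key-retrieval errors with other causes. The sample log is constructed from the lines quoted above, and the function and field names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input, modelled on the log lines quoted in this article.
SAMPLE_LOG = """\
2017-05-30 21:01:02,111 DEBUG [http-nio-8090-exec-3] [plugins.synchrony.bootstrap.DefaultSynchronyMonitor] isSynchronyUp Checking Synchrony heartbeat on: https://confluence-url/synchrony/heartbeat
2017-05-30 21:01:02,119 DEBUG [http-nio-8090-exec-3] [plugins.synchrony.bootstrap.DefaultSynchronyMonitor] isSynchronyUp No response from Synchrony.
2017-06-02 12:00:00,000 INFO [AtlassianEvent::CustomizableThreadFactory-1] [plugins.synchrony.config.DefaultSynchronyConfigurationManager] retrievePublicKey [Collab editing plugin] Could not retrieve public key for real-time collaboration service at https://confluence-url/synchrony/jwt-key with exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
"""

THREAD = re.compile(r"^\S+ \S+ \w+ \[([^\]]+)\]")  # date, time, level, [thread]
HEARTBEAT = re.compile(r"Checking Synchrony heartbeat on: (\S+)")
KEY_FAIL = re.compile(r"Could not retrieve public key for real-time "
                      r"collaboration service at (\S+) with exception: (.*)")

def endpoint(url):
    """Return the (host, port) a client connects to for this URL."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)

def triage(log_text):
    """Classify Synchrony connectivity symptoms found in Confluence log text."""
    report = {"untrusted": set(), "no_response": set(), "other_key_errors": []}
    pending = {}  # thread name -> heartbeat URL last checked on that thread
    for line in log_text.splitlines():
        m = THREAD.match(line)
        thread = m.group(1) if m else None
        if (hb := HEARTBEAT.search(line)):
            pending[thread] = hb.group(1)
        elif "No response from Synchrony" in line and thread in pending:
            report["no_response"].add(endpoint(pending.pop(thread)))
        elif (kf := KEY_FAIL.search(line)):
            url, exc = kf.groups()
            if "PKIX path building failed" in exc:
                # The JVM could not build a chain to a trusted CA for this host.
                report["untrusted"].add(endpoint(url))
            else:
                report["other_key_errors"].append((url, exc))
    return report

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for host, port in sorted(r["untrusted"]):
        print(f"{host}:{port}: certificate chain not trusted by the Confluence JVM")
    for host, port in sorted(r["no_response"] - r["untrusted"]):
        print(f"{host}:{port}: heartbeat failed, no trust error logged")
```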

Cause

The certificate from your Load Balancer is not trusted by the application.

Resolution

To resolve this issue, import the Load Balancer's public certificate into Confluence's truststore. Please follow the instructions in this article to import the certificate: Unable to Connect to SSL Services due to PKIX Path Building Failed

Last modified on Nov 8, 2017
