Upgraded Confluence DataCenter with Microsoft SQL Server fails to start due to PKIX path building failed error
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Confluence does not start after having completed an upgrade due to enforced Microsoft SQL Server encryption.
Environment
Confluence 7.19, 8.X
Diagnosis
After upgrading Confluence, the catalina.out log file contains this error:
2024-02-03 08:38:15,669 INFO [Catalina-utility-1] [atlassian.confluence.cluster.DefaultClusterConfigurationHelper] lambda$populateExistingClusterSetupConfig$5 Populating setup configuration if running with Cluster mode...
2024-02-03 08:38:16,337 ERROR [Catalina-utility-1] [confluence.impl.setup.DefaultBootstrapDatabaseAccessor] getBootstrapData Unable to open database connection during bootstrap.
com.microsoft.sqlserver.jdbc.SQLServerException: "encrypt" property is set to "true" and "trustServerCertificate" property is set to "false" but the driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption: Error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. ClientConnectionId:62759952-040e-4fbf-8119-dd2679a3e1e7
at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:4026)
at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1954)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:3552)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:3172)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:3014)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1836)
at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1246)
at java.sql/java.sql.DriverManager.getConnection(Unknown Source)
at java.sql/java.sql.DriverManager.getConnection(Unknown Source)
at com.atlassian.confluence.impl.util.db.SingleConnectionDatabaseHelper.getConnection(SingleConnec
...
...
Also check which version of the Microsoft JDBC Driver for SQL Server Confluence is using: look for the file com.microsoft.sqlserver_mssql-jdbc-x.x.x.jar in the folder <confluence-installation-directory>/confluence/WEB-INF/lib/, where x.x.x is the driver version.
Cause
A breaking change was introduced in version 10.2 of the Microsoft JDBC Driver for SQL Server: encryption (encrypt=true) is now enabled by default. Since trustServerCertificate defaults to false, the driver now also validates the certificate presented by SQL Server against the JDK truststore on every connection. This becomes noticeable when upgrading to Confluence LTS 8.5.15 or later, where the bundled driver was upgraded from version 7.4.1 to 12.6.3. To connect with encryption enabled (encrypt=true), the CA certificate chain that issued the SQL Server's TLS certificate must be present in the JDK truststore used by Confluence; otherwise the driver cannot build a certification path and fails with the PKIX error shown above.
This issue can be triggered not only by a Confluence upgrade (which upgrades the bundled driver), but also by a JDK upgrade: the new JDK ships with its own cacerts file, so any custom certificates imported into the old JDK's truststore are lost unless they are imported again.
Solution
If encryption is enforced, import the Root CA certificate that issued the SQL Server's TLS certificate into the Java truststore, plus the Intermediate CA certificate(s) if SQL Server does not send the full chain during the TLS handshake. Make sure you import into the truststore of the JDK that Confluence actually starts with (check JAVA_HOME or JRE_HOME in the Confluence startup environment), otherwise the error persists. The server certificate must also be issued for the host name used in serverName (or hostNameInCertificate must be set to match), because the driver validates the host name as well as the chain. Restart Confluence after importing.
Our KB How to import a public SSL certificate into a JVM describes the keytool steps.
Workaround
As an alternative, you can tell the driver to accept the server certificate without validating it, so that Confluence starts. This weakens security: the connection is still encrypted, but because neither the certificate chain nor the host name is checked, anyone who can intercept traffic between Confluence and the database can present their own certificate and read or modify it. Treat it as a temporary measure and remove the parameter once the CA certificate has been imported into the truststore.
The trustServerCertificate=true query parameter is added to the JDBC URL defined in confluence.cfg.xml to suppress the validation:
...
<property name="hibernate.connection.url">jdbc:sqlserver://;serverName=THE_SERVER_NAME;portNumber=THE_PORT_NUMBER;databaseName=THE_DATABASE_NAME;trustServerCertificate=true</property>
...
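The following helper script is an added example, not code from Atlassian's KB. It puts the three checks above into shell functions: report the bundled driver version and whether it encrypts by default (the Diagnosis step), import a CA certificate into the truststore of the JDK Confluence runs on and verify it landed (the Solution), and audit confluence.cfg.xml for a trustServerCertificate=true left behind (the Workaround). The environment variables CONFLUENCE_INSTALL, CONFLUENCE_HOME, JAVA_HOME and TRUSTSTORE_PASS, the function names and the alias argument are assumptions of this example, not names from the page.

```shell
#!/usr/bin/env sh
# Added example (not from the Atlassian KB). Assumed environment, not stated on the page:
#   CONFLUENCE_INSTALL  Confluence installation directory
#   CONFLUENCE_HOME     Confluence home directory holding confluence.cfg.xml
#   JAVA_HOME           the JDK Confluence actually starts with
#   TRUSTSTORE_PASS     truststore password (JDK default is "changeit")

# 1. Report the bundled Microsoft JDBC driver version and whether it encrypts by default.
#    Prints "<version> encrypt-default=true|false"; returns 1 if no driver jar is found.
mssql_driver_encrypt_default() {
    lib_dir="$1"
    jar=$(ls "$lib_dir"/com.microsoft.sqlserver_mssql-jdbc-*.jar 2>/dev/null | head -n 1)
    [ -n "$jar" ] || { echo "no mssql-jdbc jar in $lib_dir" >&2; return 1; }
    version=$(basename "$jar" .jar | sed 's/^com\.microsoft\.sqlserver_mssql-jdbc-//')
    major=${version%%.*}
    rest=${version#*.}
    minor=${rest%%.*}
    # encrypt=true became the default in driver 10.2
    if [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 2 ]; }; then
        echo "$version encrypt-default=true"
    else
        echo "$version encrypt-default=false"
    fi
}

# 2. Import the CA certificate (PEM) that issued the SQL Server certificate into the
#    cacerts truststore of the given JDK, then verify the alias is really present.
import_ca_into_jdk() {
    pem="$1"; alias="$2"; java_home="$3"
    pass="${TRUSTSTORE_PASS:-changeit}"
    store="$java_home/lib/security/cacerts"
    [ -f "$store" ] || store="$java_home/jre/lib/security/cacerts"   # JDK 8 layout
    "$java_home/bin/keytool" -printcert -file "$pem" | sed -n '1,2p'   # show Owner/Issuer
    "$java_home/bin/keytool" -importcert -noprompt -trustcacerts \
        -alias "$alias" -file "$pem" -keystore "$store" -storepass "$pass"
    "$java_home/bin/keytool" -list -alias "$alias" -keystore "$store" -storepass "$pass" >/dev/null \
        && echo "imported $alias into $store"
}

# 3. Flag a confluence.cfg.xml whose JDBC URL still carries the trustServerCertificate=true
#    workaround (certificate validation disabled). Returns 0 = clean, 1 = workaround present.
#    Driver property names are matched case-insensitively.
jdbc_url_trusts_any_cert() {
    cfg="$1"
    url=$(sed -n 's/.*<property name="hibernate.connection.url">\(.*\)<\/property>.*/\1/p' "$cfg")
    case "$(printf '%s' "$url" | tr 'A-Z' 'a-z')" in
        *trustservercertificate=true*)
            echo "WARN: $cfg disables SQL Server certificate validation: $url"; return 1 ;;
        *)
            echo "OK: $cfg validates the SQL Server certificate"; return 0 ;;
    esac
}

# Usage: ./check-mssql-tls.sh [ca.pem alias]  (with the variables above exported)
main() {
    mssql_driver_encrypt_default "$CONFLUENCE_INSTALL/confluence/WEB-INF/lib"
    jdbc_url_trusts_any_cert "$CONFLUENCE_HOME/confluence.cfg.xml" || true
    if [ "$#" -eq 2 ]; then
        import_ca_into_jdk "$1" "$2" "$JAVA_HOME"
    fi
}
if [ -n "${CONFLUENCE_INSTALL:-}" ]; then main "$@"; fi
```

Run the import step on the JDK that Confluence's startup scripts resolve, not whichever java happens to be first on the PATH; with several JDKs installed that mismatch is the usual reason the PKIX error survives an import.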