Upgraded Confluence instance fails to start due to enforced SQL Server encryption
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Confluence does not start after an upgrade because the bundled Microsoft JDBC Driver now enforces encryption for the SQL Server connection and cannot validate the server certificate
Environment
Confluence 8.X
Diagnosis
After upgrading Confluence, the catalina.out log file contains a message such as the following:
2024-02-03 08:38:15,669 INFO [Catalina-utility-1] [atlassian.confluence.cluster.DefaultClusterConfigurationHelper] lambda$populateExistingClusterSetupConfig$5 Populating setup configuration if running with Cluster mode...
2024-02-03 08:38:16,337 ERROR [Catalina-utility-1] [confluence.impl.setup.DefaultBootstrapDatabaseAccessor] getBootstrapData Unable to open database connection during bootstrap.
com.microsoft.sqlserver.jdbc.SQLServerException: "encrypt" property is set to "true" and "trustServerCertificate" property is set to "false" but the driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption: Error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. ClientConnectionId:62759952-040e-4fbf-8119-dd2679a3e1e7
at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:4026)
at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1954)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:3552)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:3172)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:3014)
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1836)
at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1246)
at java.sql/java.sql.DriverManager.getConnection(Unknown Source)
at java.sql/java.sql.DriverManager.getConnection(Unknown Source)
at com.atlassian.confluence.impl.util.db.SingleConnectionDatabaseHelper.getConnection(SingleConnec
...
...
Also, check the version of the Microsoft JDBC Driver for SQL Server bundled with Confluence (not the version of SQL Server itself); it is part of the jar file name:
<confluence-installation-directory>/confluence/WEB-INF/lib/com.microsoft.sqlserver_mssql-jdbc-x.x.x.jar
Cause
As the error message states, the driver is enforcing encryption (encrypt=true) together with server certificate validation (trustServerCertificate=false), so that connections cannot silently fall back to plaintext and the server is authenticated before the login credentials are sent.
This breaking change was introduced in version 10.2 of the Microsoft JDBC Driver for SQL Server, where encrypt became true by default (trustServerCertificate has always defaulted to false). It shows up when upgrading to Confluence LTS 8.5.15, where the bundled driver changed from version 7.4.1 (used in 8.5.14) to 12.6.3. Note that with the older driver and no explicit encrypt property in the JDBC URL, the connection to SQL Server was most likely not encrypted at all, unless SQL Server itself was configured to force encryption.
With encryption enabled, the certificate presented by SQL Server must chain to a CA certificate present in the trust store of the JDK that Confluence runs with; the "PKIX path building failed" error means no such trust anchor was found. This happens when SQL Server uses a self-signed certificate or one issued by an internal CA that was never imported into the JDK trust store, or when the JDK was replaced as part of the Confluence upgrade and the custom certificates imported into the old JDK's trust store were not imported into the new one.
Solution
If encryption is enforced, the Root CA certificate (and any Intermediate CA certificates) that issued the SQL Server certificate must be imported into the Java truststore of the JDK that Confluence runs with; if SQL Server uses a self-signed certificate, import that certificate itself. Follow the steps in our KB How to import a public SSL certificate into a JVM. Make sure you modify the trust store of the JVM Confluence actually starts with (a JDK upgrade ships a fresh cacerts file), then restart Confluence.
Workaround
As an alternative, you can disable validation of the server certificate so that Confluence starts. This undermines security: the connection is still encrypted, but the driver accepts any certificate, so Confluence can no longer tell whether it is talking to the real SQL Server or to a host intercepting the connection. Treat it as a temporary measure and remove it once the CA certificate has been imported. If the certificate chain is already trusted and only the host name in the certificate does not match serverName, set the hostNameInCertificate property to the name in the certificate instead of disabling validation altogether.
The trustServerCertificate=true query parameter can be added to the JDBC URL defined in confluence.cfg.xml to suppress certificate validation:
...
<property name="hibernate.connection.url">jdbc:sqlserver://;serverName=DATABASE_NAME;portNumber=1234;databaseName=confluence;trustServerCertificate=true</property>
...
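The following Python script is an added example and is not part of the original article or of Atlassian's tooling. It ties together the Diagnosis and Workaround sections above: it parses the driver version out of the mssql-jdbc jar file name under WEB-INF/lib, reads hibernate.connection.url from confluence.cfg.xml, derives the effective encrypt and trustServerCertificate settings for that driver version (encrypt defaults to true from 10.2 onwards), and reports whether the connection is unencrypted, encrypted but unauthenticated (the workaround left in place), or encrypted and verified. The confluence.cfg.xml content, the jar name and the host sql01.example.internal are constructed sample data.

```python
"""Audit the SQL Server JDBC URL in confluence.cfg.xml against the
Microsoft JDBC Driver's connection-security defaults (encrypt=true since 10.2)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample confluence.cfg.xml (not taken from a real deployment).
# It carries the trustServerCertificate=true workaround described in the article.
SAMPLE_CFG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<confluence-configuration>
  <setupStep>complete</setupStep>
  <properties>
    <property name="hibernate.connection.url">jdbc:sqlserver://;serverName=sql01.example.internal;portNumber=1433;databaseName=confluence;trustServerCertificate=true</property>
    <property name="hibernate.connection.driver_class">com.microsoft.sqlserver.jdbc.SQLServerDriver</property>
  </properties>
</confluence-configuration>
"""

# Constructed jar name in the format found under confluence/WEB-INF/lib.
SAMPLE_DRIVER_JAR = "com.microsoft.sqlserver_mssql-jdbc-12.6.3.jar"

ENCRYPT_DEFAULT_TRUE_SINCE = (10, 2, 0)  # driver 10.2 flipped encrypt to "true"


def driver_version(jar_name):
    """Parse (major, minor, patch) out of an mssql-jdbc jar file name."""
    m = re.search(r"mssql-jdbc-(\d+)\.(\d+)\.(\d+)", jar_name)
    if m is None:
        raise ValueError("not a Microsoft JDBC Driver jar: %s" % jar_name)
    return tuple(int(part) for part in m.groups())


def connection_url(cfg_xml):
    """Return the hibernate.connection.url property from a confluence.cfg.xml document."""
    root = ET.fromstring(cfg_xml)
    for prop in root.iter("property"):
        if prop.get("name") == "hibernate.connection.url":
            return (prop.text or "").strip()
    raise KeyError("hibernate.connection.url not present")


def jdbc_properties(url):
    """Split a jdbc:sqlserver:// URL into its ';'-separated properties.
    The driver treats property names case-insensitively, so keys are lower-cased."""
    prefix = "jdbc:sqlserver://"
    if not url.startswith(prefix):
        raise ValueError("not a SQL Server JDBC URL")
    props = {}
    for part in url[len(prefix):].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            props[key.strip().lower()] = value.strip()
    return props


def audit(url, version):
    """Work out how the given driver version will protect this connection.

    Returns one of:
      UNENCRYPTED               - encrypt resolves to false; the driver does not request TLS
      ENCRYPTED_UNAUTHENTICATED - TLS, but any server certificate is accepted
      ENCRYPTED_VERIFIED        - TLS with certificate chain (and host name) validation
    """
    props = jdbc_properties(url)
    default_encrypt = "true" if version >= ENCRYPT_DEFAULT_TRUE_SINCE else "false"
    encrypt = props.get("encrypt", default_encrypt).lower()  # "true", "false" or "strict"
    trust_any = props.get("trustservercertificate", "false").lower() == "true"
    if encrypt == "false":
        return "UNENCRYPTED"
    if trust_any:
        return "ENCRYPTED_UNAUTHENTICATED"
    return "ENCRYPTED_VERIFIED"


def remove_trust_workaround(url):
    """Drop trustServerCertificate=... so the driver validates the server certificate again."""
    parts = [p for p in url.split(";")
             if not p.strip().lower().startswith("trustservercertificate=")]
    return ";".join(parts)


if __name__ == "__main__":
    version = driver_version(SAMPLE_DRIVER_JAR)
    url = connection_url(SAMPLE_CFG_XML)
    print("driver %d.%d.%d -> %s" % (version + (audit(url, version),)))
    print("hardened URL:", remove_trust_workaround(url))
```

Run against a real installation by replacing the constructed sample with the contents of confluence.cfg.xml and the jar name found under WEB-INF/lib. An ENCRYPTED_UNAUTHENTICATED result after the CA certificate has been imported means the workaround was never removed; a URL with no encrypt property will report UNENCRYPTED under the 7.4.1 driver and ENCRYPTED_VERIFIED under 12.6.3, which is exactly the change in behaviour that causes the startup failure.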