Confluence could not run through SSL due to jsse.invalid_ssl_conf
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Symptoms
After configuring Confluence to run through HTTPS/SSL, you cannot connect to the secure port, and the following appears in catalina.out:
SEVERE: Error initializing endpoint
java.io.IOException: jsse.invalid_ssl_conf
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:817)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:522)
...
Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(SSLServerSocketImpl.java:310)
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(SSLServerSocketImpl.java:255)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.checkConfig(JSSESocketFactory.java:813)
...
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
LifecycleException: Protocol handler initialization failed: java.io.IOException: jsse.invalid_ssl_conf
at org.apache.catalina.connector.Connector.initialize(Connector.java:1024)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
...
Cause
This error can have several causes. One is that keystoreType is not defined in server.xml: JSSE then assumes the default type, JKS, and cannot read a keystore that is in another format. Another is that the certificate was not imported into the keystore generated by keytool, because keytool does not let you import an existing private key for which you already have a certificate.
Resolution
You need to define keystoreType in server.xml, because the default is JKS. For example, the connector in your server.xml would look like this:
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
           URIEncoding="UTF-8"
           keystorePass="<MY_CERTIFICATE_PASSWORD>"
           keystoreFile="<MY_CERTIFICATE_LOCATION>"
           keystoreType="PKCS12"/>
If that does not help, convert your current certificate and key file from their present format to DER format, then import the key into a keystore so that it is recognized as a normal JKS keystore.
For further reading and a how-to covering these steps, please refer to the following link. (Please take note of the format of your certificate and key.)
- Import private key and certificate into Java Key Store (JKS)
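As an added check that is not part of this article, the script below reads the leading bytes of the keystore file named in keystoreFile and compares the detected format with the keystoreType attribute in server.xml (or the JKS default when the attribute is absent), which covers the first cause above; the file names and sample inputs are assumptions.

```shell
#!/bin/sh
# Added example, not from the Atlassian KB: detect the on-disk format of a
# keystore and compare it with the keystoreType a Tomcat <Connector> declares.
# Loading a PKCS12 file as the default JKS type is one way to end up with
# "jsse.invalid_ssl_conf" at startup.
set -eu

# Print the format of a keystore file from its first four bytes:
#   JKS    starts with the magic 0xFEEDFEED
#   JCEKS  starts with the magic 0xCECECECE
#   PKCS12 is DER, so it starts with a SEQUENCE tag (0x30)
#   PEM    starts with "----" and is not a store keystoreFile can load
keystore_type() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        30*)      echo PKCS12 ;;
        2d2d2d2d) echo PEM ;;
        *)        echo UNKNOWN ;;
    esac
}

# Extract keystoreType="..." from server.xml; Tomcat defaults to JKS when
# the attribute is absent, which is exactly the case the article describes.
configured_type() {
    t=$(sed -n 's/.*keystoreType="\([^"]*\)".*/\1/p' "$1" | head -n 1)
    echo "${t:-JKS}"
}

# Usage: check_keystore_config SERVER_XML KEYSTORE_FILE
# Returns 0 when the file format matches the configured type, 1 otherwise.
check_keystore_config() {
    wanted=$(configured_type "$1")
    actual=$(keystore_type "$2")
    if [ "$actual" = "$wanted" ]; then
        echo "ok: $2 is $actual and server.xml uses keystoreType=$wanted"
        return 0
    fi
    echo "mismatch: $2 is $actual but server.xml uses keystoreType=$wanted" >&2
    return 1
}
```

This only checks the container format; whether the store actually holds a PrivateKeyEntry for the certificate (the second cause above) still needs `keytool -list -v` on the store.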