Synchrony Cluster Cannot be Reached by Confluence due to PKIX Error

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Problem

When setting up a Synchrony cluster for Confluence Data Center, the Synchrony service cannot be reached when you attempt to enable the Collaborative Editing feature.

The following appears in atlassian-confluence.log:

2017-06-02 12:00:00,000 INFO [AtlassianEvent::CustomizableThreadFactory-1] [plugins.synchrony.config.DefaultSynchronyConfigurationManager] retrievePublicKey [Collab editing plugin] Could not retrieve public key for real-time collaboration service at https://confluence-url/synchrony/jwt-key with exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Diagnosis

Environment

  • The Confluence instance is using a Load Balancer with SSL.

  • The Load Balancer is set according to our documentation: How to configure Amazon Web Service Application Load Balancer with Confluence

  • The -Dsynchrony.service.url is properly set to use the Load Balancer URL in the Synchrony startup script. Example:

    -Dsynchrony.service.url=https://confluence-url/synchrony

  • The -Dsynchrony.service.url is properly set to use the Load Balancer URL + /v1 in the setenv configuration file of each node. Example:

    -Dsynchrony.service.url=https://confluence-url/synchrony/v1

Diagnostic Steps

  • Synchrony is set up correctly.

  • You can reach the Synchrony JVM by accessing the confluence-url/synchrony/heartbeat URL in a browser (an OK message is returned).

  • Setting the com.atlassian.confluence.plugins.synchrony class to DEBUG level under the Confluence Administrator panel > Logging and Profiling shows that Synchrony cannot be reached by Confluence:

2017-05-30 21:01:02,111 DEBUG [http-nio-8090-exec-3] [plugins.synchrony.bootstrap.DefaultSynchronyMonitor] isSynchronyUp Checking Synchrony heartbeat on: https://confluence-url/synchrony/heartbeat
2017-05-30 21:01:02,119 DEBUG [http-nio-8090-exec-3] [plugins.synchrony.bootstrap.DefaultSynchronyMonitor] isSynchronyUp No response from Synchrony.
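The following is an added example, not Atlassian's code: it scans atlassian-confluence.log text for the two signatures quoted in this article and reports which host's certificate Confluence rejected, so you know which certificate to import. The sample lines are constructed from the excerpts above, and the names scan, LINE, URL and SAMPLE_LOG are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in the atlassian-confluence.log layout quoted in this article.
SAMPLE_LOG = """\
2017-05-30 21:01:02,111 DEBUG [http-nio-8090-exec-3] [plugins.synchrony.bootstrap.DefaultSynchronyMonitor] isSynchronyUp Checking Synchrony heartbeat on: https://confluence-url/synchrony/heartbeat
2017-05-30 21:01:02,119 DEBUG [http-nio-8090-exec-3] [plugins.synchrony.bootstrap.DefaultSynchronyMonitor] isSynchronyUp No response from Synchrony.
2017-06-02 12:00:00,000 INFO [AtlassianEvent::CustomizableThreadFactory-1] [plugins.synchrony.config.DefaultSynchronyConfigurationManager] retrievePublicKey [Collab editing plugin] Could not retrieve public key for real-time collaboration service at https://confluence-url/synchrony/jwt-key with exception: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2017-06-02 12:00:05,000 INFO [main] [example.Unrelated] start Unrelated constructed line
"""

# timestamp, level, [thread], [logger], then the free-form message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>[A-Z]+) "
    r"\[(?P<thread>[^\]]+)\] \[(?P<logger>[^\]]+)\] (?P<msg>.*)$")
URL = re.compile(r"https?://\S+")


def scan(log_text):
    """Return (findings, heartbeat_failures).

    findings maps (host, port) of each Synchrony endpoint whose certificate
    chain was rejected (PKIX) to its first timestamp and occurrence count.
    heartbeat_failures counts "No response from Synchrony" DEBUG entries.
    """
    findings, heartbeat_failures = {}, 0
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or "plugins.synchrony" not in m["logger"]:
            continue  # not a Synchrony plugin entry
        msg = m["msg"]
        if "No response from Synchrony" in msg:
            heartbeat_failures += 1
        elif "Could not retrieve public key" in msg and "PKIX path building failed" in msg:
            found = URL.search(msg)
            if not found:
                continue  # signature present but no endpoint to attribute it to
            url = urlsplit(found.group())
            key = (url.hostname, url.port or (443 if url.scheme == "https" else 80))
            entry = findings.setdefault(key, {"first_seen": m["ts"], "count": 0})
            entry["count"] += 1
    return findings, heartbeat_failures


if __name__ == "__main__":
    hosts, misses = scan(SAMPLE_LOG)
    for (host, port), info in hosts.items():
        print(f"{host}:{port} untrusted since {info['first_seen']} ({info['count']}x), "
              f"{misses} failed heartbeat check(s)")
```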

Cause

The certificate from your Load Balancer is not trusted by the application.

Solution

Resolution

To resolve this issue, import the Load Balancer's public certificate into Confluence's truststore. Follow the instructions in this article to import the certificate: Unable to Connect to SSL Services due to PKIX Path Building Failed

Updated on April 8, 2025
