Summary

This article covers communication issues between the Confluence Cloud Migration Assistant (CCMA) and Atlassian Cloud infrastructure.

Environment

This problem impacts Confluence Server and Data Center.

Diagnosis

When using CCMA for migration, you might encounter error messages in the migration logs related to TLS communication with Atlassian Cloud infrastructure. These error messages might include:

com.atlassian.migration.agent.okhttp.IOHttpException: An IO exception occurred when communicating with a downstream service
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

The issue arises when the certificates on the Java TrustStore that Confluence uses are out-of-date and don't match the current certificates on Atlassian Cloud infrastructure.

Solution

To fix the issue, you need to manually import the current certificates used by Atlassian Cloud infrastructure into Confluence's Java TrustStore. Here's how to do it:

1. First, identify the URLs that CCMA needs to communicate with. You can find the current URLs in the CCMA communications section of IP addresses and domains for Atlassian cloud products documentation page. Create a dedicated public certificate file for each URL using the following commands:

   keytool -printcert -sslserver [URL] -rfc > [filename].crt

2. Next, import the saved public certificates into Confluence's Java TrustStore using the following commands:

   keytool -import -keystore [absolute_path_to_truststore] -storepass <password> -alias [alias] -file [filename].crt

3. Finally, restart Confluence and rerun the CCMA.

By following these steps, you should be able to resolve the communication failure between CCMA and Confluence Cloud infrastructure.