This is probably better as an article, but here's my experience of setting up a free Let's Encrypt certificate on a Windows server running BitBucket 4 or 5. Lots of moving parts, so take your time. This is based on my set up so your mileage may vary depending on your own setup/environment.
This is using Atlassian's built-in server on port 8443 to function, but this is easily adapted for your own port/proxy/forwarder set up. If you're forwarding SSL via IIS, I highly recommend "win-acme" (used to be called lets-encrypt-win-simple) which can automate renewals; https://github.com/PKISharp/win-acme/releases
Things go wrong, and you're sensible, right? You're a good server admin and you're going to back up any changes first, right? Well done.
A Let's Encrypt certificate needs to be renewed every 3 months - this takes around 10 minutes each time so 40 minutes a year to renew a "free" certificate is pretty good.
Pre-requisites
Create / Renew Cert
Convert to P12 format
private.key
certificate.cer
ca_bundle.cer
Import into keystore
Server Config / Properties
The first time you set up SSL, you'll need to alter the v4 server.xml file or in v5 the BitBucket.properties file, both found here: "C:\Atlassian\ApplicationData\Bitbucket\shared".
For version 4:
<Connector
port="8443"
maxHttpHeaderSize="8192"
SSLEnabled="true"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false"
disableUploadTimeout="true"
useBodyEncodingForURI="true"
acceptCount="100"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLSv1.2"
keystoreFile="file:///C:/Atlassian/ApplicationData/Bitbucket/shared/config/ssl-keystore/bitbucket.jks"
keystorePass="yourpassword"
/>
For version 5:
server.port=8443
server.secure=true
server.scheme=https
server.ssl.enabled=true
server.ssl.client-auth=want
server.ssl.protocol=TLSv1.2
server.ssl.key-alias=1
server.ssl.key-store=C:/Atlassian/ApplicationData/Bitbucket/shared/config/ssl-keystore/bitbucket.jks
server.ssl.key-store-password=w1llywonka
server.ssl.key-password=w1llywonka
I've made no other changes to these files.
Restart BitBucket Service
Restart the BitBucket server and head off to your domain but instead of ":7990" in the end (if you're running in the default Windows set up of BitBucket), change the port to 8443 (or whatever port you set up in the config file).
Optional: Export for JIRA
If you're also self-hosting JIRA, you're likely going to want to export the certificate so that you can import it into JIRA's keystore.
That's it, so we now have BitBucket running on a quarterly renewable Let's Encrypt certificate with the same cert imported into JIRA to authenticate access to BitBucket from within JIRA. If you want to secure JIRA with SSL, not that I've done that yet, I'm sure you could repeat these steps and adapt them for JIRA's installation paths and config files.
Following this guide got me over the last hurdle in setting up jira and bitbucket Application Links using a LetsEncrypt wildcard cert!
Thanks!