Bitbucket import from external HTTPS source fails with "Unable to reach server".

Summary

I'm posting this up because a considerable amount of time was wasted running off on a wild goose chase tracking down what we believed was a network communications issue when it was actually completely unrelated to network communications. Technically this isn't a question, but rather a bit of knowledge that will hopefully spare another systems engineer the trouble of tracking down this problem.

Problem

When attempting to import repositories from a repository over HTTPS (SSL), the error "Unable to reach server" is shown. When examining the atlassian-bitbucket.log on the server, there is no indication of any exception being thrown.

Cause

While the vague error "Unable to reach server" suggests a network problem, the actual problem is that your local Java trust store does not contain the issuing Certification Authority certificate for the SSL certificate in use on your repository server. You can verify this by using the SSLPoke Java class provided by Atlassian (where source-server-fqdn is the fully qualified domain name of your source repository server):

java SSLPoke <source-server-fqdn> 443

If Java does not trust the certificate authority that issued your source server's certificate, you'll see an exception similar to the following:

java.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target.

Solution

Acquire the Certification Authority's CA that issued your source server's SSL certificate and import it into the Java CA trust store.

keytool -import -alias <desired-alias> -file /path/to/certificate.crt -keystore /path/to/java/cacerts

Once the certificate is imported, retry the SSLPoke test. If it works, restart the Bitbucket server.

Notes

  • Use Base64 X509 encoded certificates.
  • The default java keystore is defined by your $JAVA_HOME variable, so the path to the default cacerts file is $JAVA_HOME/jre/lib/security/cacerts.

Additional Info:

Because this is probably a bug and I can't actually submit a report for it to Atlassian, below is some information on my Bitbucket server at the time this problem was found and resolved:

Bitbucket Version: 4.11.0

Host OS Version: CentOS 7.2.1511 (Kernel 3.10.0-327.36.3.el7.x86_64)

Java JDK Version: 1.8.0u112 x64
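
An added example, not part of the original post and not Atlassian tooling: a shell pre-flight for the import step described above. It checks that the CA file is Base64 (PEM) encoded, computes its SHA-256 fingerprint, and looks for that fingerprint in the `keytool -list -v` listing of the trust store. The function names and the STOREPASS variable are assumptions; `changeit` is the JDK's default cacerts password.

```shell
#!/bin/sh
# Added example. Function names and STOREPASS are assumptions, not Atlassian tooling.

# Succeeds if the file is a Base64 (PEM) X.509 certificate; fails for e.g. binary DER.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
        grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Prints the SHA-256 fingerprint of the first certificate in a PEM file,
# formatted AA:BB:... like the "SHA256:" line of `keytool -list -v`.
pem_sha256() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" |
        sed '/-----END CERTIFICATE-----/q' |
        grep -v -- '-----' | tr -d ' \r\n' | base64 -d | sha256sum |
        cut -d' ' -f1 | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Succeeds if the keytool listing on stdin contains the given fingerprint.
listing_has_fingerprint() {
    grep -qiF -- "$1"
}

# Usage: ca_in_truststore /path/to/certificate.crt /path/to/java/cacerts
# Exit 0: CA present in the store. 1: absent. 2: file is not PEM.
ca_in_truststore() {
    is_pem_cert "$1" || { echo "not Base64 (PEM) X.509: $1" >&2; return 2; }
    ca_fp=$(pem_sha256 "$1")
    echo "CA fingerprint: $ca_fp" >&2
    # STOREPASS falls back to the JDK default cacerts password.
    keytool -list -v -keystore "$2" -storepass "${STOREPASS:-changeit}" |
        listing_has_fingerprint "$ca_fp"
}

# Run directly with two arguments to check a real file and trust store.
if [ "$#" -eq 2 ]; then
    ca_in_truststore "$1" "$2" && echo "CA is trusted by this store"
fi
```

Run it before and after the keytool import: exit status 1 before and 0 after shows the certificate landed in the store you pointed it at.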

1 answer

Brilliant report, I'm sure many people will find this helpful.

Another solution is to upgrade your Java version, since that sometimes brings in new ca authority certs. For example, Java only started trusting "Let's Encrypt" sites as of Java 8u101 (July, 2016).

http://stackoverflow.com/questions/34110426/does-java-support-lets-encrypt-certificates

p.s. I invite people to try my add-on: Bit-Booster for Bitbucket Server
