Bitbucket import from external HTTPS source fails with "Unable to reach server".

Summary

I'm posting this up because a considerable amount of time was wasted running off on a wild goose chase tracking down what we believed was a network communications issue when it was actually completely unrelated to network communications. Technically this isn't a question, but rather a bit of knowledge that will hopefully spare another systems engineer the trouble of tracking down this problem.

Problem

When attempting to import repositories from a repository over HTTPS (SSL), the error "Unable to reach server" is shown. When examining the atlassian-bitbucket.log on the server, there is no indication of any exception being thrown.

Cause

While the vague error "Unable to reach server" suggests a network problem, the actual problem is that your local Java trust store does not contain the issuing Certification Authority certificate for the SSL certificate in use on your repository server. You can verify this by using the SSLPoke Java class provided by Atlassian (where source-server-fqdn is the fully qualified domain name of your source repository server):

java SSLPoke <source-server-fqdn> 443

If Java does not trust the certificate authority that issued your source server's certificate, you'll see an exception similar to the following:

java.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target.

Solution

Acquire the Certification Authority's CA that issued your source server's SSL certificate and import it into the Java CA trust store.

keytool -import -alias <desired-alias> -file /path/to/certificate.crt -keystore /path/to/java/cacerts

Once the certificate is imported, retry the SSLPoke test. If it works, restart the Bitbucket server.

Notes

  • Use Base64 X509 encoded certificates.
  • The default java keystore is defined by your $JAVA_HOME variable, so the path to the default cacerts file is $JAVA_HOME/jre/lib/security/cacerts.

Additional Info:

Because this is probably a bug and I can't actually submit a report for it to Atlassian, below is some information on my Bitbucket server at the time this problem was found and resolved:

Bitbucket Version: 4.11.0

Host OS Version: CentOS 7.2.1511 (Kernel 3.10.0-327.36.3.el7.x86_64)

Java JDK Version: 1.8.0u112 x64
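
One way to script the distinction the post draws between a real network failure and a trust-store failure, as an added example that is not part of the original post or of Atlassian's SSLPoke. The function names, categories and sample outputs are constructed for illustration; the matched strings are standard JDK exception text and SSLPoke's success message.

```shell
#!/bin/sh
# Added example (not from the original post): triage SSLPoke output so a
# trust-store failure is not chased as a network outage.
# Usage against a real host: java SSLPoke <source-server-fqdn> 443 2>&1 | classify_sslpoke

# Reads SSLPoke output on stdin and prints exactly one category.
# Trust checks come first: a PKIX failure proves the TCP connection worked.
classify_sslpoke() {
    out=$(cat)
    case "$out" in
        *"PKIX path building failed"*|*"unable to find valid certification path"*)
            echo "untrusted-ca" ;;    # issuing CA missing from the JVM's cacerts
        *"PKIX path validation failed"*)
            echo "invalid-chain" ;;   # CA is trusted, but the chain failed validation
        *UnknownHostException*)
            echo "dns" ;;
        *"Connection refused"*|*"timed out"*|*"No route to host"*)
            echo "network" ;;
        *"Successfully connected"*)
            echo "ok" ;;
        *)
            echo "unknown" ;;
    esac
}

# Maps a category to the next action (wording is this example's own).
next_step() {
    case "$1" in
        untrusted-ca)  echo "import the issuing CA into cacerts with keytool, re-run SSLPoke, restart Bitbucket" ;;
        invalid-chain) echo "CA is trusted but the chain is invalid (for example expired): fix the server certificate" ;;
        dns|network)   echo "genuine connectivity problem: check DNS, routing and firewalls" ;;
        ok)            echo "TLS is fine from this JVM: look elsewhere" ;;
        *)             echo "unrecognised output: read the full stack trace" ;;
    esac
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_TRUST='javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target'
SAMPLE_REFUSED='java.net.ConnectException: Connection refused (Connection refused)'
SAMPLE_DNS='java.net.UnknownHostException: git.example.invalid'
SAMPLE_OK='Successfully connected'

for sample in "$SAMPLE_TRUST" "$SAMPLE_REFUSED" "$SAMPLE_DNS" "$SAMPLE_OK"; do
    verdict=$(printf '%s\n' "$sample" | classify_sslpoke)
    printf '%s -> %s\n' "$verdict" "$(next_step "$verdict")"
done
```

Run SSLPoke with the same Java installation that Bitbucket uses, since each JVM has its own cacerts file.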

1 answer

Brilliant report, I'm sure many people will find this helpful.

Another solution is to upgrade your Java version, since that sometimes brings in new ca authority certs.  For example, Java only started trusting "Let's Encrypt" sites as of Java 8u101 (July, 2016).

http://stackoverflow.com/questions/34110426/does-java-support-lets-encrypt-certificates

 

p.s.  I invite people to try my add-on:  Bit-Booster for Bitbucket Server
