Bitbucket import from external HTTPS source fails with "Unable to reach server".

Chris Twilleager January 26, 2017

Summary

I'm posting this up because a considerable amount of time was wasted running off on a wild goose chase tracking down what we believed was a network communications issue when it was actually completely unrelated to network communications. Technically this isn't a question, but rather a bit of knowledge that will hopefully spare another systems engineer the trouble of tracking down this problem.

Problem

When attempting to import repositories from a repository over HTTPS (SSL), the error "Unable to reach server" is shown. When examining the atlassian-bitbucket.log on the server, there is no indication of any exception being thrown.

Cause

While the vague error "Unable to reach server" suggests a network problem, the actual problem is that your local Java trust store does not contain the issuing Certification Authority certificate for the SSL certificate in use on your repository server. You can verify this by using the SSLPoke Java class provided by Atlassian (where source-server-fqdn is the fully qualified domain name of your source repository server):

java SSLPoke <source-server-fqdn> 443

If Java does not trust the certificate authority that issued your source server's certificate, you'll see an exception similar to the following:

java.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target.

Solution

Acquire the Certification Authority's CA that issued your source server's SSL certificate and import it into the Java CA trust store.

keytool -import -alias <desired-alias> -file /path/to/certificate.crt -keystore /path/to/java/cacerts

Once the certificate is imported, retry the SSLPoke test. If it works, restart the Bitbucket server.

Notes

  • Use Base64 X509 encoded certificates.
  • The default java keystore is defined by your $JAVA_HOME variable, so the path to the default cacerts file is $JAVA_HOME/jre/lib/security/cacerts.

Additional Info:

Because this is probably a bug and I can't actually submit a report for it to Atlassian, below is some information on my Bitbucket server at the time this problem was found and resolved:

Bitbucket Version: 4.11.0

Host OS Version: CentOS 7.2.1511 (Kernel 3.10.0-327.36.3.el7.x86_64)

Java JDK Version: 1.8.0u112 x64
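The Solution and Notes above assume the file handed to keytool really is the issuing CA and is Base64 (PEM) encoded. The following is an added example, not part of the original post or of Atlassian's tooling: a pre-flight check with openssl that converts DER to PEM when needed and confirms that the CA file actually issued the server certificate. The function names, file names and certificate subjects are hypothetical, and the certificates are constructed on the fly.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks on a CA file before `keytool -import`.
# Function names, file names and subjects are hypothetical/constructed.

# is_pem FILE: succeeds if FILE is a Base64 (PEM) X.509 certificate.
is_pem() { grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; }

# to_pem IN OUT: write a PEM copy of IN, converting from binary DER if needed.
to_pem() {
    if is_pem "$1"; then cp "$1" "$2"
    else openssl x509 -inform DER -in "$1" -outform PEM -out "$2"; fi
}

# issued_by CA_PEM SERVER_PEM: succeeds only if SERVER_PEM verifies against
# CA_PEM. A failure is OpenSSL's counterpart of "PKIX path building failed".
issued_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# make_fixture DIR: build two constructed CAs and a server certificate
# signed by the first one, plus a DER copy of the issuing CA.
make_fixture() {
    (
        cd "$1" || exit 1
        for ca in issuing unrelated; do
            openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
                -subj "/CN=Constructed $ca CA" \
                -keyout "$ca.key" -out "$ca.pem" || exit 1
        done
        openssl req -newkey rsa:2048 -nodes -subj "/CN=source.example.test" \
            -keyout server.key -out server.csr || exit 1
        openssl x509 -req -in server.csr -CA issuing.pem -CAkey issuing.key \
            -CAcreateserial -days 1 -out server.pem || exit 1
        openssl x509 -in issuing.pem -outform DER -out issuing.der
    ) >/dev/null 2>&1
}

# preflight CA_FILE SERVER_PEM: print a verdict; succeed only if CA_FILE
# is the certificate that should go into the Java trust store.
preflight() {
    _pem=$(mktemp) || return 1
    if to_pem "$1" "$_pem" 2>/dev/null && issued_by "$_pem" "$2"; then
        echo "OK: $1 issued $2"; rm -f "$_pem"; return 0
    fi
    echo "REJECT: $1 did not issue $2"; rm -f "$_pem"; return 1
}

demo_dir=$(mktemp -d) && make_fixture "$demo_dir" && {
    preflight "$demo_dir/issuing.der" "$demo_dir/server.pem" || true
    preflight "$demo_dir/unrelated.pem" "$demo_dir/server.pem" || true
}
rm -rf "$demo_dir"
```

Against a real server, the PEM file passed as SERVER_PEM would be the certificate the source repository server presents; a CA file that is rejected here will not fix the SSLPoke failure after import.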

1 answer

0 votes
G__Sylvie_Davies__bit-booster_com_
January 26, 2017

Brilliant report, I'm sure many people will find this helpful.

Another solution is to upgrade your Java version, since that sometimes brings in new ca authority certs.  For example, Java only started trusting "Let's Encrypt" sites as of Java 8u101 (July, 2016).

http://stackoverflow.com/questions/34110426/does-java-support-lets-encrypt-certificates

p.s.  I invite people to try my add-on:  Bit-Booster for Bitbucket Server
