Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Cannot get SSL configured on Bitbucket Server 5.0 Edited

Hello,

I upgraded to Bitbucket Server 5 from 4.latest and cannot get the SSL part configured in the new bitbucket.properties file which migrated from server.xml. I'm getting a SSL protocol error when trying to go to my site in Chrome, etc. Here are my configs, first the server. xml file and the new bitbucket.properties file.  I'm using Windows Server 2012 R2.

        <Connector port="80" address="209.9.229.54" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   useBodyEncodingForURI="true"
                   redirectPort="443"
                   compression="on"
                   compressableMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,application/x-javascript" />
        
        <Connector port="443" address="209.9.229.54" protocol="org.apache.coyote.http11.Http11NioProtocol"
                   maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12" keystorePass="mypassword" keystoreFile="c:\certs\mycertfile.pfx" />
# Whether SSO support should be enabled or not. Regardless of this setting SSO authentication 
# will only be activated when a Crowd directory is configured in Stash that is configured 
# for SSO.
plugin.auth-crowd.sso.enabled=true

server.port=80
server.address=209.9.229.54
server.redirect-port=443
server.compression.enabled=true
server.compression.mime-types=
text/css,text/html,text/javascript,text/json,text/plain,text/xml,text/x-javascript,\
  application/javascript,application/json,application/x-javascript,application/vnd.git-lfs+json

server.additional-connector.1.port=443
server.additional-connector.1.address=209.9.229.54
server.additional-connector.1.secure=true
server.additional-connector.1.scheme=https
server.additional-connector.1.ssl.client-auth=want
server.additional-connector.1.ssl.protocol=TLSv1.2
server.additional-connector.1.ssl.key-store=c:\\certs\\mycertfile.pfx
server.additional-connector.1.ssl.key-store-password=mypassword
server.additional-connector.1.ssl.key-password=mypassword
server.additional-connector.1.ssl.key-store-type=pkcs12

Can someone please tell me how to setup the bitbucket.properties file for my former connectors?

Thank you

8 answers

1 accepted

I just resolved this issue, short story, I needed to have both ssl.key-store-password and ssl.key-password (in addition to ssl.enabled=true). While probably not necessary I also re-exported my wildcart cert from IIS to a pfx, left it as a pfx and updated my config to use pkcs12 as the type.  I used the keytool command to get the aliax from the pfx which is a guid. Here is my complete new config that now works.  Many thanks to Atlassian support for the help and Jeff above.

server.port=80
server.address=209.9.229.54
server.redirect-port=443
server.compression.enabled=true
server.compression.mime-types=
text/css,text/html,text/javascript,text/json,text/plain,text/xml,text/x-javascript,\
application/javascript,application/json,application/x-javascript,application/vnd.git-lfs+json

server.additional-connector.1.port=443
server.additional-connector.1.address=209.9.229.54
server.additional-connector.1.secure=true
server.additional-connector.1.scheme=https
server.additional-connector.1.ssl.protocol=TLSv1.2
server.additional-connector.1.ssl.enabled=true
server.additional-connector.1.ssl.key-store=c:/certs/key.jks
server.additional-connector.1.ssl.key-store-password=mypass
server.additional-connector.1.ssl.key-password=mypass
#server.additional-connector.1.ssl.key-alias=tomcat
server.additional-connector.1.proxy-port=443
server.additional-connector.1.ssl.client-auth=want
server.additional-connector.1.ssl.key-store-type=jks

It's a shame we don't have comments inline with the documentation like in the past as that's always been a huge help. There is a lot lacking in the documentation, I had to take a stab at server.address as you can see I set a port and IP address as do all my atlassian products on one server.

Full day lost on this one! :( But I'm glad it's fixed.

EDIT: I changed the config above, using the pfx / pkcs12 did not work, maybe for lack of using an alias in my config, I don't know. While it worked to connect from the web site Bamboo could not get a valid SSL connection to clone git repos. I changed to the JKS cert and added the alias and now it works for me for all endpoints.

I too have a wildcard cert that was working in Bitbucket Server 4.6.1.  How do you add an alias in Portecle?  Do I essentially have to request a new certificate, or is there an easier way?

Nevermind - I see the commented line above and added the wildcard address as the alias and it started working!

2 votes

Hi Neal,

What is the SSL error that you're seeing?

It looks like the ssl.enabled property is missing. Can you try adding the following and see if it resolves the error?

server.additional-connector.1.ssl.enabled=true

If you were following a guide for this, can you let me know which one? I want to make sure that property is included in the documentation. 

Update: Looks like you may be following Migrate server.xml customizations to bitbucket.properties which is missing this property. I'll get it updated.

Jeff Thomas Atlassian Team May 05, 2017

We should see an error in the atlassian-bitbucket.log file which indicates why it failed to start. Can you find that log in $BITBUCKET_HOME/log and see what the error is?


***************************
APPLICATION FAILED TO START
***************************

Description:

The Tomcat connector configured to listen on port 443 failed to start. The port may already be in use or the connector may be misconfigured.

Action:

Verify the connector's configuration, identify and stop any process that's listening on port 443, or configure this application to listen on another port.

2017-05-05 14:40:16,166 INFO [main] c.a.b.i.boot.log.BuildInfoLogger Bitbucket 5.0.0 has shut down

Did you ever get this fixed?  Having the same issue but on Linux. 

I'm also having the exact same same issue.   It's obviously a bitbucket.properties configuration issue but I can't at all find what's wrong.  

My keystore is in pkcs12 format and my bitbucket.properties entries are:

server.port=8888
server.ssl.enabled=true
server.ssl.key-store=/etc/pki/tls/keystore/bitbucket.jks
server.ssl.key-store-password=<keystorepassword>
server.ssl.protocol=TLSv1.2
server.ssl.key-store-type=pkcs12

And I get the exact same error as above, when I attempt to stop and restart BB 5.5.0.

Is it possible that your key alias is a custom one?

 

If that's the case, you would need to explicitly define it in the bitbucket.properties file.

 

Here is how you can check it:

- Find the correct alias: run this command against your keystore to list the keys and look at the value of the "Alias name" field

keytool -v -list -keystore <keystore> | grep Alias

Add the key alias to your config: In $BITBUCKET_HOME/shared/bitbucket.propertie, add the key alias from step 1 to your main connector configuration

server.ssl.key-alias=yourkeyalias
Like Benjamin likes this

Thank you, Caterina.  That variable is the one that I couldn't find documented.  Yes, my alias was custom so I was missing that entry. 

 

Thanks again!

Like Benjamin likes this

Thanks for the tip on the keystore alias - looks like it is mandatory even if keystore has only one cert :/

I used portecle to examine the keystore and get the alias string - then it finally started working as expected.

I have a wildcard cert that was working in Bitbucket Server 4.6.1.  How do you add an alias in Portecle?  Do I essentially have to request a new certificate, or is there an easier way?

You do not create an alias. You use portecle to obtain the alias ID for the cert loaded to a keystore. Then use it in BitBucket config to identify which cert needs to load from the keystore - even if there is only one.

Do you have that cert loaded to the keystore?

Nevermind - I see the commented line in the example above and added the wildcard address as the alias and it started working!

Here's how I did it.

server.require-ssl=true
server.additional-connector.1.port=8443
server.additional-connector.1.redirect-port=443
server.additional-connector.1.address=x.x.x.x
server.additional-connector.1.require-ssl=true
server.additional-connector.1.secure=true
server.additional-connector.1.scheme=https
server.additional-connector.1.ssl.protocol=TLSv1.2
server.additional-connector.1.ssl.enabled=true
server.additional-connector.1.ssl.key-store=/data/var/atlassian/application-data/bitbucket/shared/bitbucket.jks
server.additional-connector.1.ssl.key-store-password=XXX
server.additional-connector.1.ssl.key-password=XXX
server.additional-connector.1.ssl.key-alias=bitbucket.XXX 
server.additional-connector.1.ssl.client-auth=want
server.additional-connector.1.ssl.key-store-type=jks

 

Alias needs to match the name in the keystore

I am also having issues, please help


server.additional-connector.1.port=7991
server.additional-connector.1.address=10.123.5.187
server.additional-connector.1.secure=true
server.additional-connector.1.scheme=https
#server.additional-connector.1.proxy-port=443
server.additional-connector.1.ssl.enabled=true
#server.additional-connector.1.ssl.client-auth=want
server.additional-connector.1.ssl.protocol=TLSv1.2
server.additional-connector.1.ssl.key-store=C:\\Atlassian\\Stash\\3.10.0\\stash02.jks
server.additional-connector.1.ssl.key-store-password=password
server.additional-connector.1.ssl.key-password=

These are the errors I am getting right now? Any help would be wonderful thanks

2018-05-14 15:51:35,099 ERROR [main]  o.a.coyote.http11.Http11NioProtocol Failed to start end point associated with ProtocolHandler ["https-jsse-nio-10.196.28.114-7991"]
java.lang.IllegalArgumentException: java.io.IOException: Alias name [tomcat] does not identify a key entry

Hi @Julie Roggenbuck,

Can you try the suggestion from  this comment in this thread?

 

We also have an article here that covers how to implement this configuration:

Unable to start Tomcat due to java.io.IOException Alias name not identifying a key entry

 

Cheers,

Caterina - Atlassian

I was having the same problem on Windows, turns out I needed to supply an alias name. I've copied my properties below for anyone else struggling to set up SSL on v5 of BitBucket on Windows.

If you've forgotten your alias, like I did, you can find it by opening a CMD prompt and using the following, altering the path to your point to your ".jks" file.

"%JAVA_HOME%\bin\keytool" -list -v -keystore C:\Atlassian\ApplicationData\Bitbucket\shared\config\ssl-keystore\bitbucket.jks 
server.port=8443
server.secure=true
server.scheme=https
server.ssl.enabled=true
server.ssl.client-auth=want
server.ssl.protocol=TLSv1.2
server.ssl.key-alias=<your alias here>
server.ssl.key-store=C:/Atlassian/ApplicationData/Bitbucket/shared/config/ssl-keystore/bitbucket.jks
server.ssl.key-store-password=<your password here>
server.ssl.key-password=<your password here>

Hi Jay, 

 

Is below path correct for properties and certificate respectivly?

C:\Atlassian\ApplicationData\Bitbucket\shared\bitbucket.pproperties

C:\Atlassian\ApplicationData\Bitbucket\shared\config\ssl-keystore\ssl-keystore.jks

 

thanks,

Tshepiso

Hi Tshepiso, yup those match the files I've changed on our installation.

J.

Thank Jay,

 

I finally got the bitbucket to work on Https port 8443. 

But I am getting the warning message below. Do you know how I can fix this?

Your PC doesn’t trust this website’s security certificate.
The hostname in the website’s security certificate differs from the website you are trying to visit.

I am also having issue after upgrading from 4.12 to 5.13. Here is my server.xml

 

<Connector port="443"
                protocol="org.apache.coyote.http11.Http11NioProtocol"
                maxHttpHeaderSize="8192"
                SSLEnabled="true"
                maxThreads="150"
                minSpareThreads="25"
                maxSpareThreads="75"
                enableLookups="false"
                disableUploadTimeout="true"
                useBodyEncodingForURI="true"
                acceptCount="100"
                scheme="https"
                secure="true"
                URIEncoding="UTF-8"
                compression="on"
                compressionMinSize="2048"
                compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
                useCipherSuitesOrder="true"
                ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
                        TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
                        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                        TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                        TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                        TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
                        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
                        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                        TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
                        TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
                        TLS_ECDH_RSA_WITH_RC4_128_SHA,
                        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                        TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
                        TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
                        TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
                        TLS_EMPTY_RENEGOTIATION_INFO_SCSVF"
                clientAuth="false"
                sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
                keystoreFile="C:\path_to_jks"
                keystorePass="passwordhere"
                keyAlias="tomcat"/>

 

 

and this is what on my bitbucket.properties

server.compression.enabled=true
server.compression.mime-types=text/css,text/html,text/javascript,text/json,text/plain,text/xml,text/x-javascript,\application/javascript,application/json,application/x-javascript,application/vnd.git-lfs+json
server.context-path=/
server.displayName=Atlassian Bitbucket
server.port=443
server.secure=true
server.scheme=https
server.ssl.enabled=true
server.ssl.client-auth=want
server.ssl.protocol=TLSv1, TLSv1.1, TLSv1.2
server.ssl.key-store=C:\path_to_jks
server.ssl.key-store-password=passwordhere
server.ssl.key-password=passwordhere
server.ssl.key-alias=tomcat
server.additional-connector.1.ssl.key-store-type=jks

 

but still having the error above. please help. thanks.

For anyone still having an issue with this on a Windows installation of Bitbucket, pay close attention to the forward slashes for the key-store location:

server.ssl.key-store=C:/path/to/jks

Also, check the following issues that I've seen in several areas while looking for my own solution:

- If you set a custom key-store-password, you must also set the key-password to be the same.

- If you set a custom key-alias (mycertname), this must be in the bitbucket.properties.

- Don't use double quotes around the passwords, unless that's part of the password

- The settings are configured per interface (with the default interface being "server"). For example, with the following three lines, "additional-connector.1" does not have "ssl.enabled=true" applied to it:

server.port=443

server.ssl.enabled=true

server.additional-connector.1.port=8443

- The settings you choose simply override the default settings. If you only choose a port, for example, you will still have ssl enabled with the defualt protocols with the default keystore, assuming everything is configured as expected in that keystore. Keep this in mind while troubleshooting, it will come in handy.

- Check that your certs are in the proper key-store. I inherited my installation of Bitbucket, where the previous admin had imported the Java version to keep it stationary, but the upgrade changed to use the system default version of Java, where I had to import the certificates needed. You can check this with:

%JAVA_HOME%\bin\keytool -list -keystore C:\path\to\keystore.jks
- For trusted certs, you need to import them into the cacerts for the version of Java in use. This can typically be found by going to Control Panel > (View by Large Icons) Java > "Java" tab > "View..."

The cacerts keystore is in the jre > lib > security folder.

If you are :

  1. Using a reverse ARR proxy in IIS
  2. Running BitBucket Server locally
  3. Using Jira Cloud remotely

    aka... jira server is unacceptable due to lack of updates by Atlassian, and bitbucket server must run on a private system...

  4. Your bitbucket runs without SSL for speed on localhost 127.0.0.1 
    aka default install on windows..

  5. Your external DNS domain runs on 443 SSL pointing to the ARR iis binding
    (see reverse proxy web.config down below) 

  6. I presume you sorted out your SSL cert for the DNS item, using letsencrypt or whatever.
    aka you can reach your website in your browser...
    It could be php, it could be asp.net, it could be html.
    IN this case... it's a reverse proxy to another port --- for bitbucket.
    Point is, it's an IIS binding you can reach on SSL.....

  7. And your application links fail to connect ("Network error" on jira cloud)

Then you have my exact situation, and the proper config is like so:

server.port=8443
server.scheme=https
server.proxy-name=git.MyDomainWebsite.com
server.proxy-port=443

I do not know why.
I have tried EVERYTHING listed above, and bitbucket server refuses to boot up and/or Jira cloud refuses to process the OAUTH token ("Network error").
But the above works for me 100%.
Nothing more. Nothing less. bitbucket.properties
--> You don't NEED a self-signed ssl cert... IIS can proxy that sh*t. And you can avoid all the mayhem above which in my case solved absolutely nothing whatsoever.. 


P.s. extra.... And your web.config ARR should look like:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="HTTP to HTTPS redirect" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="off" ignoreCase="true" />
</conditions>
<action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
</rule>
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="(.*)" />
<action type="Rewrite" url="http://127.0.0.1:8443/{R:1}" />
<serverVariables>
<set name="HTTP_USER_AGENT" value="whatever" />
<!--<set name="X_ATLASSIAN_TOKEN" value="nocheck" />-->
</serverVariables>
</rule>
</rules>
</rewrite>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
<add name="Content-Security-Policy" value="upgrade-insecure-requests" />
</customHeaders>
</httpProtocol>
<security>
<requestFiltering allowDoubleEscaping="true" />
</security>
<caching enabled="false" enableKernelCache="false" />
</system.webServer>
<system.web>
<httpRuntime executionTimeout="20" maxRequestLength="207151" requestPathInvalidCharacters="" requestValidationMode="2.0" />
<pages validateRequest="false" />
</system.web>
</configuration>

  

Suggest an answer

Log in or Sign up to answer
TAGS
Community showcase
Published in Bitbucket

Powering DevOps with Bitbucket Server & Data Center

Hi everyone, The Cloud team recently announced 12 new DevOps features that help developers ship better code, faster   ! While we’re all excited about the new improvements to Bitbucket ...

1,880 views 0 7
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you