Cannot get SSL configured on Bitbucket Server 5.0

Neal Culiner
Rising Star
May 5, 2017

Hello,

I upgraded to Bitbucket Server 5 from 4.latest and cannot get the SSL part configured in the new bitbucket.properties file which migrated from server.xml. I'm getting an SSL protocol error when trying to go to my site in Chrome, etc. Here are my configs, first the server.xml file and then the new bitbucket.properties file. I'm using Windows Server 2012 R2.

        <Connector port="80" address="209.9.229.54" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   useBodyEncodingForURI="true"
                   redirectPort="443"
                   compression="on"
                   compressableMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,application/x-javascript" />
        
        <Connector port="443" address="209.9.229.54" protocol="org.apache.coyote.http11.Http11NioProtocol"
                   maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12" keystorePass="mypassword" keystoreFile="c:\certs\mycertfile.pfx" />
# Whether SSO support should be enabled or not. Regardless of this setting SSO authentication 
# will only be activated when a Crowd directory is configured in Stash that is configured 
# for SSO.
plugin.auth-crowd.sso.enabled=true

server.port=80
server.address=209.9.229.54
server.redirect-port=443
server.compression.enabled=true
server.compression.mime-types=\
text/css,text/html,text/javascript,text/json,text/plain,text/xml,text/x-javascript,\
  application/javascript,application/json,application/x-javascript,application/vnd.git-lfs+json

server.additional-connector.1.port=443
server.additional-connector.1.address=209.9.229.54
server.additional-connector.1.secure=true
server.additional-connector.1.scheme=https
server.additional-connector.1.ssl.client-auth=want
server.additional-connector.1.ssl.protocol=TLSv1.2
server.additional-connector.1.ssl.key-store=c:\\certs\\mycertfile.pfx
server.additional-connector.1.ssl.key-store-password=mypassword
server.additional-connector.1.ssl.key-password=mypassword
server.additional-connector.1.ssl.key-store-type=pkcs12

Can someone please tell me how to set up the bitbucket.properties file for my former connectors?

Thank you

8 answers

1 accepted

1 vote
Answer accepted
Neal Culiner
Rising Star
May 5, 2017

I just resolved this issue, short story, I needed to have both ssl.key-store-password and ssl.key-password (in addition to ssl.enabled=true). While probably not necessary I also re-exported my wildcard cert from IIS to a pfx, left it as a pfx and updated my config to use pkcs12 as the type. I used the keytool command to get the alias from the pfx which is a guid. Here is my complete new config that now works. Many thanks to Atlassian support for the help and Jeff above.

server.port=80
server.address=209.9.229.54
server.redirect-port=443
server.compression.enabled=true
server.compression.mime-types=\
text/css,text/html,text/javascript,text/json,text/plain,text/xml,text/x-javascript,\
application/javascript,application/json,application/x-javascript,application/vnd.git-lfs+json

server.additional-connector.1.port=443
server.additional-connector.1.address=209.9.229.54
server.additional-connector.1.secure=true
server.additional-connector.1.scheme=https
server.additional-connector.1.ssl.protocol=TLSv1.2
server.additional-connector.1.ssl.enabled=true
server.additional-connector.1.ssl.key-store=c:/certs/key.jks
server.additional-connector.1.ssl.key-store-password=mypass
server.additional-connector.1.ssl.key-password=mypass
#server.additional-connector.1.ssl.key-alias=tomcat
server.additional-connector.1.proxy-port=443
server.additional-connector.1.ssl.client-auth=want
server.additional-connector.1.ssl.key-store-type=jks

It's a shame we don't have comments inline with the documentation like in the past as that's always been a huge help. There is a lot lacking in the documentation; I had to take a stab at server.address, as you can see I set a port and IP address as do all my Atlassian products on one server.

Full day lost on this one! :( But I'm glad it's fixed.

EDIT: I changed the config above, using the pfx / pkcs12 did not work, maybe for lack of using an alias in my config, I don't know. While it worked to connect from the web site Bamboo could not get a valid SSL connection to clone git repos. I changed to the JKS cert and added the alias and now it works for me for all endpoints.

rooksoftware August 24, 2017

I too have a wildcard cert that was working in Bitbucket Server 4.6.1.  How do you add an alias in Portecle?  Do I essentially have to request a new certificate, or is there an easier way?

rooksoftware August 24, 2017

Nevermind - I see the commented line above and added the wildcard address as the alias and it started working!

2 votes
Jeff Thomas
Atlassian Team
May 5, 2017

Hi Neal,

What is the SSL error that you're seeing?

It looks like the ssl.enabled property is missing. Can you try adding the following and see if it resolves the error?

server.additional-connector.1.ssl.enabled=true

If you were following a guide for this, can you let me know which one? I want to make sure that property is included in the documentation. 

Update: Looks like you may be following Migrate server.xml customizations to bitbucket.properties which is missing this property. I'll get it updated.

Neal Culiner
Rising Star
May 5, 2017

When I add that the Windows service will fail and stop.

I followed the guidance at https://confluence.atlassian.com/bitbucketserver/migrate-server-xml-customizations-to-bitbucket-properties-897811761.html

Jeff Thomas
Atlassian Team
May 5, 2017

We should see an error in the atlassian-bitbucket.log file which indicates why it failed to start. Can you find that log in $BITBUCKET_HOME/log and see what the error is?

Neal Culiner
Rising Star
May 5, 2017


***************************
APPLICATION FAILED TO START
***************************

Description:

The Tomcat connector configured to listen on port 443 failed to start. The port may already be in use or the connector may be misconfigured.

Action:

Verify the connector's configuration, identify and stop any process that's listening on port 443, or configure this application to listen on another port.

2017-05-05 14:40:16,166 INFO [main] c.a.b.i.boot.log.BuildInfoLogger Bitbucket 5.0.0 has shut down

Jennifer Hall November 4, 2017

Did you ever get this fixed?  Having the same issue but on Linux. 

OneTech IT January 11, 2018

I'm also having the exact same issue. It's obviously a bitbucket.properties configuration issue but I can't at all find what's wrong.

My keystore is in pkcs12 format and my bitbucket.properties entries are:

server.port=8888
server.ssl.enabled=true
server.ssl.key-store=/etc/pki/tls/keystore/bitbucket.jks
server.ssl.key-store-password=<keystorepassword>
server.ssl.protocol=TLSv1.2
server.ssl.key-store-type=pkcs12

And I get the exact same error as above, when I attempt to stop and restart BB 5.5.0.

Caterina Curti
Atlassian Team
January 14, 2018

Is it possible that your key alias is a custom one?

 

If that's the case, you would need to explicitly define it in the bitbucket.properties file.

 

Here is how you can check it:

1. Find the correct alias: run this command against your keystore to list the keys and look at the value of the "Alias name" field:

keytool -v -list -keystore <keystore> | grep Alias

2. Add the key alias to your config: in $BITBUCKET_HOME/shared/bitbucket.properties, add the key alias from step 1 to your main connector configuration:

server.ssl.key-alias=yourkeyalias
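The alias check above, as an added example that is not part of Caterina's answer or Atlassian's tooling: a short script that parses the output of `keytool -v -list` instead of piping it through grep (which Windows hosts do not have), keeps only PrivateKeyEntry aliases (a trustedCertEntry cannot serve a TLS connector), prints the `ssl.key-alias` line for a given connector prefix, and explains the "Alias name [tomcat] does not identify a key entry" startup error seen later in this thread by looking the alias up in the listing. The keytool output embedded below is constructed sample data; the GUID alias and Example Org names are placeholders.

```python
"""Pick the ssl.key-alias for bitbucket.properties from `keytool -v -list` output.
Added example for this page; not Atlassian's tooling."""
import sys


def parse_keytool_listing(text):
    """Return one dict per keystore entry: alias, entry type and the first Owner line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            entries.append({"alias": line.split(":", 1)[1].strip(),
                            "type": None, "owner": None})
        elif entries and line.startswith("Entry type:") and entries[-1]["type"] is None:
            entries[-1]["type"] = line.split(":", 1)[1].strip()
        elif entries and line.startswith("Owner:") and entries[-1]["owner"] is None:
            entries[-1]["owner"] = line.split(":", 1)[1].strip()
    return entries


def private_key_aliases(text):
    """Only PrivateKeyEntry aliases can serve a TLS connector; trusted certs cannot."""
    return [e["alias"] for e in parse_keytool_listing(text) if e["type"] == "PrivateKeyEntry"]


def key_alias_property(text, prefix="server"):
    """The line to add under the given connector prefix; refuses to guess if ambiguous."""
    aliases = private_key_aliases(text)
    if len(aliases) != 1:
        raise ValueError(f"expected exactly one PrivateKeyEntry, found {aliases}")
    return f"{prefix}.ssl.key-alias={aliases[0]}"


def diagnose_alias(text, alias):
    """Explain why Tomcat rejected `alias` ('tomcat' is what it looks for when key-alias is unset)."""
    entries = {e["alias"]: e for e in parse_keytool_listing(text)}
    if alias not in entries:
        return f"alias '{alias}' is not in the keystore; PrivateKeyEntry aliases: {private_key_aliases(text)}"
    if entries[alias]["type"] != "PrivateKeyEntry":
        return f"alias '{alias}' is a {entries[alias]['type']} (certificate only), not a private key"
    return f"alias '{alias}' is a PrivateKeyEntry; look at key-store-password / key-password instead"


# Constructed sample of `keytool -v -list` output: a PKCS12 export whose key alias is a
# GUID (as in the accepted answer) plus a trusted root certificate.  Not real data.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: 4f1c2e9a-0000-4000-8000-000000000000
Creation date: May 5, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=*.example.test, O=Example Org
Issuer: CN=Example Intermediate CA, O=Example Org

*******************************************
*******************************************

Alias name: rootca
Creation date: May 5, 2017
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example Org
Issuer: CN=Example Root CA, O=Example Org
"""

if __name__ == "__main__":
    # Usage: keytool -v -list -keystore bitbucket.jks | python keystore_alias.py [prefix]
    listing = SAMPLE_KEYTOOL_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    prefix = sys.argv[1] if len(sys.argv) > 1 else "server"
    for e in parse_keytool_listing(listing):
        print(f"{e['alias']:42} {e['type']:18} {e['owner']}")
    print(key_alias_property(listing, prefix))
```

Pass `server.additional-connector.1` as the prefix when the HTTPS connector is an additional connector rather than the main one, which is the layout used in the accepted answer.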
OneTech IT January 15, 2018

Thank you, Caterina.  That variable is the one that I couldn't find documented.  Yes, my alias was custom so I was missing that entry. 

 

Thanks again!

0 votes
ensemblebd March 29, 2020

If you are :

  1. Using a reverse ARR proxy in IIS
  2. Running BitBucket Server locally
  3. Using Jira Cloud remotely

    aka... jira server is unacceptable due to lack of updates by Atlassian, and bitbucket server must run on a private system...

  4. Your bitbucket runs without SSL for speed on localhost 127.0.0.1 
    aka default install on windows..

  5. Your external DNS domain runs on 443 SSL pointing to the ARR iis binding
    (see reverse proxy web.config down below) 

  6. I presume you sorted out your SSL cert for the DNS item, using letsencrypt or whatever.
    aka you can reach your website in your browser...
    It could be php, it could be asp.net, it could be html.
    In this case... it's a reverse proxy to another port --- for bitbucket.
    Point is, it's an IIS binding you can reach on SSL.....

  7. And your application links fail to connect ("Network error" on jira cloud)

Then you have my exact situation, and the proper config is like so:

server.port=8443
server.scheme=https
server.proxy-name=git.MyDomainWebsite.com
server.proxy-port=443

I do not know why.
I have tried EVERYTHING listed above, and bitbucket server refuses to boot up and/or Jira cloud refuses to process the OAUTH token ("Network error").
But the above works for me 100%.
Nothing more. Nothing less. bitbucket.properties
--> You don't NEED a self-signed ssl cert... IIS can proxy that sh*t. And you can avoid all the mayhem above which in my case solved absolutely nothing whatsoever.. 


P.s. extra.... And your web.config ARR should look like:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS redirect" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
        </rule>
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://127.0.0.1:8443/{R:1}" />
          <serverVariables>
            <set name="HTTP_USER_AGENT" value="whatever" />
            <!--<set name="X_ATLASSIAN_TOKEN" value="nocheck" />-->
          </serverVariables>
        </rule>
      </rules>
    </rewrite>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <add name="Content-Security-Policy" value="upgrade-insecure-requests" />
      </customHeaders>
    </httpProtocol>
    <security>
      <requestFiltering allowDoubleEscaping="true" />
    </security>
    <caching enabled="false" enableKernelCache="false" />
  </system.webServer>
  <system.web>
    <httpRuntime executionTimeout="20" maxRequestLength="207151" requestPathInvalidCharacters="" requestValidationMode="2.0" />
    <pages validateRequest="false" />
  </system.web>
</configuration>

  

0 votes
Eric Massey August 26, 2019

For anyone still having an issue with this on a Windows installation of Bitbucket, pay close attention to the forward slashes for the key-store location:

server.ssl.key-store=C:/path/to/jks

Also, check the following issues that I've seen in several areas while looking for my own solution:

- If you set a custom key-store-password, you must also set the key-password to be the same.

- If you set a custom key-alias (mycertname), this must be in the bitbucket.properties.

- Don't use double quotes around the passwords, unless that's part of the password

- The settings are configured per interface (with the default interface being "server"). For example, with the following three lines, "additional-connector.1" does not have "ssl.enabled=true" applied to it:

server.port=443
server.ssl.enabled=true
server.additional-connector.1.port=8443

- The settings you choose simply override the default settings. If you only choose a port, for example, you will still have SSL enabled with the default protocols and the default keystore, assuming everything is configured as expected in that keystore. Keep this in mind while troubleshooting; it will come in handy.

- Check that your certs are in the proper key-store. I inherited my installation of Bitbucket, where the previous admin had imported the Java version to keep it stationary, but the upgrade changed to use the system default version of Java, where I had to import the certificates needed. You can check this with:

%JAVA_HOME%\bin\keytool -list -keystore C:\path\to\keystore.jks

- For trusted certs, you need to import them into the cacerts for the version of Java in use. This can typically be found by going to Control Panel > (View by Large Icons) Java > "Java" tab > "View..."

The cacerts keystore is in the jre > lib > security folder.
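A linter for the mistakes collected in this thread, added here as an example (not Atlassian's code or tooling). It reads bitbucket.properties the way Java's Properties loader does (comments, trailing-backslash continuations, backslash escapes) and then checks each connector separately, so `server.ssl.enabled=true` is not credited to `server.additional-connector.1`, as Eric's list above points out. It flags a missing `ssl.enabled` on an HTTPS connector (unless `proxy-name` is set, which covers ensemblebd's reverse-proxy layout), `key-store-password` without `key-password`, passwords wrapped in double quotes, backslashes in the key-store path (and the silent loss of single backslashes that Eric warns about), a `key-store-type` that disagrees with the file extension, and a `mime-types` value whose continuation backslash was lost so that it became an orphaned key. The two sample files are constructed, modelled on configs posted in this thread; `EXAMPLE-ALIAS` and the paths are placeholders.

```python
"""Lint bitbucket.properties for the TLS connector mistakes collected in this
thread.  Added example for this page, not Atlassian's code or tooling."""
import re
import sys

CONNECTOR_RE = re.compile(r"^(server(?:\.additional-connector\.\d+)?)\.(.+)$")


def _unescape(value):
    # Java .properties semantics: '\\' -> '\', '\t' -> tab, any other '\x' -> 'x'.
    # This is why a single-backslash Windows path silently loses its separators.
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "t": "\t"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_properties(text):
    """Minimal .properties reader: comments, trailing-backslash continuations, escapes."""
    props, logical = {}, []
    for raw in text.splitlines():
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue
        logical.append(line)
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:  # odd trailing backslashes
            logical[-1] = line[:-1]
            continue
        joined, logical = "".join(logical), []
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", joined)
        if m:
            props[m.group(1)] = _unescape(m.group(2))
    return props


def lint(text):
    """Return a list of findings; an empty list means no known pitfall was hit."""
    props, findings, groups = parse_properties(text), [], {}
    for key, value in props.items():
        m = CONNECTOR_RE.match(key)
        if m:  # group settings per connector: 'server' or 'server.additional-connector.N'
            groups.setdefault(m.group(1), {})[m.group(2)] = value
        elif "/" in key or "," in key:  # a value that became a key: lost continuation
            findings.append(f"orphaned line '{key[:32]}...': the line above it needs a trailing backslash")
    for prefix, c in groups.items():
        https = c.get("scheme") == "https" or c.get("secure") == "true"
        if https and c.get("ssl.enabled") != "true" and "proxy-name" not in c:
            findings.append(f"{prefix}: HTTPS connector without {prefix}.ssl.enabled=true "
                            "(or proxy-name/proxy-port if TLS ends at a reverse proxy)")
        if "ssl.key-store-password" in c and not c.get("ssl.key-password"):
            findings.append(f"{prefix}: ssl.key-store-password set but ssl.key-password missing (set both, same value)")
        for pw in ("ssl.key-store-password", "ssl.key-password"):
            v = c.get(pw, "")
            if len(v) >= 2 and v[0] == v[-1] == '"':
                findings.append(f"{prefix}.{pw}: the double quotes become part of the password")
        ks = c.get("ssl.key-store", "")
        if "\\" in ks:
            slashed = ks.replace("\\", "/")
            findings.append(f"{prefix}.ssl.key-store: use forward slashes: {slashed}")
        elif re.match(r"^[A-Za-z]:[^/]", ks):
            findings.append(f"{prefix}.ssl.key-store: single backslashes were dropped, value is now '{ks}'")
        kst, ext = c.get("ssl.key-store-type", "").lower(), ks.rsplit(".", 1)[-1].lower()
        if (kst == "jks" and ext in ("pfx", "p12")) or (kst == "pkcs12" and ext == "jks"):
            findings.append(f"{prefix}.ssl.key-store-type={kst} does not match the .{ext} file")
    return findings


# Constructed samples modelled on the configs posted in this thread (placeholders only).
SAMPLE_BROKEN = r"""
server.port=80
server.compression.mime-types=
text/css,text/html,text/plain,\
  application/json
server.additional-connector.1.port=443
server.additional-connector.1.scheme=https
server.additional-connector.1.ssl.key-store=c:\\certs\\mycertfile.pfx
server.additional-connector.1.ssl.key-store-password="mypassword"
server.additional-connector.1.ssl.key-store-type=jks
"""

SAMPLE_FIXED = r"""
server.port=80
server.compression.mime-types=text/css,text/html,text/plain,\
  application/json
server.additional-connector.1.port=443
server.additional-connector.1.scheme=https
server.additional-connector.1.ssl.enabled=true
server.additional-connector.1.ssl.key-store=c:/certs/key.jks
server.additional-connector.1.ssl.key-store-password=mypass
server.additional-connector.1.ssl.key-password=mypass
server.additional-connector.1.ssl.key-alias=EXAMPLE-ALIAS
server.additional-connector.1.ssl.key-store-type=jks
"""

if __name__ == "__main__":
    # Usage: python lint_bitbucket_properties.py $BITBUCKET_HOME/shared/bitbucket.properties
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BROKEN
    for finding in lint(text) or ["no connector problems found"]:
        print(finding)
```

Run it against the file before restarting the service; it does not replace reading atlassian-bitbucket.log, which still holds the definitive reason a connector failed to start, but it catches the cases in this thread before the restart is attempted.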

0 votes
Arjey Laxamana August 14, 2018

I am also having issue after upgrading from 4.12 to 5.13. Here is my server.xml

 

<Connector port="443"
                protocol="org.apache.coyote.http11.Http11NioProtocol"
                maxHttpHeaderSize="8192"
                SSLEnabled="true"
                maxThreads="150"
                minSpareThreads="25"
                maxSpareThreads="75"
                enableLookups="false"
                disableUploadTimeout="true"
                useBodyEncodingForURI="true"
                acceptCount="100"
                scheme="https"
                secure="true"
                URIEncoding="UTF-8"
                compression="on"
                compressionMinSize="2048"
                compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
                useCipherSuitesOrder="true"
                ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
                        TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
                        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                        TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                        TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                        TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
                        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
                        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                        TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
                        TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
                        TLS_ECDH_RSA_WITH_RC4_128_SHA,
                        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                        TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
                        TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
                        TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
                        TLS_EMPTY_RENEGOTIATION_INFO_SCSVF"
                clientAuth="false"
                sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
                keystoreFile="C:\path_to_jks"
                keystorePass="passwordhere"
                keyAlias="tomcat"/>

 

 

and this is what is in my bitbucket.properties

server.compression.enabled=true
server.compression.mime-types=text/css,text/html,text/javascript,text/json,text/plain,text/xml,text/x-javascript,\application/javascript,application/json,application/x-javascript,application/vnd.git-lfs+json
server.context-path=/
server.displayName=Atlassian Bitbucket
server.port=443
server.secure=true
server.scheme=https
server.ssl.enabled=true
server.ssl.client-auth=want
server.ssl.protocol=TLSv1, TLSv1.1, TLSv1.2
server.ssl.key-store=C:\path_to_jks
server.ssl.key-store-password=passwordhere
server.ssl.key-password=passwordhere
server.ssl.key-alias=tomcat
server.additional-connector.1.ssl.key-store-type=jks

 

but still having the error above. Please help. Thanks.

0 votes
Jay Hayman July 24, 2018

I was having the same problem on Windows, turns out I needed to supply an alias name. I've copied my properties below for anyone else struggling to set up SSL on v5 of BitBucket on Windows.

If you've forgotten your alias, like I did, you can find it by opening a CMD prompt and using the following, altering the path to point to your ".jks" file.

"%JAVA_HOME%\bin\keytool" -list -v -keystore C:\Atlassian\ApplicationData\Bitbucket\shared\config\ssl-keystore\bitbucket.jks

server.port=8443
server.secure=true
server.scheme=https
server.ssl.enabled=true
server.ssl.client-auth=want
server.ssl.protocol=TLSv1.2
server.ssl.key-alias=<your alias here>
server.ssl.key-store=C:/Atlassian/ApplicationData/Bitbucket/shared/config/ssl-keystore/bitbucket.jks
server.ssl.key-store-password=<your password here>
server.ssl.key-password=<your password here>
Tshepza June 6, 2019

Hi Jay, 

 

Are the paths below correct for the properties file and certificate respectively?

C:\Atlassian\ApplicationData\Bitbucket\shared\bitbucket.properties

C:\Atlassian\ApplicationData\Bitbucket\shared\config\ssl-keystore\ssl-keystore.jks

 

thanks,

Tshepiso

Jay Hayman June 6, 2019

Hi Tshepiso, yup those match the files I've changed on our installation.

J.

Tshepza June 10, 2019

Thanks Jay,

 

I finally got the bitbucket to work on Https port 8443. 

But I am getting the warning message below. Do you know how I can fix this?

Your PC doesn’t trust this website’s security certificate.
The hostname in the website’s security certificate differs from the website you are trying to visit.

0 votes
shaecker December 4, 2017

Here's how I did it.

server.require-ssl=true
server.additional-connector.1.port=8443
server.additional-connector.1.redirect-port=443
server.additional-connector.1.address=x.x.x.x
server.additional-connector.1.require-ssl=true
server.additional-connector.1.secure=true
server.additional-connector.1.scheme=https
server.additional-connector.1.ssl.protocol=TLSv1.2
server.additional-connector.1.ssl.enabled=true
server.additional-connector.1.ssl.key-store=/data/var/atlassian/application-data/bitbucket/shared/bitbucket.jks
server.additional-connector.1.ssl.key-store-password=XXX
server.additional-connector.1.ssl.key-password=XXX
server.additional-connector.1.ssl.key-alias=bitbucket.XXX 
server.additional-connector.1.ssl.client-auth=want
server.additional-connector.1.ssl.key-store-type=jks

 

Alias needs to match the name in the keystore

Julie Roggenbuck May 14, 2018

I am also having issues, please help


server.additional-connector.1.port=7991
server.additional-connector.1.address=10.123.5.187
server.additional-connector.1.secure=true
server.additional-connector.1.scheme=https
#server.additional-connector.1.proxy-port=443
server.additional-connector.1.ssl.enabled=true
#server.additional-connector.1.ssl.client-auth=want
server.additional-connector.1.ssl.protocol=TLSv1.2
server.additional-connector.1.ssl.key-store=C:\\Atlassian\\Stash\\3.10.0\\stash02.jks
server.additional-connector.1.ssl.key-store-password=password
server.additional-connector.1.ssl.key-password=

These are the errors I am getting right now. Any help would be wonderful, thanks.

2018-05-14 15:51:35,099 ERROR [main]  o.a.coyote.http11.Http11NioProtocol Failed to start end point associated with ProtocolHandler ["https-jsse-nio-10.196.28.114-7991"]
java.lang.IllegalArgumentException: java.io.IOException: Alias name [tomcat] does not identify a key entry

Caterina Curti
Atlassian Team
May 14, 2018

Hi @Julie Roggenbuck,

Can you try the suggestion from this comment in this thread?

 

We also have an article here that covers how to implement this configuration:

Unable to start Tomcat due to java.io.IOException Alias name not identifying a key entry

 

Cheers,

Caterina - Atlassian

0 votes
Marcin Dobija July 3, 2017

Thanks for the tip on the keystore alias - looks like it is mandatory even if keystore has only one cert :/

I used portecle to examine the keystore and get the alias string - then it finally started working as expected.

rooksoftware August 24, 2017

I have a wildcard cert that was working in Bitbucket Server 4.6.1.  How do you add an alias in Portecle?  Do I essentially have to request a new certificate, or is there an easier way?

Marcin Dobija August 24, 2017

You do not create an alias. You use portecle to obtain the alias ID for the cert loaded to a keystore. Then use it in BitBucket config to identify which cert needs to load from the keystore - even if there is only one.

Do you have that cert loaded to the keystore?

rooksoftware August 24, 2017

Nevermind - I see the commented line in the example above and added the wildcard address as the alias and it started working!
