Cannot get SSL configured on Bitbucket Server 5.0 Edited

Hello,

I upgraded to Bitbucket Server 5 from 4.latest and cannot get the SSL part configured in the new bitbucket.properties file which migrated from server.xml. I'm getting a SSL protocol error when trying to go to my site in Chrome, etc. Here are my configs, first the server. xml file and the new bitbucket.properties file.  I'm using Windows Server 2012 R2.

        <Connector port="80" address="209.9.229.54" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   useBodyEncodingForURI="true"
                   redirectPort="443"
                   compression="on"
                   compressableMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,application/x-javascript" />
        
        <Connector port="443" address="209.9.229.54" protocol="org.apache.coyote.http11.Http11NioProtocol"
                   maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12" keystorePass="mypassword" keystoreFile="c:\certs\mycertfile.pfx" />
# Whether SSO support should be enabled or not. Regardless of this setting SSO authentication 
# will only be activated when a Crowd directory is configured in Stash that is configured 
# for SSO.
plugin.auth-crowd.sso.enabled=true

server.port=80
server.address=209.9.229.54
server.redirect-port=443
server.compression.enabled=true
server.compression.mime-types=
text/css,text/html,text/javascript,text/json,text/plain,text/xml,text/x-javascript,\
  application/javascript,application/json,application/x-javascript,application/vnd.git-lfs+json

server.additional-connector.1.port=443
server.additional-connector.1.address=209.9.229.54
server.additional-connector.1.secure=true
server.additional-connector.1.scheme=https
server.additional-connector.1.ssl.client-auth=want
server.additional-connector.1.ssl.protocol=TLSv1.2
server.additional-connector.1.ssl.key-store=c:\\certs\\mycertfile.pfx
server.additional-connector.1.ssl.key-store-password=mypassword
server.additional-connector.1.ssl.key-password=mypassword
server.additional-connector.1.ssl.key-store-type=pkcs12

Can someone please tell me how to setup the bitbucket.properties file for my former connectors?

Thank you

6 answers

1 accepted

I just resolved this issue, short story, I needed to have both ssl.key-store-password and ssl.key-password (in addition to ssl.enabled=true). While probably not necessary I also re-exported my wildcart cert from IIS to a pfx, left it as a pfx and updated my config to use pkcs12 as the type.  I used the keytool command to get the aliax from the pfx which is a guid. Here is my complete new config that now works.  Many thanks to Atlassian support for the help and Jeff above.

server.port=80
server.address=209.9.229.54
server.redirect-port=443
server.compression.enabled=true
server.compression.mime-types=
text/css,text/html,text/javascript,text/json,text/plain,text/xml,text/x-javascript,\
application/javascript,application/json,application/x-javascript,application/vnd.git-lfs+json

server.additional-connector.1.port=443
server.additional-connector.1.address=209.9.229.54
server.additional-connector.1.secure=true
server.additional-connector.1.scheme=https
server.additional-connector.1.ssl.protocol=TLSv1.2
server.additional-connector.1.ssl.enabled=true
server.additional-connector.1.ssl.key-store=c:/certs/key.jks
server.additional-connector.1.ssl.key-store-password=mypass
server.additional-connector.1.ssl.key-password=mypass
#server.additional-connector.1.ssl.key-alias=tomcat
server.additional-connector.1.proxy-port=443
server.additional-connector.1.ssl.client-auth=want
server.additional-connector.1.ssl.key-store-type=jks

It's a shame we don't have comments inline with the documentation like in the past as that's always been a huge help. There is a lot lacking in the documentation, I had to take a stab at server.address as you can see I set a port and IP address as do all my atlassian products on one server.

Full day lost on this one! :( But I'm glad it's fixed.

EDIT: I changed the config above, using the pfx / pkcs12 did not work, maybe for lack of using an alias in my config, I don't know. While it worked to connect from the web site Bamboo could not get a valid SSL connection to clone git repos. I changed to the JKS cert and added the alias and now it works for me for all endpoints.

I too have a wildcard cert that was working in Bitbucket Server 4.6.1.  How do you add an alias in Portecle?  Do I essentially have to request a new certificate, or is there an easier way?

Nevermind - I see the commented line above and added the wildcard address as the alias and it started working!

Hi Neal,

What is the SSL error that you're seeing?

It looks like the ssl.enabled property is missing. Can you try adding the following and see if it resolves the error?

server.additional-connector.1.ssl.enabled=true

If you were following a guide for this, can you let me know which one? I want to make sure that property is included in the documentation. 

Update: Looks like you may be following Migrate server.xml customizations to bitbucket.properties which is missing this property. I'll get it updated.

Jeff Thomas Atlassian Team May 05, 2017

We should see an error in the atlassian-bitbucket.log file which indicates why it failed to start. Can you find that log in $BITBUCKET_HOME/log and see what the error is?


***************************
APPLICATION FAILED TO START
***************************

Description:

The Tomcat connector configured to listen on port 443 failed to start. The port may already be in use or the connector may be misconfigured.

Action:

Verify the connector's configuration, identify and stop any process that's listening on port 443, or configure this application to listen on another port.

2017-05-05 14:40:16,166 INFO [main] c.a.b.i.boot.log.BuildInfoLogger Bitbucket 5.0.0 has shut down

Did you ever get this fixed?  Having the same issue but on Linux. 

I'm also having the exact same same issue.   It's obviously a bitbucket.properties configuration issue but I can't at all find what's wrong.  

My keystore is in pkcs12 format and my bitbucket.properties entries are:

server.port=8888
server.ssl.enabled=true
server.ssl.key-store=/etc/pki/tls/keystore/bitbucket.jks
server.ssl.key-store-password=<keystorepassword>
server.ssl.protocol=TLSv1.2
server.ssl.key-store-type=pkcs12

And I get the exact same error as above, when I attempt to stop and restart BB 5.5.0.

Is it possible that your key alias is a custom one?

 

If that's the case, you would need to explicitly define it in the bitbucket.properties file.

 

Here is how you can check it:

- Find the correct alias: run this command against your keystore to list the keys and look at the value of the "Alias name" field

keytool -v -list -keystore <keystore> | grep Alias

Add the key alias to your config: In $BITBUCKET_HOME/shared/bitbucket.propertie, add the key alias from step 1 to your main connector configuration

server.ssl.key-alias=yourkeyalias

Thank you, Caterina.  That variable is the one that I couldn't find documented.  Yes, my alias was custom so I was missing that entry. 

 

Thanks again!

Thanks for the tip on the keystore alias - looks like it is mandatory even if keystore has only one cert :/

I used portecle to examine the keystore and get the alias string - then it finally started working as expected.

I have a wildcard cert that was working in Bitbucket Server 4.6.1.  How do you add an alias in Portecle?  Do I essentially have to request a new certificate, or is there an easier way?

You do not create an alias. You use portecle to obtain the alias ID for the cert loaded to a keystore. Then use it in BitBucket config to identify which cert needs to load from the keystore - even if there is only one.

Do you have that cert loaded to the keystore?

Nevermind - I see the commented line in the example above and added the wildcard address as the alias and it started working!

Here's how I did it.

server.require-ssl=true
server.additional-connector.1.port=8443
server.additional-connector.1.redirect-port=443
server.additional-connector.1.address=x.x.x.x
server.additional-connector.1.require-ssl=true
server.additional-connector.1.secure=true
server.additional-connector.1.scheme=https
server.additional-connector.1.ssl.protocol=TLSv1.2
server.additional-connector.1.ssl.enabled=true
server.additional-connector.1.ssl.key-store=/data/var/atlassian/application-data/bitbucket/shared/bitbucket.jks
server.additional-connector.1.ssl.key-store-password=XXX
server.additional-connector.1.ssl.key-password=XXX
server.additional-connector.1.ssl.key-alias=bitbucket.XXX 
server.additional-connector.1.ssl.client-auth=want
server.additional-connector.1.ssl.key-store-type=jks

 

Alias needs to match the name in the keystore

I am also having issues, please help


server.additional-connector.1.port=7991
server.additional-connector.1.address=10.123.5.187
server.additional-connector.1.secure=true
server.additional-connector.1.scheme=https
#server.additional-connector.1.proxy-port=443
server.additional-connector.1.ssl.enabled=true
#server.additional-connector.1.ssl.client-auth=want
server.additional-connector.1.ssl.protocol=TLSv1.2
server.additional-connector.1.ssl.key-store=C:\\Atlassian\\Stash\\3.10.0\\stash02.jks
server.additional-connector.1.ssl.key-store-password=password
server.additional-connector.1.ssl.key-password=

These are the errors I am getting right now? Any help would be wonderful thanks

2018-05-14 15:51:35,099 ERROR [main]  o.a.coyote.http11.Http11NioProtocol Failed to start end point associated with ProtocolHandler ["https-jsse-nio-10.196.28.114-7991"]
java.lang.IllegalArgumentException: java.io.IOException: Alias name [tomcat] does not identify a key entry

Hi @Julie Roggenbuck,

Can you try the suggestion from  this comment in this thread?

 

We also have an article here that covers how to implement this configuration:

Unable to start Tomcat due to java.io.IOException Alias name not identifying a key entry

 

Cheers,

Caterina - Atlassian

I was having the same problem on Windows, turns out I needed to supply an alias name. I've copied my properties below for anyone else struggling to set up SSL on v5 of BitBucket on Windows.

If you've forgotten your alias, like I did, you can find it by opening a CMD prompt and using the following, altering the path to your point to your ".jks" file.

"%JAVA_HOME%\bin\keytool" -list -v -keystore C:\Atlassian\ApplicationData\Bitbucket\shared\config\ssl-keystore\bitbucket.jks 
server.port=8443
server.secure=true
server.scheme=https
server.ssl.enabled=true
server.ssl.client-auth=want
server.ssl.protocol=TLSv1.2
server.ssl.key-alias=<your alias here>
server.ssl.key-store=C:/Atlassian/ApplicationData/Bitbucket/shared/config/ssl-keystore/bitbucket.jks
server.ssl.key-store-password=<your password here>
server.ssl.key-password=<your password here>
0 votes

I am also having issue after upgrading from 4.12 to 5.13. Here is my server.xml

 

<Connector port="443"
                protocol="org.apache.coyote.http11.Http11NioProtocol"
                maxHttpHeaderSize="8192"
                SSLEnabled="true"
                maxThreads="150"
                minSpareThreads="25"
                maxSpareThreads="75"
                enableLookups="false"
                disableUploadTimeout="true"
                useBodyEncodingForURI="true"
                acceptCount="100"
                scheme="https"
                secure="true"
                URIEncoding="UTF-8"
                compression="on"
                compressionMinSize="2048"
                compressableMimeType="text/html,text/xml,text/csv,text/css,text/javascript"
                useCipherSuitesOrder="true"
                ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
                        TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
                        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                        TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                        TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                        TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
                        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
                        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                        TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
                        TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
                        TLS_ECDH_RSA_WITH_RC4_128_SHA,
                        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
                        TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
                        TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
                        TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
                        TLS_EMPTY_RENEGOTIATION_INFO_SCSVF"
                clientAuth="false"
                sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
                keystoreFile="C:\path_to_jks"
                keystorePass="passwordhere"
                keyAlias="tomcat"/>

 

 

and this is what on my bitbucket.properties

server.compression.enabled=true
server.compression.mime-types=text/css,text/html,text/javascript,text/json,text/plain,text/xml,text/x-javascript,\application/javascript,application/json,application/x-javascript,application/vnd.git-lfs+json
server.context-path=/
server.displayName=Atlassian Bitbucket
server.port=443
server.secure=true
server.scheme=https
server.ssl.enabled=true
server.ssl.client-auth=want
server.ssl.protocol=TLSv1, TLSv1.1, TLSv1.2
server.ssl.key-store=C:\path_to_jks
server.ssl.key-store-password=passwordhere
server.ssl.key-password=passwordhere
server.ssl.key-alias=tomcat
server.additional-connector.1.ssl.key-store-type=jks

 

but still having the error above. please help. thanks.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Tuesday in Bitbucket

Upgrade Best Practices

Hello! My name is Mark Askew and I am a Premier Support Engineer for products Bitbucket Server/Data Center, Fisheye & Crucible. Today, I want to bring the discussion that Jennifer, Matt, and ...

185 views 3 6
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you