How can I enable SSL on Bitbucket?

I'm trying to set up Bitbucket Server, and can't get the SSL to work.

I created a new keystore and a self-signed certificate. Then I signed the certificate with our CA. Then I imported three certs to the keystore in the right order: first the RCA, then the ICA and then the signed certificate.

bitbucket.properties looks like this:

jdbc.driver=org.postgresql.Driver
jdbc.url=jdbc:postgresql://localhost:5432/bitbucket
jdbc.user=bitbucketuser
jdbc.password=xxxxxxx

server.port=8444
server.ssl.enabled=true
server.ssl.key-store=/var/atlassian/application-data/bitbucket/shared/config/ssl-keystore
server.ssl.key-store-password=Password
server.ssl.key-password=Password
server.ssl.key-alias=tomcat

Error log looks like this:

2017-10-11 13:20:03,802 INFO [main] c.a.b.i.b.BitbucketServerApplication Starting BitbucketServerApplication on rhonas with PID 1311 (/opt/atlassian/bitbucket/5.4.0/app/WEB-INF/classes started by atlbitbucket in /)
2017-10-11 13:20:03,809 INFO [main] c.a.b.i.b.BitbucketServerApplication No active profile set, falling back to default profiles: default
2017-10-11 13:20:06,812 INFO [main] c.a.b.i.boot.log.BuildInfoLogger Starting Bitbucket 5.4.0 (9d5666b built on Tue Sep 19 07:26:24 EEST 2017)
2017-10-11 13:20:06,812 INFO [main] c.a.b.i.boot.log.BuildInfoLogger JVM: Oracle Corporation Java HotSpot(TM) 64-Bit Server VM 1.8.0_102-b14
2017-10-11 13:20:10,262 ERROR [main] o.a.coyote.http11.Http11NioProtocol Failed to start end point associated with ProtocolHandler ["https-jsse-nio-8444"]
java.lang.IllegalArgumentException: java.io.IOException: Alias name [tomcat] does not identify a key entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.addPreviouslyRemovedConnectors(TomcatEmbeddedServletContainer.java:250)
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.start(TomcatEmbeddedServletContainer.java:193)
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.startEmbeddedServletContainer(EmbeddedWebApplicationContext.java:297)
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.finishRefresh(EmbeddedWebApplicationContext.java:145)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:546)
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122)
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:693)
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:360)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:303)
at com.atlassian.bitbucket.internal.boot.BitbucketServerApplication.start(BitbucketServerApplication.java:247)
at com.atlassian.bitbucket.internal.boot.BitbucketServerApplication.main(BitbucketServerApplication.java:83)
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:87)
at com.atlassian.bitbucket.internal.launcher.BitbucketServerLauncher.start(BitbucketServerLauncher.java:151)
at com.atlassian.bitbucket.internal.launcher.BitbucketServerLauncher.main(BitbucketServerLauncher.java:99)
... 11 frames trimmed
Caused by: java.io.IOException: Alias name [tomcat] does not identify a key entry
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:217)
... 16 common frames omitted
2017-10-11 13:20:10,287 ERROR [main] o.a.catalina.core.StandardService Failed to start connector [Connector[HTTP/1.1-8444]]
org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-8444]]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167)
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.addPreviouslyRemovedConnectors(TomcatEmbeddedServletContainer.java:250)
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.start(TomcatEmbeddedServletContainer.java:193)
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.startEmbeddedServletContainer(EmbeddedWebApplicationContext.java:297)
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.finishRefresh(EmbeddedWebApplicationContext.java:145)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:546)
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122)
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:693)
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:360)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:303)
at com.atlassian.bitbucket.internal.boot.BitbucketServerApplication.start(BitbucketServerApplication.java:247)
at com.atlassian.bitbucket.internal.boot.BitbucketServerApplication.main(BitbucketServerApplication.java:83)
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:87)
at com.atlassian.bitbucket.internal.launcher.BitbucketServerLauncher.start(BitbucketServerLauncher.java:151)
at com.atlassian.bitbucket.internal.launcher.BitbucketServerLauncher.main(BitbucketServerLauncher.java:99)
... 5 frames trimmed
Caused by: org.apache.catalina.LifecycleException: service.getName(): "Tomcat"; Protocol handler start failed
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1029)
... 16 common frames omitted
Caused by: java.lang.IllegalArgumentException: java.io.IOException: Alias name [tomcat] does not identify a key entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
... 16 common frames omitted
Caused by: java.io.IOException: Alias name [tomcat] does not identify a key entry
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:217)
... 16 common frames omitted
2017-10-11 13:20:16,427 WARN [spring-startup] c.a.stash.internal.home.HomeLock Failed to write process information into the lock file
java.nio.channels.ClosedByInterruptException: null
at java.nio.channels.spi.AbstractInterruptibleChannel.end(AbstractInterruptibleChannel.java:202)
at sun.nio.ch.FileChannelImpl.write(FileChannelImpl.java:216)
at com.atlassian.stash.internal.home.HomeLock.acquireLock(HomeLock.java:123)
at com.atlassian.stash.internal.home.HomeLock.lock(HomeLock.java:94)
at com.atlassian.stash.internal.home.HomeLockAcquirer.lock(HomeLockAcquirer.java:58)
at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:149)
at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:687)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:525)
at javax.servlet.GenericServlet.init(GenericServlet.java:158)
at java.lang.Thread.run(Thread.java:745)
... 27 frames trimmed
2017-10-11 13:20:16,428 INFO [spring-startup] c.a.s.internal.home.HomeLockAcquirer Successfully acquired lock on home directory /var/atlassian/application-data/bitbucket
2017-10-11 13:20:19,466 ERROR [spring-startup] com.zaxxer.hikari.pool.HikariPool bitbucket - Exception during pool initialization.
org.postgresql.util.PSQLException: Something unusual has occurred to cause the driver to fail. Please report this exception.

And here is some relevant info from the keystore:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: tomcat
Creation date: Oct 9, 2017
Entry type: trustedCertEntry

Owner: CN=Gert Kosenkranius, OU=IT, O=North Estonian Medical Centre, L=Tallinn, ST=Harjumaa, C=EE
Issuer: CN=PERH ICA, DC=regionaalhaigla, DC=ee

*******************************************
*******************************************

Alias name: rca
Creation date: Oct 9, 2017
Entry type: trustedCertEntry

Owner: CN=PERH RCA
Issuer: CN=PERH RCA

*******************************************
*******************************************

Alias name: ica
Creation date: Oct 9, 2017
Entry type: trustedCertEntry

Owner: CN=PERH ICA, DC=regionaalhaigla, DC=ee
Issuer: CN=PERH RCA

 

2 answers

Set up a proxy in front of Bitbucket. Nginx or Apache is my preference. You'll end up with a much better and easier configuration.

https://confluence.atlassian.com/bitbucketserver/proxying-and-securing-bitbucket-server-776640099.html

I had the same issue and I resolved it by doing the below

I had to change my pg_hba.conf to connect via localhost as I had issues connecting using the server IP address. I changed that file to allow the loopback interface to connect to the Bitbucket DB. I also adjusted the postgresql.conf to listen on the loopback address.

I then edited the bitbucket.properties file and added the below based on my config. This at least resolved my PostgreSQL connection issues, as I am not sure why, before the upgrade, 4.14 of Bitbucket had no issue connecting to the actual IP address on port 5432.

jdbc.driver=org.postgresql.Driver
jdbc.url=jdbc:postgresql://127.0.0.1:5432/stash
jdbc.user=stash
jdbc.password=718181818jdjdjdjlslspwoiejdjhd

I then added the below configuration for the SSL configuration in the bitbucket.properties

server.additional-connector.1.port=8443
server.additional-connector.1.address=192.168.1.234
server.additional-connector.1.secure=true
server.additional-connector.1.scheme=https
server.additional-connector.1.ssl.protocol=TLSv1.2
server.additional-connector.1.ssl.enabled=true
server.additional-connector.1.ssl.key-store=/opt/keystore/keystore
server.additional-connector.1.ssl.key-store-password=changeit
server.additional-connector.1.ssl.key-password=changeit
server.additional-connector.1.ssl.key-alias=tomcat
server.additional-connector.1.ssl.client-auth=want
server.additional-connector.1.ssl.key-store-type=jks

If you do not know your key alias, then run the below test. You may need to adjust the path depending on your installed version of Bitbucket.

/opt/atlassian/bitbucket/5.5.1/jre/bin/keytool -list -v -keystore /opt/keystore/keystore

Enter your keystore password and you will then be able to see the alias configured.

I hope this helps other people as this was a mission and a waste of my time to finally get this working, and I agree with a lot of comments in the community: Atlassian documentation is shocking and whoever manages this aspect of the business should really start to take notice and resolve the documentation and KB issues.

Just to add to the above and some more testing I did,

I changed my postgresql database connection back to my IP address of the server and not the loopback and this worked fine.

I then decided to remove a single option in the bitbucket.properties file to see if this was the main issue I was having

server.additional-connector.1.ssl.key-alias=tomcat

The above option seems to be a mandatory requirement, and if you do not have this defined in an SSL setup on Bitbucket you get multiple errors in the log files and Bitbucket refuses to start.

Hope that helps other people who may not have this option defined. Also, just so you understand, my configuration uses a wildcard SSL certificate.

I have also created a shell script to automate the adding of SSL certificates and also creating the default keystore needed for an SSL setup, and have tested this with all Atlassian products and it works 100%.

Let me know if you want a copy and I will upload it.
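An added check (example code, not from the question, the answers or Atlassian) covering both the asker's keystore listing, where the `tomcat` alias is a trustedCertEntry rather than a PrivateKeyEntry (which is exactly the condition behind Tomcat's "does not identify a key entry" error), and the second answer's point that `key-alias` must be set. It parses a constructed `keytool -list -v` listing and a constructed bitbucket.properties fragment, so it runs offline; the sample data is made up to mirror the question.

```python
def parse_keystore_listing(text):
    """Map alias -> entry type from `keytool -list -v` output."""
    entries, alias = {}, None
    for line in text.splitlines():
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("Entry type:") and alias is not None:
            entries[alias] = line.split(":", 1)[1].strip()
            alias = None
    return entries

def parse_properties(text):
    """Minimal key=value parser for bitbucket.properties (no continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_ssl_aliases(props, entries):
    """Return (prefix, alias, problem) for each enabled SSL connector whose
    key-alias is missing or does not name a PrivateKeyEntry."""
    problems = []
    for key, value in props.items():
        if not (key.endswith("ssl.enabled") and value.lower() == "true"):
            continue
        # prefix is "server.ssl." or "server.additional-connector.N.ssl."
        prefix = key[:-len("enabled")]
        alias = props.get(prefix + "key-alias")
        if alias is None:
            problems.append((prefix, None, "key-alias not set"))
        elif alias not in entries:
            problems.append((prefix, alias, "alias not found in keystore"))
        elif entries[alias] != "PrivateKeyEntry":
            problems.append((prefix, alias, "entry type is " + entries[alias] + ", not PrivateKeyEntry"))
    return problems

# Constructed sample mirroring the asker's listing: the alias holds only a
# trusted certificate, so Tomcat cannot find a private key behind it.
SAMPLE_LISTING = "Alias name: tomcat\nEntry type: trustedCertEntry\nAlias name: rca\nEntry type: trustedCertEntry\n"
SAMPLE_PROPS = "server.ssl.enabled=true\nserver.ssl.key-alias=tomcat\n"

if __name__ == "__main__":
    for prefix, alias, problem in check_ssl_aliases(parse_properties(SAMPLE_PROPS), parse_keystore_listing(SAMPLE_LISTING)):
        print("%skey-alias=%s: %s" % (prefix, alias, problem))
```

A PrivateKeyEntry normally exists because the key pair was generated in that keystore with `keytool -genkeypair`; the CA-signed certificate is then imported under that same alias so it replaces the self-signed one while the key stays attached.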
