How to configure SSL certificate for LDAPS with Microsoft Active Directory (User Directory)

Currently, we use Microsoft Active Directory - Delegated LDAP Authentication as a user directory with BitBucket.

The operations department wants me to switch from LDAP to LDAPS on port 636, enabling SSL.

We run BitBucket server on Windows server.

The description I found is here: https://confluence.atlassian.com/bitbucketserver067/connecting-bitbucket-server-to-an-existing-ldap-directory-979426969.html

It is not complete when it comes to the "Use SSL" option. Use SSL says: "... Note that you will need to configure an SSL certificate in order to use this setting."

It would be better with a step-by-step guideline on how to do it.

I guess I need to import some certificate into a certificate store available to BitBucket. But I cannot find the details on this, even though I have tried different searches on Google.

Regards

Owe Kristiansen

2 answers

2 accepted

1 vote
Answer accepted

Hi Owe,

I believe first you must ask for the public part of your LDAP certificate. Then, you have to add it to the trust store used by the JVM which is in charge of running Bitbucket (you can find the complete route if you navigate to Administration >> Atlassian Support Tools >> System Information >> java.home).


Supposing your configuration is the following:

java.home = /opt/atlassian/bitbucket/jre
Certificate = YOURCOMPANY.COM.crt
LDAP FQDN: ldap.yourcompany.com

You must run the following command:

sudo /opt/atlassian/bitbucket/jre/bin/keytool -import -trustcacerts \
    -keystore /opt/atlassian/bitbucket/jre/lib/security/cacerts \
    -storepass changeit -noprompt -alias ldap.yourcompany.com \
    -file ~/Downloads/YOURCOMPANY.COM.crt


And then restart the Bitbucket Application...

You may find the following exception within the Bitbucket logs while trying to connect to your Secure LDAP, if the configuration is NOT correct:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target


Kind regards

@Jack Nolddor -Sweet Bananas- Thank you for the quick reply. I guess your answer will do the trick. I have requested internally the necessary certificate and the LDAP FQDN.

Let's wait until you add it to the related cacerts file and restart the application to see if it solves your problem


Regards

Hi again, and thank you for using your time on me.

Today I got response from operations department that our main internal domain (company.com) responds to LDAPS.

When I tried to use the company.com address in bitbucket with ssl it complained that there was no subject alternative name for company.com:

Connection test failed. Response from the server:
simple bind failed: **********.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching **********.com found.]

I guess this means that the certificate presented lacks company.com alternate dns name.

In addition, the SSL certificate I get back is from a different server each time. There is a range of various servers responding with their own server DNS names, like server1.company.com, server2.company.com and so on. This does not match the LDAPS address company.com.

The certificates returned I am able to verify with openssl command. They have a certificate chain with two intermediate certificates and then same root CA certificate. Does this mean I need to add all three certificates with your example command?

In addition I have discovered that Bitbucket has its own certificate store, and it is different than the cacerts store on the java bin folder.

The operations department tells me that I should add trust on the root certificate and the two intermediate certificates. I would expect that the server certificates should have an alternate DNS name like company.com. (Which probably should be ldap.company.com instead.)

A lot of details here, and more complicated than expected, as our setup is more complex than I expected. If you still know what advice will bring me on track, I will be very grateful.

Hi again Owe, I believe that if you add the Root CA to Bitbucket's certificate store, all certificates signed by this CA will be trusted. So it is worth trying to add the Root CA using the command I provided above, then restart and see the results.


Regards

Hi, after reconfiguring and restarting the service we still get this error:

Connection test failed. Response from the server:
simple bind failed: ********.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: **********:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ********.com found.]

I'm trying to implement this too and I'm confused by this "In addition I have discovered that Bitbucket has its own certificate store, and it is different than the cacerts store on the java bin folder"


In which certificate store do I need to add the certificate? I know where the Java store is, but I don't know where the Bitbucket store is located.


It would be nice to have step-by-step documentation about this.

PS: we are running bitbucket on windows server, so I'm not familiar with some linux commands.

Our bitbucket config file ( [DRIVE]:\STASH_DATA\shared\bitbucket.properties) contains this line: 

server.additional-connector.1.ssl.key-store=C:/Atlassian/Bitbucket/Bitbucket.jks

That is related to the BitBucket SSL setup, and it confuses me whether this overrides the config on java.home = /opt/atlassian/bitbucket/jre

@Jack Nolddor _Sweet Bananas_ I guess your answer was correct, but it did not work out for me. I therefore wrote what I did to solve my problem. I see that the page I asked about still has too little information about this. Thanks for helping out. Regards Owe

0 votes
Answer accepted

At last we disabled the certificate checks on the user running the BitBucket service by logging into the bitbucket user account on the server and setting the following environment user variable:

JVM_SUPPORT_RECOMMENDED_ARGS="-Dcom.sun.jndi.ldap.object.disableEndpointIdentification -Djdk.tls.trustNameService=true"

Not an ideal solution, but this is internal communication, and at least we get LDAPS with HTTPS up and running for now. 

Jack's answer worked for us. You have to specifically add the certificate (that is used for LDAP) into the 'cacerts' keystore which is part of your java installation that is used for your Bitbucket instance for example: C:\Java\jre\lib\security\cacerts <-- keystore file.

Also make sure to set the -alias to the name of the CA; maybe that will help your DNS issue.

The command that Jack provided works perfectly if you alter it to suit your setup. We had spent some time looking at the Bitbucket ssl-keystore thinking it needed to go in there, but that is only used for the HTTPS web interface, it seems.

Ok @Rick Spano

Since we had a load balanced setup with several LDAPS servers behind the DNS alias, we decided to not add all the server certificates, but trust the name service instead.
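The two things this thread circles around, importing the LDAPS root CA into the JVM truststore that runs Bitbucket (Jack's answer) and the "No subject alternative DNS name matching ... found" failure behind a load-balanced alias (Owe's follow-ups and the second answer), as one added example that is not code from the original thread or from Atlassian. It assumes java.home is /opt/atlassian/bitbucket/jre, the truststore is its lib/security/cacerts with the JDK default password changeit, the LDAPS endpoint is ldap.yourcompany.com on 636, and openssl 1.1.1 or newer is available; the script name ldaps-trust.sh, the file names it writes and the keytool alias it chooses are hypothetical. On Windows the same keytool and openssl invocations work from PowerShell with a Windows java.home such as C:\Atlassian\Bitbucket\jre.

```shell
#!/bin/sh
# Added example (not from the original thread): inspect what an LDAPS endpoint
# presents, check its leaf certificate names the host Bitbucket connects to, and
# import the root CA into the JVM truststore Bitbucket runs on.
# Assumptions (adjust to your own values):
#   JAVA_HOME  = /opt/atlassian/bitbucket/jre   (Administration >> Atlassian
#                Support Tools >> System Information >> java.home)
#   TRUSTSTORE = $JAVA_HOME/lib/security/cacerts, password "changeit" (JDK default)
#   openssl 1.1.1+ (for `x509 -ext`) and the JDK's keytool on PATH/JAVA_HOME
set -u

JAVA_HOME="${JAVA_HOME:-/opt/atlassian/bitbucket/jre}"
TRUSTSTORE="${TRUSTSTORE:-$JAVA_HOME/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"

# split_pem_bundle FILE PREFIX
# Splits `openssl s_client -showcerts` output in FILE into PREFIX-1.pem,
# PREFIX-2.pem, ... (leaf first, in the order the server sent them) and
# prints the number of certificates found.
split_pem_bundle() {
    awk -v p="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = p "-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# san_matches SAN_TEXT HOST
# SAN_TEXT is openssl's subjectAltName line, e.g.
#   "DNS:server1.company.com, DNS:ldap.company.com"
# Returns 0 if HOST is covered by an exact DNS entry or a single-label
# wildcard (*.company.com covers server1.company.com but not company.com),
# which is the check the JDK performs when endpoint identification is on.
san_matches() {
    printf '%s\n' "$1" | awk -v host="$2" '
        BEGIN { RS = ","; matched = 0; host = tolower(host) }
        {
            gsub(/^[ \t\r\n]+|[ \t\r\n]+$/, "")
            if (substr($0, 1, 4) != "DNS:") next
            name = tolower(substr($0, 5))
            if (name == host) matched = 1
            else if (substr(name, 1, 2) == "*.") {
                h = host; sub(/^[^.]+/, "", h)        # drop the first label
                if (h != "" && h == substr(name, 2)) matched = 1
            }
        }
        END { exit matched ? 0 : 1 }
    '
}

# is_self_signed CERT.pem -> 0 when subject equals issuer (a root CA)
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//')
    [ "$s" = "$i" ]
}

# import_ca CERT.pem ALIAS -> adds CERT to the JVM truststore and lists it back
import_ca() {
    "$JAVA_HOME/bin/keytool" -importcert -trustcacerts -noprompt \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
        -alias "$2" -file "$1"
    "$JAVA_HOME/bin/keytool" -list -keystore "$TRUSTSTORE" \
        -storepass "$STOREPASS" -alias "$2"
}

# check_and_import HOST [PORT]: fetch the chain, verify the name, import the root.
check_and_import() {
    host="$1"; port="${2:-636}"
    raw="chain-$host.txt"
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null > "$raw"
    n=$(split_pem_bundle "$raw" "cert-$host")
    [ "$n" -gt 0 ] || { echo "no certificate received from $host:$port" >&2; return 1; }

    # The leaf must name the address Bitbucket is configured with; otherwise the
    # bind fails with "No subject alternative DNS name matching <host> found".
    san=$(openssl x509 -in "cert-$host-1.pem" -noout -ext subjectAltName | tail -n +2 | tr -d '\n')
    if san_matches "$san" "$host"; then
        echo "leaf SAN ($san) covers $host"
    else
        echo "WARNING: leaf SAN ($san) does not cover $host; the server certificate" \
             "needs a SAN for the name you connect to, even behind a load balancer" >&2
    fi

    # Only a self-signed certificate at the end of the chain is a root to trust;
    # if the server did not send its root, obtain it from your PKI instead.
    last="cert-$host-$n.pem"
    if is_self_signed "$last"; then
        import_ca "$last" "$host-root-ca"   # alias is an arbitrary choice
    else
        echo "chain from $host does not end in a root CA; import the root from your PKI" >&2
        return 1
    fi
}

# Network and keytool steps only run when a host is given, e.g.:
#   sh ldaps-trust.sh ldap.yourcompany.com 636
if [ $# -ge 1 ]; then check_and_import "$@"; fi
```

Run it as the account that owns the Bitbucket JVM, then restart Bitbucket so the JVM reloads cacerts. The keystore it writes to is the JVM's cacerts, not the server.additional-connector.1.ssl.key-store file from bitbucket.properties, which holds the HTTPS server key as Rick noted above. The SAN check is the same hostname verification that the second answer's -Dcom.sun.jndi.ldap.object.disableEndpointIdentification switches off; when the leaf certificates behind the alias only carry server1.company.com and so on, the durable fix is reissuing them with the alias in the SAN rather than disabling the check.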
