Currently, we use Microsoft Active Directory - Delegated LDAP Authentication as a user directory with BitBucket.
The operations department wants me to switch from LDAP to LDAPS on port 636, enabling SSL.
We run BitBucket server on Windows server.
The description I found is here: https://confluence.atlassian.com/bitbucketserver067/connecting-bitbucket-server-to-an-existing-ldap-directory-979426969.html
It is not complete when it comes to the "Use SSL" option. Use SSL says: "... Note that you will need to configure an SSL certificate in order to use this setting."
It would be better with a step-by-step guideline on how to do it.
I guess I need to import some certificate into a certificate store available to Bitbucket, but I cannot find the details on this, even though I have tried different searches on Google.
I believe first you must ask for the public part of your LDAP certificate. Then, you have to add it to the trust store used by the JVM which is in charge of running Bitbucket (you can find the complete route if you navigate to Administration >> Atlassian Support Tools >> System Information >> java.home).
Supposing your configuration is the following:
java.home = /opt/atlassian/bitbucket/jre
Certificate = YOURCOMPANY.COM.crt
LDAP FQDN: ldap.yourcompany.com
You must run the following command (the -keystore path is the cacerts file under the java.home above; -file is the certificate named above):
sudo /opt/atlassian/bitbucket/jre/bin/keytool -import -trustcacerts \
  -storepass changeit -noprompt -alias ldap.yourcompany.com \
  -keystore /opt/atlassian/bitbucket/jre/lib/security/cacerts -file YOURCOMPANY.COM.crt
And then restart the Bitbucket Application...
You may find the following exception within the Bitbucket logs while trying to connect to your Secure LDAP, if the configuration is NOT correct:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Hi again, and thank you for using your time on me.
Today I got a response from the operations department that our main internal domain (company.com) responds to LDAPS.
When I tried to use the company.com address in Bitbucket with SSL, it complained that there was no subject alternative name for company.com:
Connection test failed. Response from the server:
simple bind failed: **********.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching **********.com found.]
I guess this means that the certificate presented lacks the company.com alternative DNS name.
In addition, the SSL certificate I get back is from a different server each time. There is a range of various servers responding with their own server DNS names, like server1.company.com, server2.company.com and so on. This does not match the LDAPS address company.com.
I am able to verify the returned certificates with the openssl command. They have a certificate chain with two intermediate certificates and then the same root CA certificate. Does this mean I need to add all three certificates with your example command?
In addition, I have discovered that Bitbucket has its own certificate store, and it is different from the cacerts store in the java bin folder.
The operations department tells me that I should add trust for the root certificate and the two intermediate certificates. I would expect that the server certificates should have an alternative DNS name like company.com (which probably should be ldap.company.com instead).
There are a lot of details here, and it is more complicated than expected, as our setup is more complex than I expected. If you still know what advice will bring me on track, I will be very grateful.
Hi again Owe, I believe that if you add the Root CA to Bitbucket's certificate store, all certificates signed by this CA will be trusted. So it is worth trying to add the Root CA using the command I provided above, then restart and see the results.
Hi, after reconfiguration and a service restart we still get this error:
Connection test failed. Response from the server:
simple bind failed: ********.com:636; nested exception is javax.naming.CommunicationException: simple bind failed: **********:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching ********.com found.]
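The two checks the JVM performs before the bind succeeds, as an added example (shell with openssl; not code from this thread): a constructed root CA and LDAP server certificate are generated locally, then trust-path validation and SAN matching are exercised so that both errors quoted above can be reproduced side by side. ldap.yourcompany.com and the CA names are placeholders.

```shell
#!/bin/sh
# Added example, not code from this thread: rebuilds the two checks behind the
# errors quoted above with a constructed CA and LDAP server certificate.
# All names (ldap.yourcompany.com, the CA CNs) are placeholders.
set -e
WORK="$(mktemp -d)"; cd "$WORK"

# Minimal openssl config: CA extensions, and a SAN for the LDAP server cert.
cat > openssl.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_ldap]
basicConstraints = CA:FALSE
subjectAltName = DNS:ldap.yourcompany.com
EOF

make_ca() {  # $1 = file prefix, $2 = CN; self-signed root with CA:TRUE
  openssl req -new -config openssl.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
    -extfile openssl.cnf -extensions v3_ca -out "$1.pem" 2>/dev/null
}
make_ca ca    "Constructed Root CA"   # the CA operations would hand you
make_ca other "Unrelated Root CA"     # a truststore that lacks the right root

# Server cert signed by ca; its SAN names only ldap.yourcompany.com.
openssl req -new -config openssl.cnf -newkey rsa:2048 -nodes \
  -keyout ldap.key -out ldap.csr -subj "/CN=ldap.yourcompany.com" 2>/dev/null
openssl x509 -req -in ldap.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 1 -extfile openssl.cnf -extensions v3_ldap -out ldap.pem 2>/dev/null

# Check 1, trust path ($1 = CA bundle, $2 = server cert): this is what fails
# as "PKIX path building failed" when the root is missing from cacerts.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Check 2, hostname ($1 = name Bitbucket dials, $2 = server cert): this is
# "No subject alternative DNS name matching ..." and no CA import fixes it.
san_matches() { openssl x509 -in "$2" -noout -text | grep -Eq "DNS:$1(,|\$)"; }

chain_ok ca.pem ldap.pem     && echo "chain: trusted once the root CA is imported"
chain_ok other.pem ldap.pem  || echo "chain: PKIX failure with the wrong root"
san_matches ldap.yourcompany.com ldap.pem && echo "SAN: ldap.yourcompany.com matches"
san_matches yourcompany.com ldap.pem      || echo "SAN: yourcompany.com not in cert"
```

Importing the root CA only clears check 1; check 2 passes only when the host name Bitbucket connects to is one the certificate actually carries in its SAN, so the fix for that error is the connection address or the certificate, not another keystore import.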
I'm trying to implement this too and I'm confused by this: "In addition I have discovered that Bitbucket has its own certificate store, and it is different than the cacerts store on the java bin folder."
In which certificate store do I need to add the certificate? I know where the Java store is, but I don't know where the Bitbucket store is located.
It would be nice to have step-by-step documentation about this.
PS: we are running Bitbucket on Windows Server, so I'm not familiar with some Linux commands.
Our bitbucket config file ( [DRIVE]:\STASH_DATA\shared\bitbucket.properties) contains this line:
That is related to the Bitbucket SSL setup, and it confuses me whether this overrides the config on java.home = /opt/atlassian/bitbucket/jre
@Jack Nolddor _Sweet Bananas_ I guess your answer was correct, but it did not work out for me. I therefore wrote what I did to solve my problem. I see that the page I asked about still has too little information about this. Thanks for helping out. Regards, Owe
In the end we disabled the certificate checks for the user running the Bitbucket service by logging into the bitbucket user account on the server and setting the following user environment variable:
Not an ideal solution, but this is internal communication, and at least we have LDAPS with HTTPS up and running for now.
Jack's answer worked for us. You have to specifically add the certificate (that is used for LDAP) into the 'cacerts' keystore which is part of the Java installation used by your Bitbucket instance, for example: C:\Java\jre\lib\security\cacerts <-- keystore file.
Also make sure to set the -alias to the name of the CA; maybe that will help your DNS issue.
The command that Jack provided works perfectly if you alter it to suit your setup. We had spent some time looking at the Bitbucket ssl-keystore thinking it needed to go in there, but that is only used for the HTTPS web interface, it seems.