Hello,
I'm contacting you on behalf of our customer.
I have already had a ticket opened some time ago when I was not able to configure the Port and the SSL certificate. Now I have to upgrade the Certificate and it is not possible to get this working.
I already tried the following steps:
1) Updated the configuration: https://confluence.atlassian.com/bitbucketserverkb/how-to-run-bitbucket-server-over-https-with-a-personal-information-exchange-pfx-keystore-779171445.html
2) Imported the PFX file with step two: https://confluence.atlassian.com/kb/how-to-import-an-existing-ssl-certificate-for-use-in-tomcat-838412853.html => But this doesn't work. I always get the message "keytool error: java.lang.Exception: Alias <tomcat> does not exist"
3) Tried this way:
keytool -importkeystore -srckeystore <Bitbucket server home>/shared/config/certificate.pfx -srcstoretype pkcs12 -srcstorepass exportpass -srcalias <Source keystore alias> -destkeystore <Bitbucket server home>/shared/config/ssl-keystore -deststoretype jks -deststorepass changeit -destalias tomcat
source: https://confluence.atlassian.com/bitbucketserver/securing-bitbucket-server-with-tomcat-using-ssl-776640127.html
In this article I don't know what "-srcalias" means. I don't have an alias. Or do I? I only have an alias in my actual configuration.
Nothing from above is working. What am I doing wrong?
Thank you for your help!
Best regards,
Michael Wielitsch
INEO GmbH IT-Solutions
You can have a look at your aliases, e.g.:
# Alternative parameter is -v which will list all details
root@server:/tmp# $JRE_HOME/bin/keytool -keystore /var/atlassian/application-data/jira/some-jira.jks -list -v
/opt/atlassian/bitbucket/5.10.0/jre/bin/keytool -list -keystore /var/atlassian/application-data/bitbucket/shared/config/ssl-keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
tomcat, Jul 4, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1):
1, Jul 4, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1):
I have removed the fingerprint, so it's not an error that there is no fingerprint visible. But the fingerprints are the same.
Please use the -list -v parameters to see the aliases.
Sorry, I forgot the -v option:
Your keystore contains 3 entries
Alias name: 1
Alias name: tomcat
Alias name: te-5a122007-b3f6-46a8-93c9-51797c76ba3d
The third one I imported into the keystore using the following command:
keytool -importkeystore -destkeystore /var/atlassian/application-data/bitbucket/shared/config/ssl-keystore -srckeystore /var/atlassian/application-data/bitbucket/shared/config/godaddy.pfx -srcstoretype PKCS12
I had to enter the password for the keystore and the pfx and it generated the cryptic alias name. I changed the configuration to use the new alias, but I can't open the web interface.
You might not be importing into the keystore that is used by your Bitbucket Server.
Perhaps you can use the SSLPoke utility to troubleshoot.
Just for reference, you can rename the alias to something more readable:
root@server:/opt/atlassian/jira/jre/lib/security# $JRE_HOME/bin/keytool -changealias -alias "old-alias" -destalias "new-alias" -keystore cacerts
I'm sure that it is the right keystore. When I change the configuration to the alias "tomcat" and restart the services with "stop-bitbucket.sh && start-bitbucket.sh" it's working.
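On the "-srcalias" question raised in this thread: the source alias is whatever name the PFX itself gives its private-key entry, and `keytool -list -v` on the PFX shows it. The following is an added example, not code from any poster or from Atlassian; the listing is constructed sample output and the file names are placeholders taken from the commands quoted above.

```shell
#!/bin/sh
# Added example. Real use (keytool prompts for the PFX password):
#   keytool -list -v -keystore certificate.pfx -storetype PKCS12 | private_key_aliases

# Read `keytool -list -v` output on stdin and print the alias of every
# PrivateKeyEntry. Only such an entry carries the key a TLS connector needs;
# a trustedCertEntry holds a certificate without a private key.
private_key_aliases() {
  awk '
    /^Alias name: /                { alias = substr($0, 13) }
    /^Entry type: PrivateKeyEntry/ { print alias }
  '
}

# Print (do not run) the import command that copies one entry from the PFX
# into the JKS keystore under a readable alias. Password options are left
# out on purpose so keytool prompts instead of exposing them in the
# process list and shell history.
import_command() {  # args: pfx-file jks-file source-alias destination-alias
  printf 'keytool -importkeystore -srckeystore %s -srcstoretype PKCS12 -srcalias %s -destkeystore %s -deststoretype JKS -destalias %s\n' \
    "$1" "$3" "$2" "$4"
}

# Constructed sample of `keytool -list -v` output (details trimmed).
SAMPLE_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: te-5a122007-b3f6-46a8-93c9-51797c76ba3d
Creation date: Jul 4, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 3

Alias name: intermediate-ca
Creation date: Jul 4, 2018
Entry type: trustedCertEntry
'

src_alias=$(printf '%s' "$SAMPLE_LISTING" | private_key_aliases)
import_command certificate.pfx ssl-keystore "$src_alias" tomcat
```

After a real import, run `keytool -list -v` on the destination keystore and confirm that the alias named in the Bitbucket configuration is a PrivateKeyEntry carrying the new certificate's fingerprint.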