SSL Config: PKCS12 keystore works for JIRA/Confluence, but not for Bitbucket

Hi,

after some trials I've got JIRA and Confluence running with a PKCS12 keystore. However, Bitbucket does not want to play ball.

The JIRA/Confluence config in server.xml is:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
keystoreType="PKCS12" keystoreFile="/etc/ssl/atl_rl.pfx"
keystorePass="(mypass)" />

The Bitbucket config I've gotten furthest with thus far is:

server.additional-connector.1.port=8445
server.additional-connector.1.ssl.enabled=true
server.additional-connector.1.ssl.protocol=TLS
server.additional-connector.1.ssl.key-store=/etc/ssl/atl_rl.pfx
server.additional-connector.1.ssl.key-store-password=(mypass)
server.additional-connector.1.ssl.key-password=
server.additional-connector.1.ssl.key-store-type=PKCS12
server.additional-connector.1.ssl.key-alias=1

The PKCS12 store is secured using the password. The keys within do not have passwords.

This leads to a startup error:

2017-07-06 16:48:34,606 ERROR [main]  o.a.coyote.http11.Http11NioProtocol Failed to start end point associated with ProtocolHandler ["https-jsse-nio-8445"]
java.lang.IllegalArgumentException: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded

Any help appreciated.

Edit: Versions: atlassian-jira-software-7.3.6-x64.bin, atlassian-confluence-6.2.0-x64.bin, atlassian-bitbucket-5.0.1-x64.bin

2 answers

"Fixed" by converting the keystore to a JKS, and applying the same password to the key within as for the entire key store (using Portecle).

There is a key-alias in the pfx which is needed.

To read it out, use keytool.

Example:

c:\Atlassian\Bitbucket\5.4.1\jre\bin\keytool.exe -list -keystore d:\bitbucket_data\shared\ssl.pfx -storetype PKCS12

The output example:

Your keystore contains 1 entry

le-webserverexportable-bacc585a-1d2b-4702-92f2-78dbcbf4edf7, 12.10.2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 50:07:CC:EF:F2:C3:14:D8:D2:DF:8A:37:BF:C5:6E:E7:07:D8:11:7B

The alias will be: le-webserverexportable-bacc585a-1d2b-4702-92f2-78dbcbf4edf7

The config:

server.additional-connector.1.ssl.key-alias=le-webserverexportable-bacc585a-1d2b-4702-92f2-78dbcbf4edf7

And I had to use the pfx password for both the store and the key:

server.ssl.key-store-password=password
server.ssl.key-password=password

Then it worked.
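The procedure the two answers arrive at (list the .pfx with keytool, copy the PrivateKeyEntry alias into key-alias, and give key-password the same value as key-store-password) as an added shell example; it is not code from the original thread or from Atlassian. The keytool output embedded in the script is a constructed sample modelled on the listing above, so the script runs without a real keystore; the connector number, port and store path are the ones from the question and are assumptions, as is the choice of an OpenSSL pre-flight check. The script refuses to emit a configuration when the store does not hold exactly one private key.

```shell
#!/bin/sh
# Added example, not code from the original thread: turn the output of
# `keytool -list` on a PKCS12 store into the Bitbucket connector properties
# used in the question, with the key password set to the store password.

# CONSTRUCTED sample of `keytool -list -keystore store.pfx -storetype PKCS12`
# output, modelled on the answer above, so the script runs without a real .pfx.
SAMPLE_KEYTOOL_OUTPUT='Your keystore contains 1 entry

le-webserverexportable-bacc585a-1d2b-4702-92f2-78dbcbf4edf7, 12.10.2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 50:07:CC:EF:F2:C3:14:D8:D2:DF:8A:37:BF:C5:6E:E7:07:D8:11:7B'

# Print the alias of every PrivateKeyEntry in keytool -list output, one per line.
# The alias is the first comma-separated field of the entry line.
private_key_aliases() {
  printf '%s\n' "$1" | awk -F', ' '/PrivateKeyEntry/ { print $1 }'
}

# Emit the properties for additional connector $1 on port $2, store $3,
# password $4, alias $5. key-password is deliberately the store password:
# leaving it empty, as in the question, makes Java try to decrypt the key bag
# with "" and fail with "Given final block not properly padded".
connector_properties() {
  n="$1" port="$2" store="$3" pass="$4" alias="$5"
  cat <<EOF
server.additional-connector.$n.port=$port
server.additional-connector.$n.ssl.enabled=true
server.additional-connector.$n.ssl.protocol=TLS
server.additional-connector.$n.ssl.key-store=$store
server.additional-connector.$n.ssl.key-store-type=PKCS12
server.additional-connector.$n.ssl.key-store-password=$pass
server.additional-connector.$n.ssl.key-password=$pass
server.additional-connector.$n.ssl.key-alias=$alias
EOF
}

# Build the config for the store described by keytool output $1, path $2,
# password $3. Refuses when there is not exactly one private key, because a
# connector can only point at one alias.
generate_config() {
  aliases=$(private_key_aliases "$1")
  count=$(printf '%s\n' "$aliases" | awk 'NF { n++ } END { print n + 0 }')
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one PrivateKeyEntry, found $count" >&2
    return 1
  fi
  connector_properties 1 8445 "$2" "$3" "$aliases"
}

# Optional pre-flight check with OpenSSL (assumed available; not exercised by
# the sample run): decrypting the key bags with the store password proves that
# the same password unlocks both the store and the key, which is what the
# generated properties rely on.
check_key_password() {
  openssl pkcs12 -in "$1" -nocerts -noout -passin "pass:$2"
}

# Stand-alone run against the constructed sample (port, path and password are
# the placeholders from the question).
generate_config "$SAMPLE_KEYTOOL_OUTPUT" /etc/ssl/atl_rl.pfx '(mypass)'
```

keytool -list only reads the certificate side of the store, so a clean listing does not prove that the key password is right; run check_key_password against the real .pfx before restarting Bitbucket, and expect the padding error from the question whenever the password handed to the key bag differs from the one it was encrypted with.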
