SSL Config: PKCS12 keystore works for JIRA/Confluence, but not for Bitbucket Edited

Hi,

after some trials I've got JIRA and Confluence running with a PKCS12 keystore. However, Bitbucket does not want to play ball.

The JIRA/Confluence config in server.xml is:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
keystoreType="PKCS12" keystoreFile="/etc/ssl/atl_rl.pfx"
keystorePass="(mypass)" />

The Bitbucket config I've gotten furthest with thus far is:

server.additional-connector.1.port=8445
server.additional-connector.1.ssl.enabled=true
server.additional-connector.1.ssl.protocol=TLS
server.additional-connector.1.ssl.key-store=/etc/ssl/atl_rl.pfx
server.additional-connector.1.ssl.key-store-password=(mypass)
server.additional-connector.1.ssl.key-password=
server.additional-connector.1.ssl.key-store-type=PKCS12
server.additional-connector.1.ssl.key-alias=1

The PKCS12 store is secured using the password. The keys within do not have passwords.

This leads to a startup error:

2017-07-06 16:48:34,606 ERROR [main]  o.a.coyote.http11.Http11NioProtocol Failed to start end point associated with ProtocolHandler ["https-jsse-nio-8445"]
java.lang.IllegalArgumentException: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded

Any help appreciated.

Edit: Versions: atlassian-jira-software-7.3.6-x64.bin, atlassian-confluence-6.2.0-x64.bin, atlassian-bitbucket-5.0.1-x64.bin

2 answers

"Fixed" by converting the keystore to a JKS, and applying the same password to the key within as for the entire key store (using Portecle).

There is a key-alias in the pfx which is needed.

To read it out you use the keytool.

Example:

c:\Atlassian\Bitbucket\5.4.1\jre\bin\keytool.exe -list -keystore d:\bitbucket_data\shared\ssl.pfx -storetype PKCS12

 

The output example:

Your keystore contains 1 entry

 

le-webserverexportable-bacc585a-1d2b-4702-92f2-78dbcbf4edf7, 12.10.2017, Private

KeyEntry,

Certificate fingerprint (SHA1): 50:07:CC:EF:F2:C3:14:D8:D2:DF:8A:37:BF:C5:6E:E7:07:D8:11:7B

 

The alias will be: le-webserverexportable-bacc585a-1d2b-4702-92f2-78dbcbf4edf7

 

The config:

 

server.additional-connector.1.ssl.key-alias=le-webserverexportable-bacc585a-1d2b-4702-92f2-78dbcbf4edf7

 

And I had to use the pfx password for the store and the key:

 

server.ssl.key-store-password=password

server.ssl.key-password=password

 

Then it worked.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Nov 06, 2018 in Bitbucket

Upgrade Best Practices

Hello! My name is Mark Askew and I am a Premier Support Engineer for products Bitbucket Server/Data Center, Fisheye & Crucible. Today, I want to bring the discussion that Jennifer, Matt, and ...

1,896 views 7 10
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you