It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

SSL Config: PKCS12 keystore works for JIRA/Confluence, but not for Bitbucket Edited

Hi,

after some trials I've got JIRA and Confluence running with a PKCS12 keystore. However, Bitbucket does not want to play ball.

The JIRA/Confluence config in server.xml is:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
keystoreType="PKCS12" keystoreFile="/etc/ssl/atl_rl.pfx"
keystorePass="(mypass)" />

The Bitbucket config I've gotten furthest with thus far is:

server.additional-connector.1.port=8445
server.additional-connector.1.ssl.enabled=true
server.additional-connector.1.ssl.protocol=TLS
server.additional-connector.1.ssl.key-store=/etc/ssl/atl_rl.pfx
server.additional-connector.1.ssl.key-store-password=(mypass)
server.additional-connector.1.ssl.key-password=
server.additional-connector.1.ssl.key-store-type=PKCS12
server.additional-connector.1.ssl.key-alias=1

The PKCS12 store is secured using the password. The keys within do not have passwords.

This leads to a startup error:

2017-07-06 16:48:34,606 ERROR [main]  o.a.coyote.http11.Http11NioProtocol Failed to start end point associated with ProtocolHandler ["https-jsse-nio-8445"]
java.lang.IllegalArgumentException: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded

Any help appreciated.

Edit: Versions: atlassian-jira-software-7.3.6-x64.bin, atlassian-confluence-6.2.0-x64.bin, atlassian-bitbucket-5.0.1-x64.bin

2 answers

"Fixed" by converting the keystore to a JKS, and applying the same password to the key within as for the entire key store (using Portecle).

There is a key-alias in the pfx which is needed.

To read it out you use the keytool.

Example:

c:\Atlassian\Bitbucket\5.4.1\jre\bin\keytool.exe -list -keystore d:\bitbucket_data\shared\ssl.pfx -storetype PKCS12

 

The output example:

Your keystore contains 1 entry

 

le-webserverexportable-bacc585a-1d2b-4702-92f2-78dbcbf4edf7, 12.10.2017, Private

KeyEntry,

Certificate fingerprint (SHA1): 50:07:CC:EF:F2:C3:14:D8:D2:DF:8A:37:BF:C5:6E:E7:07:D8:11:7B

 

The alias will be: le-webserverexportable-bacc585a-1d2b-4702-92f2-78dbcbf4edf7

 

The config:

 

server.additional-connector.1.ssl.key-alias=le-webserverexportable-bacc585a-1d2b-4702-92f2-78dbcbf4edf7

 

And I had to use the pfx password for the store and the key:

 

server.ssl.key-store-password=password

server.ssl.key-password=password

 

Then it worked.

Suggest an answer

Log in or Sign up to answer
Community showcase
Published in Bitbucket

Atlassian supported Jenkins integration for Bitbucket Server

We’ve been building a plugin to integrate Bitbucket Server and Jenkins CI, and I’m excited to announce that our alpha is ready to download and install. It lets you seamlessly configure a Jenkins job ...

426 views 0 9
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you