SSL Config: PKCS12 keystore works for JIRA/Confluence, but not for Bitbucket Edited

Hi,

after some trials I've got JIRA and Confluence running with a PKCS12 keystore. However, Bitbucket does not want to play ball.

The JIRA/Confluence config in server.xml is:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxHttpHeaderSize="8192" SSLEnabled="true"
maxThreads="150" minSpareThreads="25"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
keystoreType="PKCS12" keystoreFile="/etc/ssl/atl_rl.pfx"
keystorePass="(mypass)" />

The Bitbucket config I've gotten furthest with thus far is:

server.additional-connector.1.port=8445
server.additional-connector.1.ssl.enabled=true
server.additional-connector.1.ssl.protocol=TLS
server.additional-connector.1.ssl.key-store=/etc/ssl/atl_rl.pfx
server.additional-connector.1.ssl.key-store-password=(mypass)
server.additional-connector.1.ssl.key-password=
server.additional-connector.1.ssl.key-store-type=PKCS12
server.additional-connector.1.ssl.key-alias=1

The PKCS12 store is secured using the password. The keys within do not have passwords.

This leads to a startup error:

2017-07-06 16:48:34,606 ERROR [main]  o.a.coyote.http11.Http11NioProtocol Failed to start end point associated with ProtocolHandler ["https-jsse-nio-8445"]
java.lang.IllegalArgumentException: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded

Any help appreciated.

Edit: Versions: atlassian-jira-software-7.3.6-x64.bin, atlassian-confluence-6.2.0-x64.bin, atlassian-bitbucket-5.0.1-x64.bin

2 answers

"Fixed" by converting the keystore to a JKS, and applying the same password to the key within as for the entire key store (using Portecle).

There is a key-alias in the pfx which is needed.

To read it out you use the keytool.

Example:

c:\Atlassian\Bitbucket\5.4.1\jre\bin\keytool.exe -list -keystore d:\bitbucket_data\shared\ssl.pfx -storetype PKCS12

 

The output example:

Your keystore contains 1 entry

 

le-webserverexportable-bacc585a-1d2b-4702-92f2-78dbcbf4edf7, 12.10.2017, Private

KeyEntry,

Certificate fingerprint (SHA1): 50:07:CC:EF:F2:C3:14:D8:D2:DF:8A:37:BF:C5:6E:E7:07:D8:11:7B

 

The alias will be: le-webserverexportable-bacc585a-1d2b-4702-92f2-78dbcbf4edf7

 

The config:

 

server.additional-connector.1.ssl.key-alias=le-webserverexportable-bacc585a-1d2b-4702-92f2-78dbcbf4edf7

 

And I had to use the pfx password for the store and the key:

 

server.ssl.key-store-password=password

server.ssl.key-password=password

 

Then it worked.

Suggest an answer

Log in or Join to answer
Community showcase
Piotr Plewa
Published Dec 27, 2017 in Bitbucket

Recipe: Deploying AWS Lambda functions with Bitbucket Pipelines

Bitbucket Pipelines helps me manage and automate a number of serverless deployments to AWS Lambda and this is how I do it. I'm building Node.js Lambda functions using node-lambda&nbsp...

635 views 0 4
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot