Hi,
after some trials I've got JIRA and Confluence running with a PKCS12 keystore. However, Bitbucket does not want to play ball.
The JIRA/Confluence config in server.xml is:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxHttpHeaderSize="8192" SSLEnabled="true"
           maxThreads="150" minSpareThreads="25"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
           keystoreType="PKCS12" keystoreFile="/etc/ssl/atl_rl.pfx"
           keystorePass="(mypass)" />
The Bitbucket config I've gotten furthest with thus far is:
server.additional-connector.1.port=8445
server.additional-connector.1.ssl.enabled=true
server.additional-connector.1.ssl.protocol=TLS
server.additional-connector.1.ssl.key-store=/etc/ssl/atl_rl.pfx
server.additional-connector.1.ssl.key-store-password=(mypass)
server.additional-connector.1.ssl.key-password=
server.additional-connector.1.ssl.key-store-type=PKCS12
server.additional-connector.1.ssl.key-alias=1
The PKCS12 store is secured using the password. The keys within do not have passwords.
This leads to a startup error:
2017-07-06 16:48:34,606 ERROR [main] o.a.coyote.http11.Http11NioProtocol Failed to start end point associated with ProtocolHandler ["https-jsse-nio-8445"]
java.lang.IllegalArgumentException: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded
Any help appreciated.
Edit: Versions: atlassian-jira-software-7.3.6-x64.bin, atlassian-confluence-6.2.0-x64.bin, atlassian-bitbucket-5.0.1-x64.bin
There is a key-alias in the pfx which is needed.
To read it out you use the keytool.
Example:
c:\Atlassian\Bitbucket\5.4.1\jre\bin\keytool.exe -list -keystore d:\bitbucket_data\shared\ssl.pfx -storetype PKCS12
The output example:
Your keystore contains 1 entry
le-webserverexportable-bacc585a-1d2b-4702-92f2-78dbcbf4edf7, 12.10.2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 50:07:CC:EF:F2:C3:14:D8:D2:DF:8A:37:BF:C5:6E:E7:07:D8:11:7B
The alias will be: le-webserverexportable-bacc585a-1d2b-4702-92f2-78dbcbf4edf7
The config:
server.additional-connector.1.ssl.key-alias=le-webserverexportable-bacc585a-1d2b-4702-92f2-78dbcbf4edf7
And I had to use the pfx password for the store and the key:
server.ssl.key-store-password=password
server.ssl.key-password=password
Then it worked.
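The procedure in the answer above (list the store with keytool, copy the PrivateKeyEntry alias into key-alias, and give the key the same password as the store) as an added shell example; it is not code from the thread or from Atlassian. The sample listing is constructed, modelled on the output quoted above; the property names assume the server.additional-connector.1 prefix used in the question, and list_store assumes a JRE with keytool on PATH. Java's PKCS12 keystore uses one password for both the store and its key entries, which is why an empty key-password produces the "Given final block not properly padded" failure when the key bag is decrypted.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Pull the PrivateKeyEntry alias out of a `keytool -list` listing and emit the
# Bitbucket connector properties that must agree with it.

# Constructed sample, modelled on the listing quoted in the answer above.
SAMPLE_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

le-webserverexportable-bacc585a-1d2b-4702-92f2-78dbcbf4edf7, 12.10.2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 50:07:CC:EF:F2:C3:14:D8:D2:DF:8A:37:BF:C5:6E:E7:07:D8:11:7B'

# private_key_aliases: read a keytool listing on stdin, print the alias of every
# PrivateKeyEntry (the field before the first ", " on the entry line).
# Trusted-certificate entries are ignored; they cannot serve a TLS connector.
private_key_aliases() {
    awk -F', ' '/PrivateKeyEntry/ { print $1 }'
}

# count_private_keys: number of PrivateKeyEntry lines on stdin.
count_private_keys() {
    private_key_aliases | wc -l | tr -d ' '
}

# bitbucket_ssl_properties ALIAS PASSWORD: print the three properties for
# additional connector 1. For a Java PKCS12 store the key password and the
# store password are the same value, so both lines carry the same password.
bitbucket_ssl_properties() {
    alias="$1"
    pass="$2"
    printf 'server.additional-connector.1.ssl.key-alias=%s\n' "$alias"
    printf 'server.additional-connector.1.ssl.key-store-password=%s\n' "$pass"
    printf 'server.additional-connector.1.ssl.key-password=%s\n' "$pass"
}

# list_store STORE PASSWORD: list a real .pfx with keytool (assumes keytool on
# PATH) and print its private-key aliases. Omit -storepass if you prefer the
# interactive prompt so the password does not appear in the process list.
list_store() {
    keytool -list -keystore "$1" -storetype PKCS12 -storepass "$2" 2>/dev/null \
        | private_key_aliases
}

# Demo against the constructed listing: exactly one private key is expected,
# since a connector can only name one alias.
n=$(printf '%s\n' "$SAMPLE_LISTING" | count_private_keys)
if [ "$n" = "1" ]; then
    alias=$(printf '%s\n' "$SAMPLE_LISTING" | private_key_aliases)
    bitbucket_ssl_properties "$alias" '(mypass)'
else
    echo "expected exactly one PrivateKeyEntry, found $n" >&2
fi
```

With a real store, `list_store /etc/ssl/atl_rl.pfx '(mypass)'` gives the alias to paste into key-alias; if it prints nothing, the store holds no private key under that password and no alias value will make the connector start.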
"Fixed" by converting the keystore to a JKS, and applying the same password to the key within as for the entire key store (using Portecle).