Stash Backup Client base URL when HTTPS is enabled

I have enabled HTTPS on my Stash instance. Now I would like to use the Backup Client but I need some information to fill the `backup-config.properties` file.

  • Stash is run by the user `atlstash` which was created by the installer. What is this user's password? I need to write it to the `stash.password` property
  • When I try to run the Backup Client with `stash.baseUrl=http://localhost:7990` I get an error message saying: "A backup could not be created. Reason: Unable to connect to localhost:7990; nested exception is java.net.ConnectException: Connection refused"

6 answers

1 accepted

0 vote

Hi Pierre,

Are you using a self-signed certificate on Stash? 

If so, can you follow the KB below, please:

Thanks!

Best regards,
Thiago Bomfim

Hi,

Yes I'm using a self-signed certificate on Stash.

Regarding the contents of the KB my server does not have a domain name so I always access it using its IP.

I've created a new certificate for "localhost" with the IP as an alternative name and I get the second error mentioned in the KB: PKIX path building failed etc.

Following the instructions in the second KB I got it to work. Thanks for the documentation Thiago!

Best Regards,

Pierre

Awesome, Pierre! I am glad this information helped you!

I was able to get this to work by adding the self signed cert to the java keystore on the server.

This is the correct link for testing with SSLPoke to confirm it's a cert issue: https://confluence.atlassian.com/display/KB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed

Then it has a link to the resolution on the page that it goes to here: (command line section)

https://confluence.atlassian.com/jira/connecting-to-ssl-services-117455.html#ConnectingtoSSLservices-commandline

cliff notes version for Linux:

1) `openssl s_client -connect yourserver.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt`

2) `<JAVA_HOME>/bin/keytool -import -alias <server_name> -keystore <JAVA_HOME>/jre/lib/security/cacerts -file public.crt`

- I used my full server name as the <alias> field

- default java keystore password is "changeit" if prompted

You'll also need to ensure that you put the cert it has you save into the correct cacerts directory. I had multiple, so make sure that you verify which one your server is set up to use.

Hi Randy, That's what the second KB at the bottom of the main page above talks about. Thanks for your feedback!

0 vote

Hi Pierre,

"Stash is run by the user `atlstash` which was created by the installer. What is this user's password? I need to write it to the `stash.password` property"

Answer: as described on Using the Stash Backup Client, the values you need to insert into stash.user and stash.password are related to the user with administrative privileges on your Stash instance (i.e. admin user/password that you use to login to the Stash UI).

In regards to your second question:

The exception below:

A backup could not be created. Reason: Unable to connect to localhost:7990; nested exception is java.net.ConnectException: Connection refused

Means you didn't have your instance up and running at the time. Stash needs to be up and running so the backup client can back it up.

I hope that helps.

Best regards,
Thiago Bomfim
Atlassian Support

Hi Thiago,

Regarding my first question I corrected my mistake.

Regarding the second question I think it's something else. I think my instance is definitely up and running, since I can log in to it and view the repositories. However I'm not accessing it from http://<the server IP>:7990 but from https://<the server IP>:8443 since I have enabled HTTPS and disabled regular HTTP.

I do get the exact same error message if I stop the Stash service.

If I set the stash.baseUrl property to https://localhost:8443 I get a different error message:

ERROR A backup could not be created. Reason: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found

It seems logical to me that "no name matching localhost" is found since the subject name of the SSL certificate is the server IP.

I tried something different: I re-enabled the HTTP connector in stash/3.5.1/conf/server.xml and restarted Stash. Accessing Stash using HTTP on port 7990 works again. Now the Backup Client works.  

But I don't want to leave HTTP enabled so I would like to have the Backup Client working with HTTPS if possible.

Best Regards,

Pierre
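
Added example (not part of the thread or of Atlassian's documentation): shell checks for the two HTTPS failures discussed here, the name mismatch between `stash.baseUrl` and the certificate, and the certificate missing from the `cacerts` file that Java actually uses. The function names, the `192.0.2.10` address used in testing and the generated certificate are constructed for illustration, and `active_cacerts` assumes the Backup Client runs with the `java` found first on PATH.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of any Atlassian tool.

# Exit 0 if the PEM certificate $1 is valid for $2 (DNS name or IPv4 literal).
name_matches_cert() {
    case $2 in
        *[!0-9.]*) check=-checkhost ;;  # not only digits and dots: DNS name
        *)         check=-checkip ;;    # IPv4 literal: needs an IP SAN entry
    esac
    openssl x509 -in "$1" -noout "$check" "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Print the cacerts path of the java found first on PATH (assumed to be the
# one that runs the Backup Client).
active_cacerts() {
    home=$(java -XshowSettings:properties -version 2>&1 |
        sed -n 's/^ *java\.home = //p')
    [ -n "$home" ] && printf '%s\n' "$home/lib/security/cacerts"
}

# Exit 0 if the SHA-256 fingerprint of certificate $1 is listed in keystore $2.
cert_in_truststore() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)
    [ -n "$fp" ] || return 1
    keytool -list -v -keystore "$2" -storepass "${3:-changeit}" 2>/dev/null |
        grep -qF "$fp"
}

# Constructed sample input: throwaway self-signed certificate $1 with CN $2
# and subjectAltName $3.
make_sample_cert() {
    cfg=$(mktemp)
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ext' \
        'prompt=no' '[dn]' "CN=$2" '[ext]' "subjectAltName=$3" > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "$1.key" -out "$1" 2>/dev/null
    rm -f "$cfg" "$1.key"
}
```

After sourcing the file, `name_matches_cert public.crt localhost && cert_in_truststore public.crt "$(active_cacerts)"` covers both conditions before the Backup Client is started. The name check uses OpenSSL's matching rules, which approximate what Java's HTTPS client enforces.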

I'm having the same problem that Pierre is having with the backup-client failing with https.  I get the same error:

[root@dev001 backup]# ./backup-stash.sh
2015-01-22 11:12:42,803 INFO Initializing
2015-01-22 11:12:44,863 ERROR A backup could not be created. Reason: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
org.apache.wink.client.ClientRuntimeException: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.apache.wink.client.internal.ResourceImpl.invoke(ResourceImpl.java:241) ~[wink-client-1.4.jar:1.4]
at org.apache.wink.client.internal.ResourceImpl.invoke(ResourceImpl.java:189) ~[wink-client-1.4.jar:1.4]
... 17 more frames available in the log file

However, we cannot turn on HTTP access again. HOW can we back up Stash through SSL?

https://confluence.atlassian.com/display/STASHKB/Can%27t+backup+due+to+PKIX+path+building+failed+-+unable+to+find+valid+certification+path+to+requested+target didn't help. I was able to pull the public.crt file and create a new stash.jks file but can't get the backup client to use it. I still get this error. I'm going to log this as a formal issue instead of as a comment.

Hi Michael, In the procedure above you don't need to create a "jks". All you need to do is to import the public cert into your Java keystore then execute the backup again. Please have another look at it -- it worked for Pierre.

Hi Michael, were you able to resolve this problem? I am now facing the same issue and I have imported our certificate to the cacerts file for the Stash bundled Java. Thanks, Josh
