
Stash Backup Client base URL when HTTPS is enabled

Pierre Bouchet January 15, 2015

I have enabled HTTPS on my Stash instance. Now I would like to use the Backup Client but I need some information to fill the `backup-config.properties` file.

  • Stash is run by the user `atlstash` which was created by the installer. What is this user's password? I need to write it to the `stash.password` property
  • When I try to run the Backup Client with `stash.baseUrl=http://localhost:7990` I get an error message saying: "A backup could not be created. Reason: Unable to connect to localhost:7990; nested exception is java.net.ConnectException: Connection refused"

6 answers

1 accepted

0 votes
Answer accepted
ThiagoBomfim
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 20, 2015

Hi Pierre,

Are you using a self-signed certificate on Stash?

If so, can you follow the KB below, please:

Thanks!

Best regards,
Thiago Bomfim

1 vote
Randy Kochis October 14, 2015

I was able to get this to work by adding the self signed cert to the java keystore on the server.

This is the correct link for testing with SSLPoke to confirm it's a cert issue: https://confluence.atlassian.com/display/KB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed

Then it has a link to the resolution on the page that it goes to here: (command line section)

https://confluence.atlassian.com/jira/connecting-to-ssl-services-117455.html#ConnectingtoSSLservices-commandline

Cliff notes version for Linux:

1) `openssl s_client -connect yourserver.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt`

2) `<JAVA_HOME>/bin/keytool -import -alias <server_name> -keystore <JAVA_HOME>/jre/lib/security/cacerts -file public.crt`

- I used my full server name as the <alias> field

- default java keystore password is "changeit" if prompted

You'll also need to ensure that you put the cert it has you save into the correct cacerts directory. I had multiple, so make sure that you verify which one your server is set up to use.

ThiagoBomfim
Atlassian Team
October 14, 2015

Hi Randy, That's what the second KB at the bottom of the main page above talks about. Thanks for your feedback!

1 vote
Pierre Bouchet January 21, 2015

Hi,

Yes I'm using a self-signed certificate on Stash.

Regarding the contents of the KB, my server does not have a domain name so I always access it using its IP.

I've created a new certificate for "localhost" with the IP as an alternative name and I get the second error mentioned in the KB: PKIX path building failed etc.

Following the instructions in the second KB I got it to work. Thanks for the documentation Thiago!

Best Regards,

Pierre

ThiagoBomfim
Atlassian Team
January 21, 2015

Awesome, Pierre! I am glad this information helped you!

0 votes
Michael Vilain January 22, 2015

I'm having the same problem that Pierre is having with the backup-client failing with HTTPS. I get the same error:

[root@dev001 backup]# ./backup-stash.sh
2015-01-22 11:12:42,803 INFO Initializing
2015-01-22 11:12:44,863 ERROR A backup could not be created. Reason: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
org.apache.wink.client.ClientRuntimeException: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.apache.wink.client.internal.ResourceImpl.invoke(ResourceImpl.java:241) ~[wink-client-1.4.jar:1.4]
at org.apache.wink.client.internal.ResourceImpl.invoke(ResourceImpl.java:189) ~[wink-client-1.4.jar:1.4]
... 17 more frames available in the log file

However, we cannot turn on HTTP access again. HOW can we back up Stash through SSL?

Michael Vilain January 22, 2015

https://confluence.atlassian.com/display/STASHKB/Can%27t+backup+due+to+PKIX+path+building+failed+-+unable+to+find+valid+certification+path+to+requested+target didn't help. I was able to pull the public.crt file and create a new stash.jks file but can't get the backup client to use it. I still get this error. I'm going to log this as a formal issue instead of as a comment.

ThiagoBomfim
Atlassian Team
January 22, 2015

Hi Michael, In the procedure above you don't need to create a "jks". All you need to do is to import the public cert into your Java keystore then execute the backup again. Please have another look at it -- it worked for Pierre.

Lukas Rogoz November 6, 2015

Hi Michael, were you able to resolve this problem? I am now facing the same issue and I have imported our certificate to the cacerts file for the Stash bundled Java. Thanks, Josh

0 votes
Pierre Bouchet January 15, 2015

Hi Thiago,

Regarding my first question, I corrected my mistake.

Regarding the second question, I think it's something else. I think my instance is definitely up and running, since I can log in to it and view the repositories. However, I'm not accessing it from http://<the server IP>:7990 but from https://<the server IP>:8443 since I have enabled HTTPS and disabled regular HTTP.

I do get the exact same error message if I stop the Stash service.

If I set the stash.baseUrl property to https://localhost:8443 I get a different error message:

ERROR A backup could not be created. Reason: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found

It seems logical to me that "no name matching localhost" is found since the subject name of the SSL certificate is the server IP.

I tried something different: I re-enabled the HTTP connector in stash/3.5.1/conf/server.xml and restarted Stash. Accessing Stash using HTTP on port 7990 works again. Now the Backup Client works.

But I don't want to leave HTTP enabled so I would like to have the Backup Client working with HTTPS if possible.

Best Regards,

Pierre
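
The "No name matching localhost found" error in the post above comes from comparing the host in `stash.baseUrl` with the names in the server certificate. The following is an added example, not part of the original thread: it builds a constructed throwaway certificate and checks which base URLs it covers. The function names, `192.0.2.10` and `stash.example.test` are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): does a certificate cover the host in stash.baseUrl?
# The certificate, 192.0.2.10 and stash.example.test are constructed placeholders.

# Create a throwaway self-signed certificate for the demo:
# CN=localhost, SAN = DNS:localhost and IP:192.0.2.10.
make_demo_cert() {   # $1 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=localhost" \
    -addext "subjectAltName=DNS:localhost,IP:192.0.2.10" \
    -keyout "$1/demo.key" -out "$1/demo.crt" 2>/dev/null
}

# Print the host part of a base URL such as https://localhost:8443
url_host() {
  uh_rest="${1#*://}"             # drop the scheme
  uh_rest="${uh_rest%%/*}"        # drop any path
  printf '%s\n' "${uh_rest%%:*}"  # drop the port
}

# Return 0 if certificate file $1 is valid for the host in base URL $2.
# IPv4 literals are compared with iPAddress SAN entries, names with dNSName
# entries. IPv6 literals are outside the scope of this example.
cert_covers_url() {
  cc_host="$(url_host "$2")"
  case "$cc_host" in
    "")        return 1 ;;
    *[!0-9.]*) cc_flag=-checkhost ;;   # has a non-digit, non-dot character: DNS name
    *)         cc_flag=-checkip ;;     # digits and dots only: IPv4 literal
  esac
  # The verdict is read from openssl's output rather than its exit status.
  cc_out="$(openssl x509 -in "$1" -noout "$cc_flag" "$cc_host" 2>/dev/null)"
  case "$cc_out" in
    *"does match certificate"*) return 0 ;;
    *)                          return 1 ;;
  esac
}

demo_dir="$(mktemp -d)"
make_demo_cert "$demo_dir"
for url in https://localhost:8443 https://192.0.2.10:8443 \
           https://stash.example.test:8443; do
  if cert_covers_url "$demo_dir/demo.crt" "$url"; then
    echo "match     $url"
  else
    echo "MISMATCH  $url"
  fi
done
rm -rf "$demo_dir"
```

A name mismatch is a separate failure from the PKIX trust error, so importing the certificate into `cacerts` does not resolve it.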

0 votes
ThiagoBomfim
Atlassian Team
January 15, 2015

Hi Pierre,

"Stash is run by the user `atlstash` which was created by the installer. What is this user's password? I need to write it to the `stash.password` property"

Answer: as described on Using the Stash Backup Client, the values you need to insert into stash.user and stash.password are related to the user with administrative privileges on your Stash instance (i.e. admin user/password that you use to login to the Stash UI).

In regards to your second question:

The exception below:

A backup could not be created. Reason: Unable to connect to localhost:7990; nested exception is java.net.ConnectException: Connection refused

Means you didn't have your instance up and running at the time. Stash needs to be up and running so the backup client can back it up.

I hope that helps.

Best regards,
Thiago Bomfim
Atlassian Support
