
Unable to get SSL working post upgrade in Bitbucket 5.1

Leena Bakshi April 25, 2018

Hi,

After doing the upgrade of Stash 3.7.2 to Bitbucket 5.1, I am unable to get Bitbucket to run on SSL. It can be accessed on port 7990.

Following are the Bitbucket properties:

server.secure=true
server.scheme=https
server.proxy-port=443
server.proxy-name=bitbucket server name
server.additional-connector.1.redirect-port=443
server.additional-connector.1.secure=true
server.additional-connector.1.scheme=https
server.additional-connector.1.ssl.enabled=true
server.additional-connector.1.ssl.client-auth=want
server.additional-connector.1.ssl.protocol=TLSv1.2
server.additional-connector.1.ssl.key-store=C:\\keystore\\stash
server.additional-connector.1.ssl.key-store-password=password value

 

I am receiving the following error in the Bitbucket logs:

 

2018-04-25 15:33:18,536 ERROR [Caesium-1-2]  c.a.c.d.DbCachingDirectoryPoller Error occurred while refreshing the cache for directory [ 10125313 ].
com.atlassian.crowd.exception.OperationFailedException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.andReceive(RestExecutor.java:425)
    at com.atlassian.crowd.integration.rest.service.RestCrowdClient.searchUsers(RestCrowdClient.java:625)
    at com.atlassian.crowd.directory.RemoteCrowdDirectory.searchUsers(RemoteCrowdDirectory.java:401)
    at com.atlassian.crowd.directory.ldap.cache.RemoteDirectoryCacheRefresher.findAllRemoteUsers(RemoteDirectoryCacheRefresher.java:57)
    at com.atlassian.crowd.directory.ldap.cache.RemoteDirectoryCacheRefresher.synchroniseAllUsers(RemoteDirectoryCacheRefresher.java:100)
    at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAll(AbstractCacheRefresher.java:49)
    at com.atlassian.crowd.directory.ldap.cache.EventTokenChangedCacheRefresher.synchroniseAll(EventTokenChangedCacheRefresher.java:71)
    at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:1182)
    at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:78)
    at com.atlassian.crowd.directory.DbCachingDirectoryPoller.pollChanges(DbCachingDirectoryPoller.java:50)
    at com.atlassian.crowd.manager.directory.monitor.poller.DirectoryPollerJobRunner.runJob(DirectoryPollerJobRunner.java:96)
    at com.atlassian.scheduler.core.JobLauncher.runJob(JobLauncher.java:153)
    at com.atlassian.scheduler.core.JobLauncher.launchAndBuildResponse(JobLauncher.java:118)
    at com.atlassian.scheduler.core.JobLauncher.launch(JobLauncher.java:97)
    at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.launchJob(CaesiumSchedulerService.java:443)
    at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.executeClusteredJob(CaesiumSchedulerService.java:438)
    at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.executeClusteredJobWithRecoveryGuard(CaesiumSchedulerService.java:462)
    at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.executeQueuedJob(CaesiumSchedulerService.java:390)
    at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService$1.consume(CaesiumSchedulerService.java:285)
    at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService$1.consume(CaesiumSchedulerService.java:282)
    at com.atlassian.scheduler.caesium.impl.SchedulerQueueWorker.executeJob(SchedulerQueueWorker.java:65)
    at com.atlassian.scheduler.caesium.impl.SchedulerQueueWorker.executeNextJob(SchedulerQueueWorker.java:59)
    at com.atlassian.scheduler.caesium.impl.SchedulerQueueWorker.run(SchedulerQueueWorker.java:34)
    at java.lang.Thread.run(Thread.java:745)
    ... 13 frames trimmed
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)

 

Thanks

1 answer

1 accepted

0 votes
Answer accepted
Caterina Curti
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 25, 2018

Hi @Leena Bakshi,

 

Can you try to replace the current configuration with the following?

server.additional-connector.1.port=443
server.additional-connector.1.ssl.enabled=true
server.additional-connector.1.ssl.key-store=/path/to/keystore/bitbucket.jks
server.additional-connector.1.ssl.key-store-password=<password value>

This will keep the 7990 port available for http connections and the 443 one for https ones.

 

If this does not work, please review the options on the Securing Bitbucket Server with Tomcat using SSL and Proxying and securing Bitbucket Server and let us know which is the current proxy setup that is in place.

 

The "PKIX path building failed" error is related to the connection to the user directory (it could be Crowd or Jira but also LDAP) and is discussed in the Unable to Connect to SSL Services due to PKIX Path Building Failed article.

 

Cheers,

Caterina

Leena Bakshi April 30, 2018

Hello Caterina,

After taking out the "server.additional-connector.1." completely from the bitbucket.properties file, the following configuration has worked for me and I am able to access Bitbucket on https now:

server.port=443
server.ssl.enabled=true
server.ssl.key-store=C:/keystore/stash.jks
server.ssl.key-store-password=xxxxxxxxxxxx
server.ssl.key-password=xxxxxxxxxxxx
server.ssl.key-alias=stash

 

However, now I am not able to integrate Jira with Bitbucket and am receiving the same error when trying to add the user directory of JIRA in Bitbucket.

"Connection test failed. Response from the server:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

 

Any ideas/suggestions?

 

Thank you

Caterina Curti
Atlassian Team
May 2, 2018

Hi @Leena Bakshi,

 

Great news about being able to connect using https.

 

Have you tried following the steps on the Unable to Connect to SSL Services due to PKIX Path Building Failed article to address this?

 

As a first step, let's try to verify the connectivity using the SSLPoke class available on the article.

 

Cheers,

Caterina - Atlassian

Leena Bakshi May 4, 2018

Hi Caterina,

This issue stands resolved now. We forgot to add the certificate to the Java startup, and after adding it, I could discover Jira just fine and now both the applications are linked.

Thanks for following up.
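
The "PKIX path building failed" error in this thread means the client could not chain the remote server's certificate to any CA in the trust store it consults. As an added illustration (not code from the thread or from Atlassian), the script below reproduces that condition offline, with `openssl verify` standing in for the JVM's validator; the CA subjects, the host name jira.example.internal and all file names are constructed.

```shell
#!/bin/sh
# Added illustration. Every name, subject and file here is constructed.
# `openssl verify` stands in for the JVM's PKIX validator: both refuse a
# server certificate whose issuing CA is missing from the trust store.

# new_ca DIR NAME SUBJECT: create a throwaway self-signed CA (NAME.key/NAME.pem).
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# new_server_cert DIR CA_NAME: issue srv.pem for a constructed host name.
new_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=jira.example.internal" \
        -keyout "$1/srv.key" -out "$1/srv.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/srv.csr" -days 1 -CA "$1/$2.pem" \
        -CAkey "$1/$2.key" -CAcreateserial -out "$1/srv.pem" >/dev/null 2>&1
}

# chain_status TRUST_BUNDLE CERT: print "trusted" or "untrusted".
chain_status() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

# run_demo: validate the same certificate before and after the issuing CA
# is added to the client's trust bundle.
run_demo() {
    tmp=$(mktemp -d) || return 1
    new_ca "$tmp" internal "/CN=Constructed Internal CA" &&
    new_ca "$tmp" other "/CN=Constructed Unrelated CA" &&
    new_server_cert "$tmp" internal || { rm -rf "$tmp"; return 1; }
    cp "$tmp/other.pem" "$tmp/trust.pem"          # store without the issuer
    before=$(chain_status "$tmp/trust.pem" "$tmp/srv.pem")
    cat "$tmp/internal.pem" >> "$tmp/trust.pem"   # the "import" step
    after=$(chain_status "$tmp/trust.pem" "$tmp/srv.pem")
    rm -rf "$tmp"
    echo "before=$before after=$after"
}

run_demo
```

On a JVM the corresponding import is done with `keytool -importcert` into the trust store that the Java process actually loads at startup.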
