Hi,
After doing the upgrade of Stash 3.7.2 to Bitbucket 5.1, I am unable to get Bitbucket to run on SSL. It can be accessed on port 7990.
The following are the Bitbucket properties:
server.secure=true
server.scheme=https
server.proxy-port=443
server.proxy-name=bitbucket server name
server.additional-connector.1.redirect-port=443
server.additional-connector.1.secure=true
server.additional-connector.1.scheme=https
server.additional-connector.1.ssl.enabled=true
server.additional-connector.1.ssl.client-auth=want
server.additional-connector.1.ssl.protocol=TLSv1.2
server.additional-connector.1.ssl.key-store=C:\\keystore\\stash
server.additional-connector.1.ssl.key-store-password=password value
I am receiving the following error in the Bitbucket logs:
2018-04-25 15:33:18,536 ERROR [Caesium-1-2] c.a.c.d.DbCachingDirectoryPoller Error occurred while refreshing the cache for directory [ 10125313 ].
com.atlassian.crowd.exception.OperationFailedException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.atlassian.crowd.integration.rest.service.RestExecutor$MethodExecutor.andReceive(RestExecutor.java:425)
at com.atlassian.crowd.integration.rest.service.RestCrowdClient.searchUsers(RestCrowdClient.java:625)
at com.atlassian.crowd.directory.RemoteCrowdDirectory.searchUsers(RemoteCrowdDirectory.java:401)
at com.atlassian.crowd.directory.ldap.cache.RemoteDirectoryCacheRefresher.findAllRemoteUsers(RemoteDirectoryCacheRefresher.java:57)
at com.atlassian.crowd.directory.ldap.cache.RemoteDirectoryCacheRefresher.synchroniseAllUsers(RemoteDirectoryCacheRefresher.java:100)
at com.atlassian.crowd.directory.ldap.cache.AbstractCacheRefresher.synchroniseAll(AbstractCacheRefresher.java:49)
at com.atlassian.crowd.directory.ldap.cache.EventTokenChangedCacheRefresher.synchroniseAll(EventTokenChangedCacheRefresher.java:71)
at com.atlassian.crowd.directory.DbCachingRemoteDirectory.synchroniseCache(DbCachingRemoteDirectory.java:1182)
at com.atlassian.crowd.manager.directory.DirectorySynchroniserImpl.synchronise(DirectorySynchroniserImpl.java:78)
at com.atlassian.crowd.directory.DbCachingDirectoryPoller.pollChanges(DbCachingDirectoryPoller.java:50)
at com.atlassian.crowd.manager.directory.monitor.poller.DirectoryPollerJobRunner.runJob(DirectoryPollerJobRunner.java:96)
at com.atlassian.scheduler.core.JobLauncher.runJob(JobLauncher.java:153)
at com.atlassian.scheduler.core.JobLauncher.launchAndBuildResponse(JobLauncher.java:118)
at com.atlassian.scheduler.core.JobLauncher.launch(JobLauncher.java:97)
at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.launchJob(CaesiumSchedulerService.java:443)
at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.executeClusteredJob(CaesiumSchedulerService.java:438)
at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.executeClusteredJobWithRecoveryGuard(CaesiumSchedulerService.java:462)
at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService.executeQueuedJob(CaesiumSchedulerService.java:390)
at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService$1.consume(CaesiumSchedulerService.java:285)
at com.atlassian.scheduler.caesium.impl.CaesiumSchedulerService$1.consume(CaesiumSchedulerService.java:282)
at com.atlassian.scheduler.caesium.impl.SchedulerQueueWorker.executeJob(SchedulerQueueWorker.java:65)
at com.atlassian.scheduler.caesium.impl.SchedulerQueueWorker.executeNextJob(SchedulerQueueWorker.java:59)
at com.atlassian.scheduler.caesium.impl.SchedulerQueueWorker.run(SchedulerQueueWorker.java:34)
at java.lang.Thread.run(Thread.java:745)
... 13 frames trimmed
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
Thanks
Hi @Leena Bakshi,
Can you try to replace the current configuration with the following?
server.additional-connector.1.port=443
server.additional-connector.1.ssl.enabled=true
server.additional-connector.1.ssl.key-store=/path/to/keystore/bitbucket.jks
server.additional-connector.1.ssl.key-store-password=<password value>
This will keep the 7990 port available for http connections and the 443 one for https ones.
If this does not work, please review the options on the "Securing Bitbucket Server with Tomcat using SSL" and "Proxying and securing Bitbucket Server" pages and let us know which is the current proxy setup that is in place.
The "PKIX path building failed" error is related to the connection to the user directory (it could be Crowd or Jira but also LDAP) and is discussed in the "Unable to Connect to SSL Services due to PKIX Path Building Failed" article.
Cheers,
Caterina
Hello Caterina,
After taking out the "server.additional-connector.1." entries completely from the bitbucket.properties file, the following configuration has worked for me and I am able to access Bitbucket on https now:
server.port=443
server.ssl.enabled=true
server.ssl.key-store=C:/keystore/stash.jks
server.ssl.key-store-password= xxxxxxxxxxxx
server.ssl.key-password=xxxxxxxxxxxx
server.ssl.key-alias=stash
However, now I am not able to integrate Jira with Bitbucket and am receiving the same error when trying to add the user directory of JIRA in Bitbucket.
"Connection test failed. Response from the server:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
Any ideas/suggestions?
Thank you
Hi @Leena Bakshi,
Great news about being able to connect using https.
Have you tried following the steps on the Unable to Connect to SSL Services due to PKIX Path Building Failed article to address this?
As a first step, let's try to verify the connectivity using the SSLPoke class available on the article.
Cheers,
Caterina - Atlassian
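A connectivity check in the same spirit as the one suggested above, as an added example: it is not the SSLPoke class from the article and not code from anyone in this thread. The class name `TrustCheck` and its host/port arguments are assumptions; it attempts a TLS handshake against the JVM's default trust store and lists the certificates the server presented, so the missing issuer can be identified.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
// Hypothetical helper: does this JVM's trust store accept the server's certificate chain?
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java TrustCheck <host> <port>");
            System.exit(2);
        }
        // A null KeyStore selects the JVM default trust store
        // (cacerts, or the file named by -Djavax.net.ssl.trustStore).
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        final X509TrustManager jvmDefault = (X509TrustManager) tmf.getTrustManagers()[0];
        final X509Certificate[][] seen = new X509Certificate[1][];
        // Records the presented chain, then defers to the default manager, so an
        // untrusted chain is still rejected exactly as the application would reject it.
        X509TrustManager recording = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                seen[0] = chain;
                jvmDefault.checkServerTrusted(chain, authType);
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                jvmDefault.checkClientTrusted(chain, authType);
            }
            public X509Certificate[] getAcceptedIssuers() {
                return jvmDefault.getAcceptedIssuers();
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recording }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                .createSocket(args[0], Integer.parseInt(args[1]))) {
            s.startHandshake();
            System.out.println("Handshake OK: chain is trusted by this JVM");
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake FAILED: " + e.getMessage());
        }
        // Subject and issuer of each presented certificate show which CA the trust store lacks.
        for (int i = 0; seen[0] != null && i < seen[0].length; i++) {
            System.out.println(i + " subject=" + seen[0][i].getSubjectX500Principal()
                + " issuer=" + seen[0][i].getIssuerX500Principal());
        }
    }
}
```

Run it with the same JVM, and the same `-Djavax.net.ssl.trustStore` setting if one is used, that starts Bitbucket; otherwise it consults a different trust store than the application does.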
Hi Caterina,
This issue stands resolved now. We forgot to add the certificate to the Java startup and after adding it, I could discover Jira just fine and now both the applications are linked.
Thanks for following up.