Webhook source IP not in published list

Hello, we've configured a webhook in a bitbucket cloud repo to call our on-prem jenkins instance. We've exposed the webhook endpoint using a whitelist for source IPs taken from https://support.atlassian.com/organization-administration/docs/ip-addresses-and-domains-for-atlassian-cloud-products/#AtlassiancloudIPrangesanddomains-OutgoingConnections - the "subset of ranges" in the doc.

 

The integration is not working, the webhook requests report a "connection timed out" and "X-Squid-Error ERR_CONNECT_FAIL 110". In our firewall we see incoming connection attempts correlating in time with the failed webhook delivery from these four IPs: 104.140.188.6, 89.248.165.201, 89.246.165.104 and 39.184.152.161. We can't easily tell if they are webhook deliveries as the initial connection attempts are dropped.

 

As far as I can tell, these addresses aren't covered by the more extensive list at https://ip-ranges.atlassian.com/ either.

 

What are we missing here?
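An added example (not part of the original post, and not Atlassian's code) of the check described above: classify source addresses from a firewall log against the published outgoing ranges. The feed field names `items`, `cidr` and `direction` are assumptions about the JSON served at ip-ranges.atlassian.com, and the sample CIDRs are constructed documentation ranges, not Atlassian's real ones.

```python
import ipaddress
import json

# Constructed sample in the assumed shape of https://ip-ranges.atlassian.com/
# ("items", "cidr", "direction" are assumed field names; the CIDRs are
# RFC 5737 / RFC 3849 documentation ranges, not real Atlassian ranges).
SAMPLE_FEED = json.dumps({"items": [
    {"cidr": "192.0.2.0/24", "direction": ["egress"]},
    {"cidr": "198.51.100.0/25", "direction": ["ingress"]},
    {"cidr": "2001:db8::/32", "direction": ["egress"]},
]})

# Source addresses reported in the post's firewall log.
OBSERVED = ["104.140.188.6", "89.248.165.201", "89.246.165.104", "39.184.152.161"]


def egress_networks(feed_json):
    """Return the networks listed as sources of the vendor's outgoing connections."""
    nets = []
    for item in json.loads(feed_json).get("items", []):
        if "egress" in item.get("direction", []):
            nets.append(ipaddress.ip_network(item["cidr"], strict=False))
    return nets


def classify(sources, networks):
    """Map each source IP to the covering CIDR (as a string), or None if uncovered."""
    result = {}
    for src in sources:
        addr = ipaddress.ip_address(src)
        match = next((n for n in networks
                      if addr.version == n.version and addr in n), None)
        result[src] = str(match) if match else None
    return result


if __name__ == "__main__":
    nets = egress_networks(SAMPLE_FEED)
    for ip, cidr in classify(OBSERVED + ["192.0.2.77"], nets).items():
        print(f"{ip:16} {'allowed by ' + cidr if cidr else 'NOT in published egress ranges'}")
```

Run against the live feed, a source that maps to no range is not a delivery from the published outgoing ranges and should stay blocked.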

1 answer

1 vote
Mark C Atlassian Team Sep 14, 2021

Hi @Mattias.Sjostrom

Welcome to the community.
I checked those 4 IPs you've got; however, I couldn't find them on this list either.

For this, may I kindly ask if you feel comfortable sharing your masked repository URL here where you've added the webhook for me to further check?

You can mask it to something like this:

https://bitbucket.org/w*******e/n**e

You can provide the first and last character of your workspace and repository name.

Otherwise, I can create a support request for you.

Thanks and looking forward to your response.

Regards,
Mark C

Hi Mark, 

That would work out to something like https://bitbucket.org/d******m/h****t

 

Thanks,

-Mattias

Mark C Atlassian Team Sep 15, 2021

Hi @Mattias.Sjostrom

Thank you for providing your masked repository URL.
I've checked your repository with our developers and we noticed the below error message in our internal logs:

unable to find valid certification path to requested target

For this, I'm suspecting that this is about the Webhook URL where it doesn't have a valid SSL certificate.
I'm afraid we don't allow an HTTPS Webhook URL with a self-signed certificate to be used on Bitbucket Cloud.
You can check out this documentation for some options.

Let me know if you have further questions that I can help with.

Regards,
Mark C

Hi Mark, 

Thank you for assisting with this. We are however not using a self-signed certificate. Our webhook URL is served with a DigiCert issued certificate for a wildcard pattern under our domain.

I can only assume this is due to our server not presenting a complete certificate chain. I'll try to adjust the configuration to rectify this.

 

Thanks,

-Mattias

Mark C Atlassian Team Sep 15, 2021

I see. Thanks for the confirmation.
Sure, let me know how it goes.

Regards,
Mark C

I added the full certificate chain to the configuration and I can see that it's served properly using openssl s_client from a whitelisted client over the Internet. 

The webhook delivery still doesn't work though.

 

My next hypothesis would be missing SNI support in the bitbucket webhook delivery mechanism. Unless SNI is used by the TLS client to indicate the server name, our server side will not present the correct certificate for the site. Could you offer any insight on the subject?

 

Thanks,

-Mattias

 

PS. I also validated that checking the "Skip certificate validation" box in the webhook config indeed makes the webhook deliveries successful.

Mark C Atlassian Team Sep 15, 2021

Hi @Mattias.Sjostrom

Thank you for the confirmation that checking the "Skip certificate validation" works fine.

You're correct. I'm afraid Bitbucket Cloud Webhooks does not support SNI.

We do have an existing feature request for it that can be located through this link.
Also, the feature request ticket has been closed as "Won't fix", however, I would recommend adding our comments/suggestions there to re-open the feature request.

Right now, the best I can suggest is for you to consider other options for SSL certificates.

Let me know if you have further questions that I can help with.

Regards,
Mark C

Hi @Mark C 

 

Thanks, I've added a comment to the feature request.

 

-Mattias

Mark C Atlassian Team Sep 16, 2021

Thanks for that.

Regards,
Mark C
