Webhook source IP not in published list

Mattias.Sjostrom September 8, 2021

Hello, we've configured a webhook in a bitbucket cloud repo to call our on-prem jenkins instance. We've exposed the webhook endpoint using a whitelist for source IPs taken from https://support.atlassian.com/organization-administration/docs/ip-addresses-and-domains-for-atlassian-cloud-products/#AtlassiancloudIPrangesanddomains-OutgoingConnections - the "subset of ranges" in the doc.

The integration is not working; the webhook requests report a "connection timed out" and "X-Squid-Error ERR_CONNECT_FAIL 110". In our firewall we see incoming connection attempts correlating in time with the failed webhook delivery from these four IPs: 104.140.188.6, 89.248.165.201, 89.246.165.104 and 39.184.152.161. We can't easily tell if they are webhook deliveries as the initial connection attempts are dropped.

As far as I can tell, these addresses aren't covered by the more extensive list at https://ip-ranges.atlassian.com/ either.

What are we missing here?
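A check for the first half of the question (does a source IP seen on the firewall fall inside the published ranges?), added here as an example; it is not code from the thread or from Atlassian. The CIDR arithmetic is plain POSIX sh and handles IPv4 only (the published list also contains IPv6 ranges). The sample ranges are RFC 5737 documentation prefixes constructed for this example, not Atlassian's; the jq filter in the comment assumes the field names (items, cidr, direction) that https://ip-ranges.atlassian.com/ used at the time of writing.

```shell
#!/bin/sh
# Added example (not code from the thread or from Atlassian): check whether a
# source IP logged by the firewall lies inside a list of CIDR ranges such as
# the egress ranges published at https://ip-ranges.atlassian.com/.
# IPv4 only, and no JSON parsing here: feed it the CIDRs as words, e.g.
#   curl -s https://ip-ranges.atlassian.com/ \
#     | jq -r '.items[] | select(any(.direction[]; . == "egress")) | .cidr'
# (assumes the JSON shape at the time of writing: items carrying "cidr" and
# "direction"; check the file if the fields have changed).
set -eu

# Dotted quad -> unsigned 32-bit integer, e.g. 203.0.113.7 -> 3405803783.
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr <ip> <cidr>: exit status 0 when <ip> lies inside <cidr>.
ip_in_cidr() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# ip_in_ranges <ip> <cidr>...: prints the first matching range; status 1 if none.
ip_in_ranges() {
  ip=$1; shift
  for cidr in "$@"; do
    if ip_in_cidr "$ip" "$cidr"; then echo "$cidr"; return 0; fi
  done
  return 1
}

# Constructed sample allowlist built from RFC 5737 documentation prefixes.
# These are NOT Atlassian's ranges; replace with the jq output above.
SAMPLE_RANGES="203.0.113.0/24 198.51.100.128/25"

# The four addresses from the question, plus one constructed address
# (203.0.113.7) that does fall inside the sample list.
for ip in 104.140.188.6 89.248.165.201 89.246.165.104 39.184.152.161 203.0.113.7; do
  if match=$(ip_in_ranges "$ip" $SAMPLE_RANGES); then
    echo "$ip: inside $match"
  else
    echo "$ip: not in any listed range"
  fi
done
```

An address that is not in any egress range is simply not an Atlassian source; unexplained connection attempts to a publicly exposed port are routine, so their timing alone is not evidence that they are the webhook deliveries.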

1 answer

1 vote
Mark C
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 14, 2021

Hi @Mattias.Sjostrom

Welcome to the community.
I checked those 4 IPs you've got; however, I couldn't find them on this list either.

For this, may I kindly ask if you feel comfortable sharing your masked repository URL here where you've added the webhook for me to further check?

You can mask it to something like this:

https://bitbucket.org/w*******e/n**e

You can provide the first and last character of your workspace and repository name.

Otherwise, I can create a support request for you.

Thanks and looking forward to your response.

Regards,
Mark C

Mattias.Sjostrom September 15, 2021

Hi Mark, 

That would work out to something like https://bitbucket.org/d******m/h****t

Thanks,

-Mattias

Mark C
Atlassian Team
September 15, 2021

Hi @Mattias.Sjostrom

Thank you for providing your masked repository URL.
I've checked your repository with our developers and we noticed the below error message in our internal logs:

unable to find valid certification path to requested target

For this, I'm suspecting that this is about the Webhook URL where it doesn't have a valid SSL certificate.
I'm afraid we don't allow an HTTPS Webhook URL with a self-signed certificate to be used on Bitbucket Cloud.
You can check out this documentation for some options.

Let me know if you have further questions that I can help with.

Regards,
Mark C

Mattias.Sjostrom September 15, 2021

Hi Mark, 

Thank you for assisting with this. We are however not using a self-signed certificate. Our webhook URL is served with a DigiCert issued certificate for a wildcard pattern under our domain.

I can only assume this is due to our server not presenting a complete certificate chain. I'll try to adjust the configuration to rectify this.

Thanks,

-Mattias

Mark C
Atlassian Team
September 15, 2021

I see. Thanks for the confirmation.
Sure, let me know how it goes.

Regards,
Mark C

Mattias.Sjostrom September 15, 2021

I added the full certificate chain to the configuration and I can see that it's served properly using openssl s_client from a whitelisted client over the Internet. 

The webhook delivery still doesn't work though.

My next hypothesis would be missing SNI support in the bitbucket webhook delivery mechanism. Unless SNI is used by the TLS client to indicate the server name, our server side will not present the correct certificate for the site. Could you offer any insight on the subject?

Thanks,

-Mattias

PS. I also validated that checking the "Skip certificate validation" box in the webhook config indeed makes the webhook deliveries successful.

Mark C
Atlassian Team
September 15, 2021

Hi @Mattias.Sjostrom

Thank you for the confirmation that checking the "Skip certificate validation" works fine.

You're correct. I'm afraid Bitbucket Cloud Webhooks do not support SNI.

We do have an existing feature request for it that can be located through this link.
Also, the feature request ticket has been closed as "Won't fix"; however, I would recommend adding your comments/suggestions there to re-open the feature request.

Right now, the best I can suggest is for you to consider other options for SSL certificates.

Let me know if you have further questions that I can help with.

Regards,
Mark C
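The two failure modes this thread works through, a server that sends its leaf certificate without the intermediate (the "unable to find valid certification path" error) and a client that sends no SNI and is therefore answered with the server's default certificate, can both be reproduced locally with openssl. The script below is an added example, not code from the thread, from Bitbucket or from Atlassian. It assumes openssl 1.1.1 or newer on PATH and free local TCP ports from 14433 upward; hook.example.test, default.example.test, Example Root and Example Intermediate are placeholder names chosen for the example.

```shell
#!/bin/sh
# Added example (not code from the thread, Bitbucket or Atlassian) reproducing
# locally the two failure modes discussed above:
#   1. the server sends its leaf certificate without the intermediate, so a
#      verifying client reports a nonzero "Verify return code";
#   2. the client sends no SNI, so it is handed the server's default
#      certificate instead of the one issued for the webhook host name.
# Assumes openssl 1.1.1+ on PATH and free TCP ports from $BASE_PORT on 127.0.0.1.
# All names, files and ports below are placeholders chosen for this example.
set -eu

BASE_PORT=${BASE_PORT:-14433}
HOOK_NAME=hook.example.test            # stands in for the webhook host name
WORK=$(mktemp -d)
SERVER_PID=""; SERVER_PORT=""; NEXT_PORT=0

cleanup() { [ -n "$SERVER_PID" ] && kill "$SERVER_PID" 2>/dev/null; rm -rf "$WORK"; }
trap cleanup EXIT

# Own config so the example does not depend on the system openssl.cnf.
cat >"$WORK/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
EOF

# Root -> intermediate -> leaf for $HOOK_NAME, plus an unrelated self-signed
# certificate that the server falls back to when no SNI is received.
make_pki() {
  q="$WORK"; c="$q/x.cnf"
  openssl req -x509 -config "$c" -extensions ca_ext -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Root" -keyout "$q/root.key" -out "$q/root.crt" >/dev/null 2>&1
  openssl req -new -config "$c" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate" -keyout "$q/int.key" -out "$q/int.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$q/int.csr" -CA "$q/root.crt" -CAkey "$q/root.key" \
    -CAcreateserial -extfile "$c" -extensions ca_ext -out "$q/int.crt" >/dev/null 2>&1
  openssl req -new -config "$c" -newkey rsa:2048 -nodes \
    -subj "/CN=$HOOK_NAME" -keyout "$q/hook.key" -out "$q/hook.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$q/hook.csr" -CA "$q/int.crt" -CAkey "$q/int.key" \
    -CAcreateserial -out "$q/hook.crt" >/dev/null 2>&1
  openssl req -x509 -config "$c" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=default.example.test" -keyout "$q/default.key" -out "$q/default.crt" >/dev/null 2>&1
}

# start_server <s_server certificate options...>: one throwaway server per port.
start_server() {
  SERVER_PORT=$((BASE_PORT + NEXT_PORT)); NEXT_PORT=$((NEXT_PORT + 1))
  openssl s_server -accept "$SERVER_PORT" -www "$@" >/dev/null 2>&1 &
  SERVER_PID=$!
  sleep 1                                 # crude, but enough for s_server to listen
}
stop_server() { kill "$SERVER_PID" 2>/dev/null || true; wait "$SERVER_PID" 2>/dev/null || true; SERVER_PID=""; }

# Chain verification against our root as s_client reports it: 0 means the
# presented chain validates, anything else is the "no valid path" failure.
verify_code() {
  openssl s_client -connect "127.0.0.1:$SERVER_PORT" -servername "$HOOK_NAME" \
    -CAfile "$WORK/root.crt" </dev/null 2>/dev/null \
    | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}
# CN of the leaf the server presents for the given SNI option
# (-servername <name> or -noservername).
presented_cn() {
  openssl s_client -connect "127.0.0.1:$SERVER_PORT" "$@" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null | sed 's/.*CN *= *//'
}

make_pki

# 1. Leaf only: the client cannot build a path from the leaf to the root.
start_server -cert "$WORK/hook.crt" -key "$WORK/hook.key"
LEAF_ONLY_CODE=$(verify_code); stop_server

# 2. Leaf plus intermediate (the "full certificate chain" fix from the thread).
start_server -cert "$WORK/hook.crt" -key "$WORK/hook.key" -cert_chain "$WORK/int.crt"
CHAIN_CODE=$(verify_code); stop_server

# 3. The webhook certificate is selected only when the client names the host
#    via SNI; a client without SNI is answered with the default certificate.
start_server -cert "$WORK/default.crt" -key "$WORK/default.key" \
  -servername "$HOOK_NAME" -cert2 "$WORK/hook.crt" -key2 "$WORK/hook.key"
CN_WITH_SNI=$(presented_cn -servername "$HOOK_NAME")
CN_WITHOUT_SNI=$(presented_cn -noservername); stop_server

echo "leaf only   : verify code ${LEAF_ONLY_CODE:-none}"
echo "with chain  : verify code ${CHAIN_CODE:-none}"
echo "with SNI    : ${CN_WITH_SNI:-none}"
echo "without SNI : ${CN_WITHOUT_SNI:-none}"
```

Against a real endpoint the same two checks are `openssl s_client -connect host:443 -servername host -showcerts` (read the "Verify return code" line and count the certificates printed) and the same command with `-noservername`, which shows what a client that sends no SNI is given. Note the cost of the workaround mentioned in the thread: with "Skip certificate validation" ticked, deliveries succeed because the endpoint's certificate is no longer checked at all, so TLS no longer authenticates the receiving server. Since the sending side sends no SNI, the durable fix is for the webhook's certificate and its full chain to be what the server presents by default, so validation can stay on.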

Mattias.Sjostrom September 16, 2021

Hi @Mark C

Thanks, I've added a comment to the feature request.

-Mattias

Mark C
Atlassian Team
September 16, 2021

Thanks for that.

Regards,
Mark C
