Bitbucket SSL Config For PKS File

Rob Ables July 23, 2018

We have had Bitbucket running on SSL with a self-signed cert.  The properties file pointed to the jks keystore that had the cert in it. 

Now we have a purchased wildcard cert to use, and we are having trouble updating the properties file to work with the PFX file directly.  We have no issues with Jira using that PFX file, but it is doing it via the older style XML config.

Here is what we have in the properties file that is failing.  What are we missing, or have wrong?

server.port=8443
server.ssl.enabled=true
#server.ssl.key-store=e:/keystore/stash.jks
server.ssl.key-store-type=pkcs12
server.ssl.key-store=e:/ssl/healthsmart_wildcard_2017_cert.pfx
server.ssl.key-store-password=******
server.ssl.key-password=******
server.ssl.protocol=TLS


Thanks in advance.

Rob

Answer accepted
Rodrigo M
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 23, 2018

Hello Rob!

Please take a look at the Securing Bitbucket Server with Tomcat using SSL documentation in order to set the new SSL cert.

Also, be sure to include all needed parameters in bitbucket.properties in order to set the new SSL certificate. For example, you may want to include the server.ssl.key-alias of the certificate if the alias is anything different from its standard value, which is tomcat.

If the issue still occurs, would you mind sharing with us any SSL errors that Bitbucket may generate when starting the application?
This way we would have more information about the issue and what's going on behind the scenes.

Regards
Rodrigo

Rob Ables July 23, 2018

Hey Rodrigo!

Thank you for the reply.  I have read through the article (prior to posting this as well).  We didn't have the server.ssl.key-alias entry in there, and that could be the issue.  However, the PFX cert doesn't contain an alias as it was just directly issued by the CA.  Should I specify that entry in the file with a blank in that scenario?

The log file is very vague on startup fail:

2018-07-23 10:40:20 Commons Daemon procrun stderr initialized
Exception in thread "main" nTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48)
at org.springframework.boot.loader.Launcher.launch(Launcher.java:87)
at com.atlassian.bitbucket.internal.launcher.BitbucketServerLauncher.start(BitbucketServerLauncher.java:151)
at com.atlassian.bitbucket.internal.launcher.BitbucketServerLauncher.main(BitbucketServerLauncher.java:99)
Caused by: org.springframework.boot.context.embedded.tomcat.ConnectorStartFailedException: Connector configured to listen on port 8443 failed to start
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.checkThatConnectorsHaveStarted(TomcatEmbeddedServletContainer.java:222)
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.start(TomcatEmbeddedServletContainer.java:198)
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.startEmbeddedServletContainer(EmbeddedWebApplicationContext.java:297)
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.finishRefresh(EmbeddedWebApplicationContext.java:145)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:546)
at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122)
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:693)
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:360)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:303)
at com.atlassian.bitbucket.internal.boot.BitbucketServerApplication.start(BitbucketServerApplication.java:247)
at com.atlassian.bitbucket.internal.boot.BitbucketServerApplication.main(BitbucketServerApplication.java:83)

Thank you,

Rob

Rodrigo M
Atlassian Team
July 23, 2018

Hey Bob

Can you confirm which log file you shared? The errors we are looking for are probably being written to the BITBUCKET_HOME/log/atlassian-bitbucket.log file.

Regards
Rodrigo

Rob Ables July 23, 2018

Rodrigo,


Thanks for pointing that out. There are two log file folders, Logs and Log. In reviewing the new file, I found that the service was being denied access to the new PFX cert file. I corrected that issue, and now it is telling me that the alias does not identify a key entry. I have tried leaving the server.ssl.key-alias= entry blank, and entering the wildcard cert's domain in there. There is no alias I can see for this cert. How can you specify that?

"java.io.IOException: Alias name [*.healthsmart.com] does not identify a key entry"

Thanks,

Rob

Rob Ables July 23, 2018

*Update* I found the alias name by running keytool -list -v on the PFX file. It was just a numeric digit.

The service started up now, and is working now with the new PFX cert file.

Thank you for your assistance!

Rodrigo M
Atlassian Team
July 23, 2018

Hey Rob

Good to know we found and fixed the issue!

Cheers,

Rodrigo

James Aker
I'm New Here
December 9, 2019

The proper command is keytool -v -list -keystore <FileName>.pfx. Below are the lines appended to bitbucket.properties that work on RHEL servers:
server.port=7990
server.ssl.enabled=true
server.scheme=https
server.ssl.key-store-type=pkcs12
server.ssl.key-store=/<DirectoryName>/<FileName>.pfx
server.ssl.key-store-password=XXXXX
server.ssl.key-password=XXXXXXXX
server.ssl.key-alias=1
server.ssl.protocol=TLS

The certificate I use is a wildcard issued from Sectigo (formerly Comodo) and was converted to pfx format using the command below.

openssl pkcs12 -export -in <yourdomain_from ca>.crt -inkey <you_used_for_CSR>.key -certfile STAR_<yourdomain>.ca-bundle -out <filename>.pfx
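As an added example (not Atlassian's or Tomcat's code, and not posted by anyone in this thread), a small Java program that opens the .pfx with the same PKCS12 KeyStore type bitbucket.properties selects and prints the aliases that actually hold a private key, which is what server.ssl.key-alias must name. A .pfx exported with openssl pkcs12 -export and no -name carries no friendlyName, and the Java keystore then labels that entry with a counter, which is why the alias turned out to be 1 in the posts above. The file path is assumed to be the first argument and the password is prompted for on the console.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Reports which aliases in a .pfx file name a private key (usable as server.ssl.key-alias). */
public class PfxAliasCheck {

    /** Loads the file with the same KeyStore type bitbucket.properties selects (pkcs12). */
    public static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Aliases that hold a private key; certificate-only entries are left out. */
    public static List<String> keyAliases(KeyStore ks) throws Exception {
        List<String> result = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {   // the same test Tomcat applies at startup
                result.add(alias);
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length < 1 || console == null) {
            System.err.println("usage: java PfxAliasCheck <file.pfx> [alias]  (run from a terminal)");
            System.exit(2);
        }
        // Prompt for the password so it never appears in the process list or shell history.
        KeyStore ks = load(args[0], console.readPassword("Keystore password: "));
        System.out.println("Key entries (valid for server.ssl.key-alias): " + keyAliases(ks));
        // An alias that names a certificate-only entry, or no entry at all, fails the
        // same way the "*.healthsmart.com" attempt did in the log quoted above.
        if (args.length > 1 && !ks.isKeyEntry(args[1])) {
            System.err.println("Alias name [" + args[1] + "] does not identify a key entry");
            System.exit(1);
        }
    }
}
```

Running it with the alias you intend to put in server.ssl.key-alias as the second argument reproduces the startup check before restarting Bitbucket.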
