I was able to get this to work by adding the self signed cert to the java keystore on the server.

This is the correct link for testing with SSLPoke to confirm it's a cert issue: https://confluence.atlassian.com/display/KB/Unable+to+Connect+to+SSL+Services+due+to+PKIX+Path+Building+Failed

Then it has a link to the resolution on the page that it goes to here: (command line section)

https://confluence.atlassian.com/jira/connecting-to-ssl-services-117455.html#ConnectingtoSSLservices-commandline

cliff notes version for Linux:

1) openssl s_client -connect yourserver.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt

2) <JAVA_HOME>/bin/keytool -import -alias <server_name> -keystore <JAVA_HOME>/jre/lib/security/cacerts -file public.crt

- I used my full server name as the <alias> field

- default java keystore password is "changeit" if prompted

You'll also need to ensure that you put the cert it has you save into the correct cacerts directory. I had multiple so make sure that you verify which one your server is setup to use.

Hi,

Yes I'm using a self-signed certificate on Stash.

Regarding the contents of the KB my server does not have a domain name so I always access it using its IP.

I've created a new certificate for "localhost" with the IP as an alternative name and I get the second error mentioned in the KB: PKIX path building failed etc.

Following the instructions in the second KB I got it to work. Thanks for the documentation Thiago!

Best Regards,

Pierre

I'm having the same problem that Pierre is having with the backup-client failing with https.  I get the same error:

[root@dev001 backup]# ./backup-stash.sh

2015-01-22 11:12:42,803 INFO Initializing
2015-01-22 11:12:44,863 ERROR A backup could not be created. Reason: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

org.apache.wink.client.ClientRuntimeException: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
 at org.apache.wink.client.internal.ResourceImpl.invoke(ResourceImpl.java:241) ~[wink-client-1.4.jar:1.4]
 at org.apache.wink.client.internal.ResourceImpl.invoke(ResourceImpl.java:189) ~[wink-client-1.4.jar:1.4]
 ... 17 more frames available in the log file

however, we cannot turn on http access again.  HOW can we backup stash through SSL?

Hi Thiago,

Regarding my first question I corrected my mistake.

Regarding the second question I think it's something else. I think my instance is definitely up and running, since I can log in to it and view the repositories. However I'm not accessing it from http://<the server IP>:7990 but from https://<the server IP>:8443 since I have enabled HTTPS and disabled regular HTTP.

I do get the exact same error message if I stop the Stash service.

If I set the stash.baseUrl property to https://localhost:8443 I get a different error message :

ERROR A backup could not be created. Reason: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching localhost found

It seems logical to me that "no name matching localhost" is found since the subject name of the SSL certificate is the server IP.

I tried something different: I re-enabled the HTTP connector in stash/3.5.1/conf/server.xml and restarted Stash. Accessing Stash using HTTP on port 7990 works again. Now the Backup Client works.  

But I don't want to leave HTTP enabled so I would like to have the Backup Client working with HTTPS if possible.

Best Regards,

Pierre

Hi Pierre,

"Stash is run by the user `atlstash` which was created by the installer. What is this user's password? I need to write it to the `stash.password` property"

Answer: as described on Using the Stash Backup Client, the values you need to insert into stash.user and stash.password are related to the user with administrative privileges on your Stash instance (i.e. admin user/password that you use to login to the Stash UI).

In regards to your second question:

The exception below:

A backup could not be created. Reason: Unable to connect to localhost:7990; nested exception is java.net.ConnectException: Connection refused

Means you didn't have your instance up and running at the time. Stash needs to be up and running so the backup client can back it up.

I hope that helps.

Best regards,
Thiago Bomfim
Atlassian Support