How to enable SSL on Bitbucket (CentOS 7)

In this short tutorial I will go through how to enable SSL (HTTPS) for Bitbucket on CentOS 7.

Atlassian applications can be served over SSL across the product range, but Atlassian support does not cover the configuration of third-party software such as the web server in front of them. There are many useful articles on the Atlassian website on this subject, but it is messy and hard to follow a single one from A to Z, especially on CentOS 7, which does not ship the required recent Apache release by default.

There are a few different ways to do this; I will use the Apache web server as a reverse proxy. Apache terminates HTTPS on port 443 and Bitbucket stays on plain HTTP on its own port (8060 here), which only the proxy needs to reach.

You need to have Bitbucket installed and working to continue with this tutorial. If you don't have Bitbucket yet, you can set it up by following my other post: how to install Atlassian Bitbucket on CentOS 7

Environment

  • OS: CentOS 7.3
  • Apache web server: 2.4.18 (installed from the Software Collections (SCL) repository)
  • Bitbucket: 4.12.1
  • PostgreSQL: 9.2.18

Install Dependencies

sudo yum -y update
sudo yum -y install centos-release-scl-rh 
sudo yum -y install httpd24-httpd httpd24-mod_ssl httpd24-mod_proxy_html

Prepare SSL certificate

Get your certificate and private key files from the certificate authority and copy them into a directory on your machine.
For example:

/etc/ssl/certs/yourdomain_cert.crt
/etc/ssl/private/yourdomain_key.key

Make sure root owns them and that the private key is readable only by root. Apache opens the key as root before it drops privileges, so mode 600 is enough; the certificate itself is public and can stay world-readable. (Mode 300, as sometimes suggested, removes the read bit, and httpd would then fail to load the files at all.)

sudo chown root:root /etc/ssl/certs/yourdomain_cert.crt /etc/ssl/private/yourdomain_key.key
sudo chmod 644 /etc/ssl/certs/yourdomain_cert.crt
sudo chmod 700 /etc/ssl/private
sudo chmod 600 /etc/ssl/private/yourdomain_key.key
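Before pointing Apache at the files it is worth confirming that the certificate and key actually belong together and that the certificate is not about to expire, since a mismatched pair is the usual reason httpd refuses to start after this step. The following helpers are an added example, not part of the original post: they compare the public key inside the certificate with the private key, report days until expiry, and install the pair with the permissions described above. They assume a Linux host with openssl and GNU coreutils; the file names and the /etc/ssl layout are placeholders, and the throwaway self-signed pair is constructed only so the functions can be tried out.

```shell
# Added example (not from the original post). Assumes openssl + GNU coreutils.

# Return 0 when the public key in the certificate matches the private key,
# 1 on mismatch, 2 if either file cannot be parsed.
cert_key_match() {
    local crt="$1" key="$2"
    local crt_pub key_pub
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Whole days until the certificate's notAfter date (negative once expired).
cert_days_left() {
    local crt="$1" not_after
    not_after=$(openssl x509 -in "$crt" -noout -enddate | sed 's/^notAfter=//')
    echo $(( ( $(date -d "$not_after" +%s) - $(date +%s) ) / 86400 ))
}

# Copy the pair into DEST (default /etc/ssl): certificate world-readable,
# key directory and key readable by root only. Run with sudo for the real
# paths so the files are owned by root. Refuses to install a mismatched pair.
install_tls_pair() {
    local crt="$1" key="$2" dest="${3:-/etc/ssl}"
    cert_key_match "$crt" "$key" || { echo "certificate and key do not match" >&2; return 1; }
    install -d -m 0755 "$dest/certs"
    install -d -m 0700 "$dest/private"
    install -m 0644 "$crt" "$dest/certs/$(basename "$crt")"
    install -m 0600 "$key" "$dest/private/$(basename "$key")"
}

# Constructed test input: a throwaway self-signed pair valid for 30 days.
make_throwaway_pair() {
    local dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=bitbucket.yourdomain.com" \
        -keyout "$dir/test.key" -out "$dir/test.crt" 2>/dev/null
}

# Usage for the real files (as root):
#   install_tls_pair yourdomain_cert.crt yourdomain_key.key /etc/ssl
```

Run cert_days_left against the installed certificate from a cron job as well; a renewal that lands after expiry breaks both the browser and the Java trust-store step later in this post.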

Set-up Apache

sudo mkdir /opt/rh/httpd24/root/var/www/bitbucket
sudo vim /opt/rh/httpd24/root/etc/httpd/conf.d/bitbucket.conf
    <VirtualHost *:443 >           
        ServerName bitbucket.yourdomain.com
        ErrorLog /opt/rh/httpd24/root/var/www/bitbucket/error.log
        CustomLog /opt/rh/httpd24/root/var/www/bitbucket/requests.log combined
        ProxyRequests Off   
        #       ProxyPreserveHost On   
        #       ProxyVia Off
        <Proxy *>
            Require all granted
        </Proxy>
        ProxyPass / http://bitbucket.yourdomain.com:8060/
        ProxyPassReverse / http://bitbucket.yourdomain.com:8060/
        SSLEngine On
        SSLCertificateFile /etc/ssl/certs/yourdomain_cert.crt
        SSLCertificateKeyFile /etc/ssl/private/yourdomain_key.key
    </VirtualHost>


    <VirtualHost *:80>
        ServerName bitbucket.yourdomain.com
        Redirect Permanent / https://bitbucket.yourdomain.com/
    </VirtualHost>
sudo systemctl enable httpd24-httpd
sudo systemctl restart httpd24-httpd
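The vhost above works, but it leaves mod_ssl's defaults in place (SSLv3 and old TLS versions stay negotiable), reaches the back end through the public host name, and keeps the private key next to the public certificate. The script below is an added example, not the original post's configuration: render_vhost prints a hardened version of the same two vhosts, and audit_vhost_conf checks an existing bitbucket.conf for those points, with weak_vhost_sample as a constructed "before" in the shape of the config above. It assumes Apache 2.4 with mod_ssl, mod_proxy and mod_headers loaded (the SCL httpd24 package does so by default) and that Bitbucket runs on the same host as Apache, which is why the back end is 127.0.0.1; host name, port and certificate paths are placeholders.

```shell
# Added example (not from the original post). Assumes Apache 2.4 with
# mod_ssl, mod_proxy and mod_headers; Bitbucket on the same host.

# Print an 80 -> 443 redirect plus a TLS-terminating vhost proxying to loopback.
# Arguments: server name, Bitbucket port, certificate file, key file.
render_vhost() {
    local host="$1" port="$2" crt="$3" key="$4"
    cat <<EOF
<VirtualHost *:80>
    ServerName $host
    Redirect permanent / https://$host/
</VirtualHost>

<VirtualHost *:443>
    ServerName $host
    # Relative to ServerRoot: the logs/ link, which SELinux already labels for httpd.
    ErrorLog logs/${host}_error.log
    CustomLog logs/${host}_access.log combined

    SSLEngine on
    SSLCertificateFile $crt
    SSLCertificateKeyFile $key
    # TLS 1.2 only; relax (-TLSv1.1) if very old git clients must still clone.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    # Tells browsers to refuse plain HTTP for a year; add only once HTTPS works.
    Header always set Strict-Transport-Security "max-age=31536000"

    ProxyRequests off
    ProxyPreserveHost on
    <Proxy *>
        Require all granted
    </Proxy>
    # Loopback: the back end is never reached via a public address.
    ProxyPass / http://127.0.0.1:$port/
    ProxyPassReverse / http://127.0.0.1:$port/
</VirtualHost>
EOF
}

# Audit a vhost file. Prints one finding per line; returns 1 if any, else 0.
audit_vhost_conf() {
    local conf="$1" rc=0
    finding() { echo "$conf: $1"; rc=1; }
    if ! grep -qiE '^[[:space:]]*SSLProtocol' "$conf"; then
        finding "no SSLProtocol line, so SSLv3 stays enabled"
    elif ! grep -qiE '^[[:space:]]*SSLProtocol.*-SSLv3' "$conf"; then
        finding "SSLProtocol does not exclude SSLv3"
    fi
    grep -qiE '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security' "$conf" \
        || finding "no Strict-Transport-Security header"
    grep -qiE '^[[:space:]]*SSLCertificateKeyFile[[:space:]]+/etc/ssl/certs/' "$conf" \
        && finding "private key lives in the public certs directory"
    if grep -iE '^[[:space:]]*ProxyPass(Reverse)?[[:space:]]+/[[:space:]]+http://' "$conf" \
        | grep -vqE 'http://(127\.0\.0\.1|localhost)[:/]'; then
        finding "backend is reached through a non-loopback address"
    fi
    grep -qiE '^[[:space:]]*ProxyRequests[[:space:]]+off' "$conf" \
        || finding "ProxyRequests is not off (Apache would be an open forward proxy)"
    return $rc
}

# Constructed sample in the shape of the vhost shown in the post ("before").
weak_vhost_sample() {
    cat <<'EOF'
<VirtualHost *:443>
    ServerName bitbucket.yourdomain.com
    ProxyRequests Off
    <Proxy *>
        Require all granted
    </Proxy>
    ProxyPass / http://bitbucket.yourdomain.com:8060/
    ProxyPassReverse / http://bitbucket.yourdomain.com:8060/
    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/yourdomain_cert.crt
    SSLCertificateKeyFile /etc/ssl/certs/yourdomain_cert.key
</VirtualHost>
EOF
}
```

Usage: `render_vhost bitbucket.yourdomain.com 8060 /etc/ssl/certs/yourdomain_cert.crt /etc/ssl/private/yourdomain_key.key > /opt/rh/httpd24/root/etc/httpd/conf.d/bitbucket.conf`, then `audit_vhost_conf` on the file before restarting httpd24-httpd. Run the audit against the config from the post to see the four findings it produces.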

If SELinux is enforcing, httpd24 may refuse to start, or start but fail to reach Bitbucket. Look at what is actually being denied before switching SELinux off: a common cause of the start failure is writing the log files under /var/www, which the policy typically labels as static web content that httpd may not write to (keeping the logs under the ServerRoot's logs/ directory avoids that), and the proxy connection to port 8060 stays blocked until the httpd_can_network_connect boolean is enabled with setsebool -P httpd_can_network_connect on. Denials are recorded in the audit log (ausearch -m avc -ts recent).

If you still prefer to switch SELinux off, set the mode to permissive or disabled by editing the file below. You need to reboot the server for the change to take effect.

 sudo vim /etc/sysconfig/selinux

Change SELINUX from enforcing to disabled or permissive. Permissive mode only logs what would have been denied, which also makes it a quick way to find out which of the two causes above applies. For more details on SELinux refer to: An introduction to SELinux on CentOS 7

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Set-up Bitbucket

sudo vim /var/atlassian/application-data/bitbucket/shared/server.xml

Note: for Bitbucket the server.xml file lives in the home (data) directory, unlike other Atlassian products, where it lives in the installation directory.

Update the connector to look like the lines below. The proxyName, proxyPort, scheme and secure attributes tell Tomcat that clients reach it through https://bitbucket.yourdomain.com:443, so the URLs it generates point at Apache rather than at port 8060. If Apache and Bitbucket run on the same host you can additionally set address="127.0.0.1" on the connector so it only listens on loopback, independently of the firewall:

         <Connector port="8060"
                  maxThreads="150"
                  minSpareThreads="25"
                  connectionTimeout="20000"
                  compression="on"                 
                  compressableMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,application/x-javascript"
                  enableLookups="false"
                  maxHttpHeaderSize="8192"
                  protocol="HTTP/1.1"
                  useBodyEncodingForURI="true"
                  redirectPort="443"
                  acceptCount="100"
                  disableUploadTimeout="true"
                  bindOnInit="false"
                  proxyName="bitbucket.yourdomain.com"
                  proxyPort="443"
                  secure="true"
                  scheme="https"
          />

Add certificate keys to the Bitbucket keystore

If you have followed the steps up to here, you should be able to reach Bitbucket through the https address. However, Bitbucket may complain that it cannot reach its own base URL from the back end. Bitbucket's bundled JRE has its own trust store (cacerts), and the connection is rejected whenever that store has no CA that validates the chain Apache presents. That is the case for a certificate from a private or internal CA, and also for a public CA when Apache serves the leaf certificate without its intermediate(s). Check the chain first with openssl s_client (look at the "Verify return code" line): a missing intermediate should be fixed in Apache, by appending the intermediate certificates to the certificate file or pointing SSLCertificateChainFile at them, rather than by pinning the leaf in the keystore.

If the certificate really does need to be trusted explicitly, follow these steps to add it to the trust store of Bitbucket's bundled JRE.

cd ~
# dump the chain Apache presents; -servername makes the request look like a browser's (SNI).
# The sed keeps every PEM block, but keytool below imports only the first one (the leaf).
openssl s_client -connect bitbucket.yourdomain.com:443 -servername bitbucket.yourdomain.com < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
sudo /opt/atlassian/bitbucket/4.12.1/jre/bin/keytool -import -alias bitbucket.yourdomain.com -keystore /opt/atlassian/bitbucket/4.12.1/jre/lib/security/cacerts -file public.crt

Enter ‘changeit‘ as the keystore password (the default for a JRE's cacerts file) and confirm the import. Because the trust store is part of the bundled JRE, a Bitbucket upgrade ships a fresh copy and the import has to be repeated; it also has to be repeated at every certificate renewal if you import the leaf rather than the issuing CA.

sudo systemctl restart atlbitbucket
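The public.crt produced by the s_client command above usually contains more than one certificate (the leaf followed by whatever intermediates Apache sends), and keytool imports only the first of them. The helpers below are an added example, not part of the original post: they split a PEM bundle into single certificates, show which is the leaf and which are CAs, run the same chain verification Java will do, and import the CA certificates rather than the leaf, so the trust survives certificate renewals. They assume openssl on the host; the keytool and cacerts paths are the ones from this post, and the throwaway private CA plus leaf is constructed only to exercise the functions offline.

```shell
# Added example (not from the original post). Assumes openssl; keytool
# path is the bundled Bitbucket JRE from the post.

# Split a PEM bundle into chain-1.pem, chain-2.pem, ... in $2 (leaf first,
# as s_client prints them). Prints the number of certificates written.
pem_split() {
    local bundle="$1" outdir="$2"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/chain-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }' "$bundle"
}

# One line per certificate: subject, issuer, and whether it is self-signed.
pem_chain_info() {
    local f subj iss
    for f in "$@"; do
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
        if [ "$subj" = "$iss" ]; then
            echo "$f: $subj (self-signed/root)"
        else
            echo "$f: $subj issued by $iss"
        fi
    done
}

# Verify the leaf against the remaining files used as trust anchors.
# A failure here means the chain served by Apache is incomplete: fix that
# in the vhost before touching cacerts.
chain_verify() {
    local leaf="$1"; shift
    local cafile rc
    cafile=$(mktemp)
    cat "$@" > "$cafile"
    if openssl verify -CAfile "$cafile" "$leaf" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$cafile"
    return $rc
}

# Import CA certificates (everything except the leaf) into the bundled JRE's
# cacerts. Needs root and the real install; not exercised by the test.
# Usage: import_cas_to_cacerts /opt/atlassian/bitbucket/4.12.1/jre chain-2.pem ...
import_cas_to_cacerts() {
    local jre="$1"; shift
    local f
    for f in "$@"; do
        sudo "$jre/bin/keytool" -importcert -noprompt -trustcacerts \
            -alias "$(basename "$f" .pem)" \
            -keystore "$jre/lib/security/cacerts" -storepass changeit -file "$f"
    done
}

# Constructed input: a throwaway private CA and a leaf it signs, concatenated
# leaf-first the way s_client prints the chain.
make_test_bundle() {
    local dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=bitbucket.yourdomain.com" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -out "$dir/leaf.crt" 2>/dev/null
    cat "$dir/leaf.crt" "$dir/ca.crt" > "$dir/bundle.pem"
}
```

On the real server: `pem_split public.crt .`, read the pem_chain_info output, run chain_verify on chain-1.pem against the rest, and then import only the CA files. If chain_verify fails, or pem_split reports a single certificate for a publicly issued one, Apache is not sending the intermediates and the fix belongs in the vhost, not in the keystore.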

Make sure your firewall allows the https service for public access. That is the only service I share on my server for Bitbucket; neither http nor 8060 (Bitbucket's internal port) needs to be reachable from outside. Note that the port-80 redirect in the Apache configuration above only does anything if you also open the http service.

sudo firewall-cmd --zone=public --add-service=https --permanent
sudo firewall-cmd --reload

1 Comment

  1. It would be great to see a post about installing/running NGINX on Jira…

    and thanks for the great posts so far…
