Summary
I'm posting this up because a considerable amount of time was wasted running off on a wild goose chase tracking down what we believed was a network communications issue when it was actually completely unrelated to network communications. Technically this isn't a question, but rather a bit of knowledge that will hopefully spare another systems engineer the trouble of tracking down this problem.
Problem
When attempting to import repositories from a repository over HTTPS (SSL), the error "Unable to reach server" is shown. When examining the atlassian-bitbucket.log on the server, there is no indication of any exception being thrown.
Cause
While the vague error "Unable to reach server" suggests a network problem, the actual problem is that your local Java trust store does not contain the issuing Certification Authority certificate for the SSL certificate in use on your repository server. You can verify this by using the SSLPoke Java class provided by Atlassian (where source-server-fqdn is the fully qualified domain name of your source repository server):
java SSLPoke <source-server-fqdn> 443
If Java does not trust the certificate authority that issued your source server's certificate, you'll see an exception similar to the following:
java.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target.
Solution
Acquire the Certification Authority's CA that issued your source server's SSL certificate and import it into the Java CA trust store.
keytool -import -alias <desired-alias> -file /path/to/certificate.crt -keystore /path/to/java/cacerts
Once the certificate is imported, retry the SSLPoke test. If it works, restart the Bitbucket server.
Notes
Additional Info:
Because this is probably a bug and I can't actually submit a report for it to Atlassian, below is some information on my Bitbucket server at the time this problem was found and resolved:
Bitbucket Version: 4.11.0
Host OS Version: CentOS 7.2.1511 (Kernel 3.10.0-327.36.3.el7.x86_64)
Java JDK Version: 1.8.0u112 x64
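An added example, not part of the original post and not Atlassian's code: a wrapper around the keytool import step above that checks the CA file's SHA-256 fingerprint against one obtained out of band before trusting it, skips the import when that CA is already in the trust store, and keeps a rollback copy of cacerts. The function names, the STOREPASS variable and the sample listing are assumptions made for illustration.

```sh
#!/bin/sh
# Fingerprint-checked, idempotent CA import around keytool (added example).

# Normalize one fingerprint argument to bare uppercase hex.
norm_fp() { printf '%s' "$1" | tr -d ': \t\r\n' | tr 'a-f' 'A-F'; }

# Print each SHA-256 fingerprint found in `keytool -list -v` or
# `keytool -printcert` output on stdin, normalized, one per line.
sha256_fps() {
  sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | tr -d ': \t\r' | tr 'a-f' 'A-F'
}

# Succeed if fingerprint $1 appears in the keytool output on stdin.
fp_in_listing() { sha256_fps | grep -qxF "$(norm_fp "$1")"; }

# Usage: import_ca_if_missing <ca.crt> <alias> <cacerts> <expected-sha256>
# STOREPASS is an assumed environment variable; "changeit" is the JDK default.
import_ca_if_missing() {
  crt=$1; alias=$2; store=$3; want=$(norm_fp "$4"); pass=${STOREPASS:-changeit}
  [ "${#want}" -eq 64 ] || { echo "need a SHA-256 fingerprint" >&2; return 2; }
  # Only trust the file if it matches the fingerprint obtained out of band.
  keytool -printcert -file "$crt" | fp_in_listing "$want" ||
    { echo "fingerprint mismatch, not importing $crt" >&2; return 3; }
  if keytool -list -v -keystore "$store" -storepass "$pass" | fp_in_listing "$want"
  then echo "CA already present in $store"; return 0; fi
  cp -p "$store" "$store.bak" &&      # keep a rollback copy of the trust store
    keytool -importcert -noprompt -alias "$alias" -file "$crt" \
            -keystore "$store" -storepass "$pass"
}

# Constructed sample of `keytool -list -v` output (not from a real trust store).
sample_listing() {
cat <<'EOF'
Alias name: example-internal-ca
Owner: CN=Example Internal CA
Certificate fingerprints:
     SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
     SHA256: AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89
EOF
}

# Run the import only when called with the four arguments listed above.
if [ "$#" -eq 4 ]; then import_ca_if_missing "$@"; fi
```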
Brilliant report, I'm sure many people will find this helpful.
Another solution is to upgrade your Java version, since that sometimes brings in new ca authority certs. For example, Java only started trusting "Let's Encrypt" sites as of Java 8u101 (July, 2016).
http://stackoverflow.com/questions/34110426/does-java-support-lets-encrypt-certificates
p.s. I invite people to try my add-on: Bit-Booster for Bitbucket Server