Users are receiving a pop-up asking to "select a certificate to authenticate yourself" when accessing Bitbucket
プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Fisheye および Crucible は除く
要約
After upgrading Bitbucket, a few users are receiving a pop-up asking to Select a certificate to authenticate yourself to <Bitbucket server web address>:443. The pop-up appears when the user access the Bitbucket dashboard. User receives window prompt asking for certificate. If a user clicks okay, it results in the page not loading. If the user selects cancel, they are telling the site to not use the certificate as a method of authentication.
環境
- Bitbucket Server running on Windows
- Any browser is affected. Tested in Chrome, Edge, Firefox
- Using a certificate issuer by MS-Organization-Access
- Customized bitbucket.properties property for server.ssl.client-auth
診断
- Verify pop-up message received is Select a certificate to authenticate yourself to <Bitbucket server web address>:443.
- Verify custom configuration for the property server.ssl.client-auth in file $BITBUCKET_HOME/shared/bitbucket.properties.
- Verify certificate issuer is MS-Organization-Access.
原因
The certificate issuer MS-Organization-Access comes from Active Directory Federation Services and the certificate is automatically generated when someone uses a federated service such as Azure.
ソリューション
The solution is to remove the bitbucket.properties configuration for the parameter server.ssl.client-auth.
By commenting out the parameter server.ssl.client-auth=want, you are setting the parameters as Tomcat's default value of false. When setting that parameter as want or need, you are saying you want to enable client authentication, so if the server.ssl.client-auth property is not set, then the users will not receive the pop-up.
The server.ssl.client-auth property should only be used in very specific business cases where client authentication is also required.
- Stop Bitbucket
- Open the
$BITBUCKET_HOME/shared/bitbucket.properties
file - remove or comment the server.ssl.client-auth=want parameters
- Start the application
Users will no longer be prompted to select a certificate.