Bitbucket Server fails to start with SSL - java.security.UnrecoverableKeyException: Cannot recover key

Platform notice: Server and Data Center only - This article only applies to Atlassian products on the Server and Data Center platforms.

Problem

After securing Bitbucket Server with Tomcat using SSL, the application fails to start.

The following is logged in catalina.out:

As of Bitbucket Server 5.x, catalina.out will no longer exist. It will be written to atlassian-bitbucket.log instead. 

14-Mar-2016 14:41:33.544 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["http-nio-8443"]
 java.security.UnrecoverableKeyException: Cannot recover key
	at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
	at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146)
	at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
	at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
	at java.security.KeyStore.getKey(KeyStore.java:1023)
	at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
	at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
	at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:608)
	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:537)
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:359)
	at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:737)
	at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:457)
	at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
	at org.apache.catalina.core.StandardService.initInternal(StandardService.java:567)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
	at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:576)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:599)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at com.atlassian.stash.internal.catalina.startup.Bootstrap.main(Bootstrap.java:79)

Cause

The certificate key has a password that is different than the keystore password. Normally the key password isn't set and it defaults to the keystore password.
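To confirm this cause without modifying the keystore, the following added example (not part of the original article and not Atlassian code) repeats the KeyStore.getKey call from the stack trace using the keystore password and lists the aliases for which it fails. The class name KeyPasswordCheck, the in-memory JCEKS sample with dummy secret keys, and the sample passwords are constructed for illustration.

```java
import java.io.*;
import java.security.*;
import java.util.*;
import javax.crypto.spec.SecretKeySpec;

public class KeyPasswordCheck {   // hypothetical name, added for illustration

    /** Returns aliases whose key cannot be recovered with the keystore password. */
    static List<String> mismatched(KeyStore ks, char[] storePass) throws GeneralSecurityException {
        List<String> bad = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;   // trusted-certificate entries have no key password
            try {
                ks.getKey(alias, storePass);       // same KeyStore.getKey call as in the stack trace
            } catch (UnrecoverableKeyException e) {
                bad.add(alias);                    // key is protected by a different password
            }
        }
        return bad;
    }

    /** Constructed sample: in-memory JCEKS store holding dummy secret keys (no file, no real key). */
    static KeyStore sample(char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, storePass);
        SecretKeySpec dummy = new SecretKeySpec(new byte[16], "AES");
        ks.setKeyEntry("matching", dummy, storePass, null);
        ks.setKeyEntry("bitbucket", dummy, "constructed-key-pass".toCharArray(), null);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] storePass;
        KeyStore ks;
        if (args.length == 1) {                    // real keystore: path given on the command line
            Console console = System.console();
            if (console == null) throw new IllegalStateException("Run from an interactive terminal");
            storePass = console.readPassword("Keystore password: ");  // not echoed, not in shell history
            ks = KeyStore.getInstance(new File(args[0]), storePass);  // Java 9+; probes the store type
        } else {                                   // no argument: use the constructed sample
            storePass = "constructed-store-pass".toCharArray();
            ks = sample(storePass);
        }
        List<String> bad = mismatched(ks, storePass);
        System.out.println(bad.isEmpty() ? "All key passwords match the keystore password."
                : "Key password differs from the keystore password for: " + bad);
        Arrays.fill(storePass, '\0');              // clear the password from memory
    }
}
```

Run it with the keystore path as the only argument to check a real keystore; with no argument it checks the constructed sample and reports the bitbucket alias.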

Solution

Set the key password to be the same as the keystore password. This can be done by using the following command:

$ keytool -keypasswd -keystore /path/to/keystore.kst -alias bitbucket

In the command above, make sure to supply the path to the keystore in use, as well as the alias set for its key.


For Bitbucket Server 5.+, the keystore and key passwords are set using the following parameters in the bitbucket.properties file:

# Main connector
server.ssl.key-store-password=<password>
server.ssl.key-password=<password>


# Additional connector
server.additional-connector.<connectorNumber>.ssl.key-store-password=<password>
server.additional-connector.<connectorNumber>.ssl.key-password=<password>



Description: After securing Bitbucket Server with Tomcat using SSL, the application fails to start.
Product: Bitbucket
Platform: Server
Last updated: September 11, 2018