Using self-signed certificates for Bitbucket Mirrors or Mirror Farms

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

One of the requirements for setting up Bitbucket Mirrors or Mirror Farms is that both the primary instance and the mirror should support HTTPS and have valid, non-expired SSL certificates.

It is recommended that they use certificates signed by a publicly-trusted Certification Authority (CA) instead of self-signed certificates, because this makes the mirror installation steps simpler and less prone to errors.


When a self-signed certificate is used, the certificate needs to be exported from the primary instance and imported into the Java truststore of the mirror.

In the same manner, if a self-signed certificate is used on the mirror, it also needs to be exported from the mirror and imported into the truststore of the primary instance.

If CA-signed certificates are used, the additional steps above will not be required.


In addition, if the self-signed certificates were imported into the default truststore location (e.g. $JAVA_HOME/lib/security/cacerts) and the Java installation used by the application is updated, the self-signed certificates need to be reimported.

Environment

Bitbucket Data Center with Mirrors or Mirror Farms

Solution

If it is not possible to use certificates signed by a publicly-trusted CA, the general procedure is to export the self-signed certificate from the Primary Data Center and import it into the truststore of the mirror, and vice versa.

For more detailed procedures, refer to: How to import a public SSL certificate into a JVM.

Note that if the Data Center instance is clustered, the mirror's certificate needs to be imported into the truststore of each primary Data Center node.

Correspondingly, if the mirror is a farm with multiple nodes, the primary instance's certificate needs to be imported into the truststore of each mirror farm node.
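
The export-and-import procedure above, as an added shell example (not taken from the Atlassian article): it fetches the peer's certificate, compares its SHA-256 fingerprint with one obtained out of band from the peer's administrator, and only then imports it with keytool. The host, alias, truststore path, port 443 and the TRUSTSTORE_PASS environment variable are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example. Host, alias, truststore path and TRUSTSTORE_PASS are
# placeholders; port 443 is assumed for the peer's HTTPS endpoint.
set -eu

# Reduce "sha256 Fingerprint=AB:CD:..." (or a bare fingerprint) to lowercase hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Succeed only when both fingerprints are non-empty and equal after normalisation.
fp_matches() {
    [ -n "$1" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Save the certificate the peer presents. This fetch is unauthenticated,
# which is why the fingerprint is checked before anything is trusted.
fetch_cert() {  # host port outfile
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$3"
}

# SHA-256 fingerprint line of a PEM certificate file.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Import into the truststore only when the fetched certificate is the expected one.
import_if_pinned() {  # pemfile expected_fp alias truststore
    if ! fp_matches "$(cert_fp "$1")" "$2"; then
        echo "fingerprint mismatch for $3; not importing" >&2
        return 1
    fi
    # The password is read from the environment so it stays off the command line.
    keytool -importcert -noprompt -alias "$3" -file "$1" \
        -keystore "$4" -storepass:env TRUSTSTORE_PASS
}

# usage: TRUSTSTORE_PASS=... ./import-peer-cert.sh HOST EXPECTED_FP ALIAS TRUSTSTORE
if [ "$#" -eq 4 ]; then
    pem=$(mktemp)
    trap 'rm -f "$pem"' EXIT
    fetch_cert "$1" 443 "$pem"
    import_if_pinned "$pem" "$2" "$3" "$4"
fi
```

Run it on every primary node against the mirror and on every mirror farm node against the primary, and again after a Java upgrade if the truststore is the default cacerts file.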



Last modified on August 11, 2023
