Agents might stop connecting to Bamboo after updating SSL self-signed certificates.
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the server and data center platforms.
After updating the SSL certificates used to secure Bamboo over HTTPS, the agents might stop connecting to the Bamboo server.
When the self-signed SSL certificates are updated, the remote agents can no longer trust the server's identity, which prevents them from establishing a secure connection with the server.
Import the new certificates' public key into the truststore of the JDK used by the remote agents.
Test your SSL configuration
After replacing the SSL certificates for the Bamboo server, it is important to thoroughly test your configuration to make sure it is compatible across browsers and other applications. It's possible for SSL to work fine in a browser but fail when other applications connect (not only remote agents). This can cause failures in systems that connect to your application. In addition to the agents, here are some examples of things that might be connecting to your application and can be affected:
- Application links
- Third-party plugins
- Scripts or tools that use REST APIs
These kinds of failures may not be immediately obvious, and by the time they are discovered, it can be much more difficult to narrow down the cause. Because of this, it's essential to test your new SSL configuration immediately so you can correct configuration issues that would otherwise be difficult to detect and diagnose later on.
Below are three tests that we recommend you run. It's important that you run all of the tests, as in many cases only one out of three tests will detect a failure.
SSLPoke is a simple Java utility created by Atlassian to help diagnose SSL issues. This test relies on the local Java installation's own store of trusted certificate authorities, so this test is best run from systems that you plan to connect to your application, e.g. servers hosting existing Atlassian applications.
The KB article Unable to connect to SSL services due to "PKIX Path Building Failed" error covers the steps to download and run the SSLPoke utility. When using SSLPoke from another server that needs to connect to your app, it's important to make sure the version of Java being used is the same one used by that server to run its applications.
Most UNIX-like systems should have OpenSSL binaries installed, and binaries are also available for Windows. The OpenSSL test validates both your certificate and the certificate chain, which helps to catch more obscure validation issues.
To run the OpenSSL test, run the following command:
openssl s_client -connect <subdomain>.<domain>.com:443
This test will return a lot of information about your certificate. If successful, the last line of the output should read:
Verify return code: 0 (ok) ---
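The OpenSSL test above, scripted so it can be repeated from each host that connects to Bamboo. This is an added example, not Atlassian's code; the function names verify_code and check_host and the sample output are constructed here. By default s_client continues the handshake after a verification error, so the script reads the verify code instead of relying on the exit status.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample output is constructed.

# verify_code: read `openssl s_client` output on stdin, print the verify
# result, and return 0 only if every "Verify return code" line reports 0.
#   prints "none", returns 2 -> no handshake output at all
#   prints N,      returns 1 -> first non-zero verification code
verify_code() {
    awk '
        /Verify return code:/ {
            seen = 1
            # strip the label, leaving e.g. "18 (self-signed certificate)"
            sub(/.*Verify return code: */, "")
            if ($1 + 0 != 0 && worst == 0) worst = $1 + 0
        }
        END {
            if (!seen) { print "none"; exit 2 }
            print worst + 0
            exit (worst != 0)
        }'
}

# check_host HOST[:PORT]: the same test against a live server.
# stdin is /dev/null so s_client exits after the handshake instead of waiting.
check_host() {
    target=$1
    case $target in *:*) ;; *) target="$target:443" ;; esac
    status=0
    result=$(openssl s_client -connect "$target" -servername "${target%%:*}" \
                 </dev/null 2>/dev/null | verify_code) || status=$?
    echo "$target verify=$result"
    return "$status"
}

# Constructed s_client output tails (not captured from a real server).
SAMPLE_TRUSTED='    Verify return code: 0 (ok)
---'
SAMPLE_UNTRUSTED='    Verify return code: 18 (self-signed certificate)
---'
SAMPLE_NO_HANDSHAKE='connect: Connection refused'
```

A result of 0 reflects the OpenSSL trust store on the host where the script runs, not the truststore of the agent's JDK, which is what the SSLPoke test exercises.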