Bitbucket Server fails to start with SSL - java.security.UnrecoverableKeyException: Cannot recover key

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Problem

After securing Bitbucket Server with Tomcat using SSL, the application fails to start.

The following appears in the catalina.out:

As of Bitbucket Server 5.x, catalina.out will no longer exist. It will be written to atlassian-bitbucket.log instead. 

14-Mar-2016 14:41:33.544 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["http-nio-8443"]
 java.security.UnrecoverableKeyException: Cannot recover key
	at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
	at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146)
	at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
	at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
	at java.security.KeyStore.getKey(KeyStore.java:1023)
	at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
	at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
	at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:608)
	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:537)
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:359)
	at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:737)
	at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:457)
	at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
	at org.apache.catalina.core.StandardService.initInternal(StandardService.java:567)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
	at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:576)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:599)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at com.atlassian.stash.internal.catalina.startup.Bootstrap.main(Bootstrap.java:79)

Cause

The certificate key has a password that is different than the keystore password. Normally the key password isn't set and it defaults to the keystore password.

Resolution

Set the key password to be the same as keystore password. This can be done by using the following command:

$ keytool -keypasswd -keystore /path/to/keystore.kst -alias bitbucket

In the command above, please attend to properly fill the path to the keystore used, as well as using the alias set for its key.


For Bitbucket Server 5.+, the keystore and key passwords are set using the following parameters in the bitbucket.properties file:

# Main connector
server.ssl.key-store-password=<password>
server.ssl.key-password=<password>


# Additional connector
server.additional-connector.<connectorNumber>.ssl.key-store-password=<password>
server.additional-connector.<connectorNumber>.ssl.key-password=<password>



DescriptionAfter securing Bitbucket Server with Tomcat using SSL, the application fails to start.
ProductBitbucket
PlatformServer
Last modified on Oct 11, 2018

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.