How to configure HTTPS for Elasticsearch running via Buckler with Bitbucket Data Center
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
There are multiple ways to configure HTTPS for Elasticsearch. Out of the box, Bitbucket provides a Buckler plugin for Elasticsearch, which allows the administrator to set up both basic authentication and HTTPS.
Buckler is not the only way to configure HTTPS for Elasticsearch; however, it is the fastest and easiest for embedded and external Elasticsearch instances.
Environment
Valid for both bundled and external Elasticsearch instances.
Solution
- Before starting with the HTTPS configuration, please install and configure Elasticsearch with basic authentication using Buckler and ensure it works over HTTP.
- Prepare the certificate together with all intermediate certificates in a single PFX Keystore. See the external article How to create a PFX file if you need instructions on doing that.
- Edit the elasticsearch/config/buckler/buckler.yml file and append the following properties:

    tls.http.enabled: true
    tls.tcp.enabled: true
    tls.keystore.path: /path/to/keystore
    tls.keystore.password: keystorepassword

  - Replace /path/to/keystore with the actual full path and ensure that the OS user running Elasticsearch is an owner or has Read-Write permissions to the keystore file.
  - Replace keystorepassword with an actual password. If the password contains parentheses, enclose it in double quotes.
  - Make sure that elasticsearch/config/buckler/buckler.yml is located in this exact path. Don't rename the buckler folder.
After the changes to the file are done, the final result should look like this:
    auth.basic.http.enabled: true
    auth.basic.tcp.enabled: true
    auth.basic.username: admin
    auth.basic.password: basicpassword
    tls.http.enabled: true
    tls.tcp.enabled: true
    tls.keystore.path: /path/to/keystore
    tls.keystore.password: keystorepassword
In the case of parentheses or other special symbols, the following form is also supported:
    auth.basic.http.enabled: "true"
    auth.basic.tcp.enabled: "true"
    auth.basic.username: "admin"
    auth.basic.password: "basicpassword"
    tls.http.enabled: "true"
    tls.tcp.enabled: "true"
    tls.keystore.path: "/path/to/keystore"
    tls.keystore.password: "keystorepassword"
- Restart Elasticsearch after applying the changes to buckler.yml or, in the case of bundled Elasticsearch, restart Bitbucket Server.
- Update the URL for Elasticsearch by logging into Bitbucket Server as an administrator, navigating to Settings by clicking the "cog" icon at the top right, and selecting Server Settings.
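The conditions the steps above place on buckler.yml (file location, enabled flags, keystore readability, double quotes around a password containing parentheses) can be checked before restarting Elasticsearch. The script below is an added example, not part of the original article or of Buckler; check_buckler_yml and buckler_raw are hypothetical helper names, and the world-readable check is an extra assumption based on the file holding both passwords in plain text.

```bash
#!/usr/bin/env bash
# Added example (not an Atlassian or Buckler tool). Run it as the OS user that
# runs Elasticsearch so the keystore readability check reflects that user.

# Print the raw value of KEY from FILE (flat "key: value" lines, as on this page).
buckler_raw() {
  awk -v k="$2:" 'index($0, k) == 1 {
    v = substr($0, length(k) + 1)
    gsub(/^[ \t]+|[ \t\r]+$/, "", v); print v; exit }' "$1"
}

# Print one line per problem; return non-zero if any problem was found.
check_buckler_yml() {
  local f=$1 problems=0 key raw val
  fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

  [ -r "$f" ] || { fail "cannot read $f"; return 1; }
  # The article requires the file to stay in the "buckler" folder.
  case "$(cd "$(dirname "$f")" && pwd)/$(basename "$f")" in
    */buckler/buckler.yml) ;;
    *) fail "file must be named buckler.yml inside a buckler folder" ;;
  esac

  for key in auth.basic.http.enabled auth.basic.tcp.enabled \
             tls.http.enabled tls.tcp.enabled; do
    val=$(buckler_raw "$f" "$key"); val=${val#\"}; val=${val%\"}
    [ "$val" = "true" ] || fail "$key is '${val:-unset}', expected true"
  done

  val=$(buckler_raw "$f" tls.keystore.path); val=${val#\"}; val=${val%\"}
  if [ -z "$val" ] || [ "$val" = "/path/to/keystore" ]; then
    fail "tls.keystore.path is unset or still the placeholder"
  elif [ ! -r "$val" ]; then
    fail "keystore $val is missing or not readable by $(id -un)"
  fi

  raw=$(buckler_raw "$f" tls.keystore.password)
  case "$raw" in
    "") fail "tls.keystore.password is unset" ;;
    \"*\") ;;  # double-quoted, so parentheses are acceptable
    *\(*|*\)*) fail "tls.keystore.password has parentheses but is not double-quoted" ;;
  esac

  # Assumption: both passwords sit here in plain text, so flag world-readable files.
  [ -z "$(find "$f" -perm -004 2>/dev/null)" ] || fail "$f is world-readable"
  [ "$problems" -eq 0 ]
}
```

Call it as check_buckler_yml followed by the full path to buckler.yml; no output and exit status 0 mean every check passed.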