How to configure HTTPS for Elasticsearch running via Buckler with Bitbucket Data Center

Still need help?

The Atlassian Community is here for you.

Ask the community


Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

There are multiple ways to configure HTTPS for Elasticsearch. Out of the box, Bitbucket provides a Buckler plugin for Elasticsearch, which allows the administrator to set up both basic authentication and HTTPS.

Buckler is not the only way to configure HTTPS for Elasticsearch, however, it is the fastest and easiest for embedded and external Elasticsearch instances.


Environment

Valid for both in bundled and external Elasticsearch instances.

Solution

  1. Before starting with the HTTPS configuration, please install and configure Elasticsearch with basic authentication using Buckler and ensure it works over HTTP.
  2. Prepare the certificate together with all intermediate certificates in a single PFX Keystore. See the external article How to create a PFX file if you need instructions on doing that.
  3. Edit elasticsearch/config/buckler/buckler.yml  file and append the following properties:

    tls.http.enabled: true
    tls.tcp.enabled: true
    tls.keystore.path: /path/to/keystore
    tls.keystore.password: keystorepassword
    1. Replace /path/to/keystore  with the actual full path and ensure that the OS user running Elasticsearch is an owner or has Read-Write permissions to the keystone file.

    2. Replace keystorepassword  with an actual password. Please note if the password has any parentheses, use double-quotes.
    3. Please make sure that {{elasticsearch/config/buckler/buckler.yml}} is located in this exact path. Don't rename the buckler folder.
  4. After the changes to the file are done, the final result should look like this:

    auth.basic.http.enabled: true
    auth.basic.tcp.enabled: true
    auth.basic.username: admin
    auth.basic.password: basicpassword
    tls.http.enabled: true
    tls.tcp.enabled: true
    tls.keystore.path: /path/to/keystore
    tls.keystore.password: keystorepassword

    In the case of parentheses or other special symbols, the following form is also supported:

    auth.basic.http.enabled: "true"
    auth.basic.tcp.enabled: "true"
    auth.basic.username: "admin"
    auth.basic.password: "basicpassword"
    tls.http.enabled: "true"
    tls.tcp.enabled: "true"
    tls.keystore.path: "/path/to/keystore"
    tls.keystore.password: "keystorepassword"
  5. Restart Elasticsearch after applying the changes to bucker.yml  or, in the case of bundled Elasticsearch, restart Bitbucket Server.
  6. Update the URL for Elasticsearch by logging into Bitbucket Server as an administrator and navigating to Settings by clicking the "cog" icon at the top right, and selecting Server Settings.



Last modified on Jul 6, 2022

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.