Using self-signed certificates for Bitbucket Mirrors or Mirror Farms
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
One of the requirements for setting up Bitbucket Mirrors or Mirror Farms is that both the primary instance and the mirror should support HTTPS and have valid, non-expired SSL certificates.
It is recommended that they use certificates signed by a publicly-trusted Certification Authority (CA) instead of self-signed certificates, because this makes the mirror installation steps simpler and less prone to errors.
When a self-signed certificate is used, the certificate needs to be exported from the primary instance and imported into the Java truststore of the mirror.
In the same manner, if a self-signed certificate is used on the mirror, it also needs to be exported from the mirror and imported into the truststore of the primary instance.
If CA-signed certificates are used, the additional steps above will not be required.
In addition, if the self-signed certificates were imported into the default truststore location, e.g. $JAVA_HOME/lib/security/cacerts, and the Java installation used by the application is updated, the self-signed certificates would need to be reimported.
Environment
Bitbucket Data Center with Mirrors or Mirror Farms
Solution
If it is not possible to use certificates signed by a publicly-trusted CA, the general procedure is to export the self-signed certificate from the primary Data Center instance and import it into the truststore of the mirror, and vice versa.
For more detailed procedures, refer to the link: How to import a public SSL certificate into a JVM.
Note that if the Data Center instance is clustered, the mirror's certificate needs to be imported into the truststore of each primary Data Center node.
Correspondingly, if the mirror is a farm with multiple nodes, the primary instance's certificate needs to be imported into the truststore of each mirror farm node.
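The import step above, as an added example (not Atlassian's own script): shell helpers that import a peer's already exported certificate into a node's truststore only when its alias is missing, so they can be rerun on every node and again after a Java update. The alias, file paths and the `STOREPASS` variable are assumptions; `changeit` is the JDK's default truststore password.

```shell
#!/usr/bin/env bash
# Added example: keep a peer's self-signed certificate in a JVM truststore.
# Assumed names: the alias, the file paths and STOREPASS are placeholders.

STOREPASS="${STOREPASS:-changeit}"   # JDK default truststore password

# Default truststore of the Java installation the application runs on.
# A Java update can replace this file, which drops imported certificates.
default_truststore() {
  echo "${JAVA_HOME:?JAVA_HOME is not set}/lib/security/cacerts"
}

# SHA-256 fingerprint of a PEM certificate, to compare with the value
# obtained from the peer's administrator before trusting the file.
cert_fingerprint() {  # cert_fingerprint <cert.pem>
  openssl x509 -noout -fingerprint -sha256 -in "$1"
}

# Succeeds when the alias is already present in the truststore.
has_alias() {  # has_alias <truststore> <alias>
  keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" \
    >/dev/null 2>&1
}

# Import the certificate under the alias unless it is already there.
# Prints "present" or "imported"; returns non-zero if keytool fails.
ensure_trusted() {  # ensure_trusted <truststore> <alias> <cert.pem>
  if has_alias "$1" "$2"; then
    echo "present"
    return 0
  fi
  keytool -importcert -noprompt -keystore "$1" -storepass "$STOREPASS" \
    -alias "$2" -file "$3" >/dev/null || return 1
  echo "imported"
}

# Example call on a mirror node (constructed alias and path):
#   cert_fingerprint /tmp/primary.pem
#   ensure_trusted "$(default_truststore)" bitbucket-primary /tmp/primary.pem
```

Run it on each mirror node with the primary's certificate and on each primary node with the mirror's certificate, then restart the application so the JVM reloads the truststore.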