Issue Summary
Currently, the Skip certificate verification feature on the webhooks page does not work in the following scenario.
- If a complete certificate chain (server certificate + CA certificate) is present in the certificate deployed at the target application/proxy, Bitbucket's "Skip certificate verification" checkbox doesn't work and results in the PKIX error.
This is reproducible on Data Center: yes
Steps to Reproduce
- Generate a certificate and install it with the complete chain (along with the root certificate of the CA) in the proxy or LB (SSL offload happens at the proxy/LB).
- Go to Webhooks > Create Webhook in Bitbucket. Enter the URL, select "Skip certificate verification," then press the Test connection button.
Expected Results
With Skip certificate verification enabled, the connection should succeed in both cases: when the user clicks the Test connection button on the Webhook page, and when Bitbucket sends actual webhook events to CI/CD systems.
Actual Results
When the Skip certificate verification checkbox is enabled and Test connection is clicked, the following event is logged in the atlassian-bitbucket.log file and the GUI displays ERROR next to the Test connection button:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:234)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:110)
at org.apache.http.ssl.SSLContextBuilder$TrustManagerDelegate.checkServerTrusted(SSLContextBuilder.java:413)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1311)
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1334)
... 19 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
... 27 common frames omitted
Workaround
Import the self-signed certificate into the Java trust store as described in the KB article Unable to connect to SSL services due to "PKIX Path Building Failed" error.
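
A script for checking the scenario and preparing the workaround above, added here as an example and not part of the original issue: it reports how many certificates the proxy/LB presents and, when the top of the chain is self-signed, prints the `keytool` import command for the Java trust store. Host, port, keystore path and alias are caller-supplied placeholders, and `openssl` and `keytool` are assumed to be installed.

```sh
#!/bin/sh
# Added example, not from the issue. Host, port, keystore path and alias are
# placeholders supplied by the caller.

# Keep only the "Certificate chain" part of `openssl s_client -showcerts`
# output; the later "Server certificate" part repeats the leaf certificate.
chain_section() {
    sed -n '/^Certificate chain/,/^Server certificate/p'
}

# Count the PEM certificates on stdin.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' || true
}

# Print the Nth (1-based) PEM certificate on stdin.
nth_cert() {
    awk -v n="$1" '
        /-----BEGIN CERTIFICATE-----/ { i++; on = 1 }
        on && i == n { print }
        /-----END CERTIFICATE-----/ { on = 0 }'
}

# True when subject and issuer names of the certificate in file $1 match.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

main() {
    host=$1; port=$2; keystore=$3; ca_alias=${4:-webhook-target-ca}
    work=$(mktemp -d)
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | chain_section >"$work/chain.txt"
    n=$(count_certs <"$work/chain.txt")
    echo "Target presented $n certificate(s) in its chain"
    [ "$n" -ge 1 ] || { echo "no certificates received" >&2; return 1; }
    nth_cert "$n" <"$work/chain.txt" >"$work/top.pem"
    if is_self_signed "$work/top.pem"; then
        openssl x509 -in "$work/top.pem" -noout -subject -fingerprint -sha256
        echo "Confirm the fingerprint with the CA owner, then run:"
        echo "keytool -importcert -alias $ca_alias -file $work/top.pem -keystore $keystore"
    else
        echo "Top of chain is not self-signed; get the CA certificate from its issuer"
    fi
}

if [ "$#" -ge 3 ]; then main "$@"; fi
```

Run it as `sh script.sh <host> <port> <keystore-path>` from the Bitbucket node so the chain seen is the one the proxy/LB serves to Bitbucket.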