[BSERV-9203] Bitbucket Search fails when connecting to Elasticsearch over HTTPS in certain environments

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 4.14.4
Affects Version/s: 4.9.1
Component/s: None
Labels:
- Targaryens

Symptom Severity:
Severity 3 - Minor
UIS:
47
Bug Fix Policy:
View Atlassian Server bug fix policy

Summary

Bitbucket Search fails to connect to a SSL enabled Elasticsearch instance with the following error in catalina.out:

Exception in thread "I/O dispatcher 11" java.lang.NoClassDefFoundError: javax/security/auth/x500/X500Principal

Environment

Elasticsearch 2.3.1
Buckler 0.2.1
Java 1.8.0_101
Ubuntu 14.04

Steps to Reproduce

Enable HTTPS on Elasticsearch with a self-signed certificate and import this certificate into the truststore of the JVM running Bitbucket Server
1. For example, with Buckler:
```
tls.http.enabled: true
tls.tcp.enabled: true
tls.keystore.path: /path/to/elasticsearch.jks
tls.keystore.password: changeit
```
Configure Bitbucket Server to point to the HTTPS URL for Elasticsearch
The test will fail and searches also fail

Expected Results

Connection test and search works without error.

Actual Results

The following is thrown in the atlassian-bitbucket.log:

2016-10-03 23:09:15,539 DEBUG [I/O dispatcher 13]  c.a.b.s.s.t.DefaultElasticsearchConnectionTester Detailed Exception: 
java.util.concurrent.CompletionException: org.apache.http.ConnectionClosedException: Connection closed unexpectedly
        at java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:292) ~[na:1.8.0_101]
        at java.util.concurrent.CompletableFuture.completeThrowable(CompletableFuture.java:308) ~[na:1.8.0_101]
        at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:593) ~[na:1.8.0_101]
        at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577) ~[na:1.8.0_101]
        at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474) ~[na:1.8.0_101]
        at java.util.concurrent.CompletableFuture.completeExceptionally(CompletableFuture.java:1977) ~[na:1.8.0_101]
        at com.atlassian.elasticsearch.client.apache.httpclient.ApacheRequestExecutor$1.failed(ApacheRequestExecutor.java:144) ~[na:na]
        at org.apache.http.concurrent.BasicFuture.failed(BasicFuture.java:134) ~[httpcore-4.4.4.jar:4.4.4]
        at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.failed(AbstractClientExchangeHandler.java:414) ~[na:na]
        at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.closed(HttpAsyncRequestExecutor.java:137) ~[na:na]
        at org.apache.http.impl.nio.client.InternalIODispatch.onClosed(InternalIODispatch.java:71) ~[na:na]
        at org.apache.http.impl.nio.client.InternalIODispatch.onClosed(InternalIODispatch.java:39) ~[na:na]
        at org.apache.http.impl.nio.reactor.AbstractIODispatch.disconnected(AbstractIODispatch.java:102) ~[na:na]
        at org.apache.http.impl.nio.reactor.BaseIOReactor.sessionClosed(BaseIOReactor.java:281) ~[na:na]
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.processClosedSessions(AbstractIOReactor.java:442) ~[na:na]
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.hardShutdown(AbstractIOReactor.java:578) ~[na:na]
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:307) ~[na:na]
        at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:106) ~[na:na]
        at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:590) ~[na:na]
        at java.lang.Thread.run(Thread.java:745) ~[na:1.8.0_101]
Caused by: org.apache.http.ConnectionClosedException: Connection closed unexpectedly
        ... 11 common frames omitted

And the corresponding entry in catalina.out:

Exception in thread "I/O dispatcher 13" java.lang.NoClassDefFoundError: javax/security/auth/x500/X500Principal
        at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:115)
        at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:87)
        at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy.verifySession(SSLIOSessionStrategy.java:204)
        at org.apache.http.nio.conn.ssl.SSLIOSessionStrategy$1.verify(SSLIOSessionStrategy.java:188)
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:366)
        at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:507)
        at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:122)
        at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:164)
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:339)
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:317)
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:278)
        at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:106)
        at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:590)
        at java.lang.Thread.run(Thread.java:745)

Workaround

Use HTTP to connect to Elasticsearch.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

elasticsearch.jks
20/Oct/2016 6:52 PM
2 kB
Jeff Thomas

Jonas Andersson added a comment - 22/Mar/2017 7:50 AM

I setup stunnel to work around this bug, otherwise we would have been forced to drop it too.

Jonas Andersson added a comment - 22/Mar/2017 7:50 AM I setup stunnel to work around this bug, otherwise we would have been forced to drop it too.

Jonas Andersson added a comment - 19/Jan/2017 1:20 PM

Is there a workaround for this? Sending cleartext username and passwords are so 1997, and a dealbreaker in terms of us deploying it for our organization. For the record i see the same error for elasticsearch 2.3.4 and the appropriate Buckler version. Clear text http authentication works

Jonas Andersson added a comment - 19/Jan/2017 1:20 PM Is there a workaround for this? Sending cleartext username and passwords are so 1997, and a dealbreaker in terms of us deploying it for our organization. For the record i see the same error for elasticsearch 2.3.4 and the appropriate Buckler version. Clear text http authentication works

Hoi Tsang added a comment - 04/Oct/2016 1:38 PM - edited

This could be a show stopping to deploy bitbucket data center in an enterprise without https, given username and password being passed along into the header as clear text to the externalized elasticsearch endpoint.

Until then the "search" function may have to be turned off.

Hoi Tsang added a comment - 04/Oct/2016 1:38 PM - edited This could be a show stopping to deploy bitbucket data center in an enterprise without https, given username and password being passed along into the header as clear text to the externalized elasticsearch endpoint. Until then the "search" function may have to be turned off.

Bitbucket Data Center

Details

Description

Summary

Environment

Steps to Reproduce

Expected Results

Actual Results

Workaround

Attachments

Attachments

Forms

Activity

Collapse comment: Jonas Andersson added a comment - 22/Mar/2017 7:50 AM

Expand comment: Jonas Andersson added a comment - 22/Mar/2017 7:50 AM

Collapse comment: Jonas Andersson added a comment - 19/Jan/2017 1:20 PM

Expand comment: Jonas Andersson added a comment - 19/Jan/2017 1:20 PM

Collapse comment: Hoi Tsang added a comment - 04/Oct/2016 1:38 PM, Edited by Hoi Tsang - 04/Oct/2016 1:39 PM

Expand comment: Hoi Tsang added a comment - 04/Oct/2016 1:38 PM, Edited by Hoi Tsang - 04/Oct/2016 1:39 PM

People

Dates

Backbone Issue Sync