How to add the TLS certificate to the Java trust store when running Bitbucket Server and Data Center in a Docker container

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

This article explains how to add the TLS certificate to the Java trust store when Bitbucket runs in a Docker container. When running a dockerized Bitbucket, the procedure to alter the Java trust store differs from the case where Bitbucket is started directly on the server.

Environment

Bitbucket 7.21.10, but also applicable to other versions.

Solution

Steps to add a TLS certificate to the Java trust store inside a Docker container include copying the trusted certs store out of the running Docker container, adding the required certs to it, and re-running the Bitbucket container with a modified trust store mounted into it.

In the steps described below, paths are given as examples only, and you have to modify them for your setup!

  1. Get the original Java trust store from running Bitbucket container. That means copying the Java trust store out of the Docker container.

    An example of the command to use is

    1 docker cp <Bitbucket_Container>:/opt/java/openjdk/lib/security/cacerts /path/to/copy_of_cert_store

  2. Add all the certificates you need to the copy_of_cert_store trust store. You can do that manually using a keytool on your workstation or on the server itself.

    Use the document How to import a public SSL certificate into a JVM as a guide on adding the certificate to a trust store.

    ⚠️ Be sure to use the keytool from the same JVM version as the one Bitbucket runs within the Docker container!

  3. Reconfigure your Docker container deployment or orchestration system to mount the external, modified trust store file to the Docker container and restart the Bitbucket container.

    An example command to start Bitbucket in a Docker container with a mounted modified trust store:

    1 2 3 4 5 6 7 docker run -d \ --name <Bitbucket_Container> \ ... ... -v /path/to/copy_of_cert_store:/opt/java/openjdk/lib/security/cacerts \ ... ...

When using this approach, you would have to repeat steps 1 and 2 only when you upgrade the container to a newer Bitbucket version.

Updated on April 16, 2025
Platform
Data Center only
Product
Bitbucket Data Center
On this pageSummarySolution

Still need help?

The Atlassian Community is here for you.
Ask the Community