The Atlassian Marketplace server is not reachable in Bitbucket Data Center

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

When you go to the manage/add new add-ons page, this error is displayed:

The Atlassian Marketplace server is not reachable. To avoid problems when loading this page, you can disable the connection to the Marketplace server

Diagnosis

Cause 1: The Bitbucket Server logs contain the following errors in atlassian-bitbucket.log:

2013-10-29 14:30:17,194 WARN [http-bio-7990-exec-5] user 870x497x1 1lzkc13 XXX.XXX.XXX.XXX,127.0.0.1 "GET /plugins/servlet/upm/marketplace HTTP/1.0" com.atlassian.upm.pac.PacClientImpl Error when querying application info from MPAC: com.atlassian.marketplace.client.MpacException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Cause 2: The catalina.out contains messages similar to the following:

23-Sep-2014 14:07:32.497 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:567)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:834)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:576)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:599)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:962)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    ... 12 more
Caused by: java.io.FileNotFoundException: /path/to/keystore (Permission denied)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(FileInputStream.java:146)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:388)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:294)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:552)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:492)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:363)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:727)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:456)
    at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
    ... 13 more

Cause 3: You need an outbound proxy to reach Marketplace.

Cause

  • Cause 1: The SSL connection between Bitbucket Server and the Atlassian Marketplace needs to be verified. The error occurs because the certificate is missing or has been tampered with by the local proxy.

  • Cause 2: This can also happen if the user who starts Bitbucket Server (newly installed versions running as a service are likely to be started by atlbitbucket) does not have access to the keystore configured for the connector.

Solution

Cause 1

If you are running Bitbucket Server on a Unix environment

1- Fetch the certificate from where you are running your Bitbucket Server instance

From the machine where you are running Bitbucket Server, export the certificates for the marketplace.atlassian.com:443, plugins.atlassian.com:443 and dq1dnt4af4eyy.cloudfront.net:443 websites:

openssl s_client -connect marketplace.atlassian.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > marketplace.atlassian.com.crt
openssl s_client -connect plugins.atlassian.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > plugins.atlassian.com.crt
openssl s_client -connect dq1dnt4af4eyy.cloudfront.net:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > dq1dnt4af4eyy.cloudfront.net.crt

2- Import the certificates into your Java keystore:

After you have fetched the certificates, import them into the keystore of the JAVA_HOME you are using to run Bitbucket Server:

keytool -import -alias marketplace.atlassian.com:443 -keystore /path/to/keystore -file /path/to/marketplace.atlassian.com.crt
keytool -import -alias plugins.atlassian.com:443 -keystore /path/to/keystore -file /path/to/plugins.atlassian.com.crt
keytool -import -alias dq1dnt4af4eyy.cloudfront.net:443 -keystore /path/to/keystore -file /path/to/dq1dnt4af4eyy.cloudfront.net.crt
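
Because Cause 1 includes a certificate altered by a local proxy, the file fetched in step 1 may be the proxy's own certificate. The following is an added example, not part of the original article: it compares a fetched certificate's SHA-256 fingerprint with a value recorded out-of-band before the file goes into the keystore. The function names, the pin source and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pin-check a fetched certificate before `keytool -import`.

# Number of PEM certificates in a file; the article's fetch command yields one.
cert_count() {
    awk '/-BEGIN CERTIFICATE-/ {n++} END {print n+0}' "$1"
}

# SHA-256 over the DER bytes of the first certificate, as lowercase hex.
cert_sha256() {
    awk '/-END CERTIFICATE-/ {exit} body {print} /-BEGIN CERTIFICATE-/ {body=1}' "$1" |
        tr -d ' \r\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# Accept "SHA256 Fingerprint=AB:CD:..." (openssl x509 -fingerprint) or bare hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \r\n' | tr 'A-F' 'a-f'
}

# 0 = matches the pin, 1 = mismatch (e.g. proxy-issued certificate), 2 = malformed.
verify_before_import() {
    [ "$(cert_count "$1")" -eq 1 ] || { echo "$1: expected exactly one certificate" >&2; return 2; }
    actual=$(cert_sha256 "$1")
    expected=$(normalize_fp "$2")
    [ "$actual" = "$expected" ] && return 0
    echo "$1: fingerprint $actual does not match pinned $expected" >&2
    return 1
}

# Constructed demo data: s_client-style output around a placeholder base64 body
# (not a real certificate; the fingerprint only depends on the decoded bytes).
demo_dir=$(mktemp -d)
cat > "$demo_dir/direct.txt" <<'EOF'
CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5PUA==
-----END CERTIFICATE-----
EOF
# Simulate what a TLS-inspecting proxy would hand back: different certificate bytes.
sed 's/UA==/UQ==/' "$demo_dir/direct.txt" > "$demo_dir/proxied.txt"
# Stand-in for a fingerprint recorded on a network that is not behind the proxy.
pin=$(cert_sha256 "$demo_dir/direct.txt")
for f in direct proxied; do
    if verify_before_import "$demo_dir/$f.txt" "$pin" 2>/dev/null; then
        echo "$f: fingerprint matches, import it"
    else
        echo "$f: fingerprint differs, do not import"
    fi
done
rm -rf "$demo_dir"
```

In practice the pin comes from running `openssl x509 -noout -fingerprint -sha256 -in <file>` on a copy fetched from a network outside the proxy, and the check is run on each of the three .crt files before step 2.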

Important Notes

Where is my keystore?

  • Windows/Linux: $JAVA_HOME/jre/lib/security/cacerts

  • Mac OS (not supported): $JAVA_HOME/lib/security/cacerts

What is the password?

  • The default password for the Java TrustStore is changeit.

Where is my JAVA_HOME?

  • To check for the <JAVA_HOME> value, go to Admin cog icon >> Atlassian Support Tools >> System info tab and look for java.home. Use this value (the fully qualified path) in place of $JAVA_HOME in the commands above.

If you are running Bitbucket Server on a Windows environment

Alternative 1: Using Portecle

To get around this issue, export the certificates for the marketplace.atlassian.com:443, plugins.atlassian.com:443 and dq1dnt4af4eyy.cloudfront.net:443 websites and import them into your Java keystore. There are detailed steps on how to do so using Portecle in the JIRA documentation below. Executing this procedure will take you through the whole export/import process (thus executing step #2 below is not required):

Alternative 2: Using command line

2.1- Fetch the certificate

If you prefer the command line as an alternative, you could do so by issuing:

openssl s_client -connect bitbucket.com:443 < NUL | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt

The command above only works on Windows if you have both Sed for Windows and OpenSSL installed in your environment. If you don't have Sed or OpenSSL and you don't want to install them, use the following steps as an alternative:

  • Use your browser to open the URLs above.

  • Save the certificate content into a file called public.cert. The file should contain only what is between the BEGIN CERTIFICATE and END CERTIFICATE lines. This is what your file should look like after you have edited it:

    -----BEGIN CERTIFICATE-----
    < Certificate content as fetched by the command line. Don't change this content, only remove what is before and after the BEGIN CERTIFICATE and END CERTIFICATE. That's what your Sed command is doing for you :-) >
    -----END CERTIFICATE-----

2.2- Import the certificate into your Java keystore:

After you fetch the certificate, import it into the $JAVA_HOME you are using to run Bitbucket:

keytool -import -alias marketplace.atlassian.com:443 -keystore /path/to/keystore -file /path/to/marketplace.atlassian.com.cert
keytool -import -alias plugins.atlassian.com:443 -keystore /path/to/keystore -file /path/to/plugins.atlassian.com.cert
keytool -import -alias dq1dnt4af4eyy.cloudfront.net:443 -keystore /path/to/keystore -file /path/to/dq1dnt4af4eyy.cloudfront.net

Important Notes

Where is my keystore?

  • Windows/Linux: $JAVA_HOME/jre/lib/security/cacerts

  • Mac OS (not supported): $JAVA_HOME/lib/security/cacerts

What is the password?

  • The default password for the Java TrustStore is changeit.

Where is my JAVA_HOME?

  • To check for the <JAVA_HOME> value, go to Admin cog icon >> Atlassian Support Tools >> System info tab and look for java.home. Use this value (the fully qualified path) in place of $JAVA_HOME in the commands above.

Cause 2

Give the user who is running Bitbucket Server permission to access the Java certificate store /path/to/keystore.

Important notes

Where is my keystore?

  • Windows/Linux: $JAVA_HOME/jre/lib/security/cacerts

  • Mac OS (not supported): $JAVA_HOME/lib/security/cacerts

Where is my JAVA_HOME?

  • To check for the <JAVA_HOME> value, go to Admin cog icon >> Atlassian Support Tools >> System info tab and look for java.home.

Cause 3

Please refer to the document below - it contains links on how to configure an outbound proxy:

Updated on June 27, 2025
