Unable to set up SSL while migrating Bitbucket Server from a Linux to a Windows environment

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

SSL cannot be set up while migrating Bitbucket Server from a Linux to a Windows environment.

Diagnosis

You'll notice the below in the logs:

Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
    at sun.security.util.DerInputStream.getLength(Unknown Source)
    at sun.security.util.DerValue.init(Unknown Source)
    at sun.security.util.DerValue.<init>(Unknown Source)
    at sun.security.util.DerValue.<init>(Unknown Source)
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source)
    at java.security.KeyStore.load(Unknown Source)
    ... 16 common frames omitted

Cause

Here are some of the causes of this error "Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big": 

  • The keystore configured for SSL could not be read by keytool as either a JKS or a PKCS#12 keystore. This can affect Tomcat.

  • This error often occurs when certificates are copied from Windows to Unix, i.e. you have raised a CSR and received by email a signed certificate, or a set of multiple signed certificates, from your Certificate Authority. The CA could be Verisign or another mainstream vendor, or even the security team within your organization.

  • There are extra characters at the end of the certificate file, which the certificate parser attempts to interpret as the start or end of a certificate section. The most common way to encounter this error is to have one or more blank lines at the end of the certificate file. A line termination sequence is permitted (but not required) at the end of the final "-----END" line (sometimes you may have more than one encoded certificate in a file), but there can be no more than one termination sequence. Reference: webspheretools.com.

Solution

Check the keystore type selected in bitbucket.properties. The type is set with the server.ssl.key-store-type parameter; please see this document for more information. The format of the SSL keystore file must be stated in the server.ssl.key-store-type parameter; typically "jks" is used by default.

If that doesn't help:

  1. Set up the certificates again.

  2. Remove the PKCS12 setting for the truststore set in the service parameters, but keep a backup of your .PFX files.

  3. Delete everything after the final "-----END" line. Check the lines using a good editor that shows you the characters being used; don't trust your eyes.

  4. Keeping a backup of the keystore always helps you restore it when disaster happens.
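The two file-level checks above, sketched in Python as an added example (not Atlassian's code; function names and sample bytes are constructed for illustration). It relies on the fact that a JKS file starts with the bytes FE ED FE ED: a DER parser reads the second byte, 0xED, as a long-form length spanning 0x6D = 109 octets, which is the lengthTag=109 reported when a JKS file is loaded as PKCS12.

```python
JKS_MAGIC = bytes.fromhex("feedfeed")     # first four bytes of a JKS file
JCEKS_MAGIC = bytes.fromhex("cececece")   # first four bytes of a JCEKS file
PEM_END = b"-----END "

def sniff_format(data: bytes) -> str:
    """Guess the container format from the leading bytes of the file."""
    if data.startswith(JKS_MAGIC):
        return "JKS"
    if data.startswith(JCEKS_MAGIC):
        return "JCEKS"
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":               # DER SEQUENCE tag, as at the start of a PKCS#12 file
        return "PKCS12"
    return "UNKNOWN"

def der_length_tag(data: bytes):
    """Length-of-length a DER parser reads from byte 2 (None if short form)."""
    if len(data) < 2 or not data[1] & 0x80:
        return None
    return data[1] & 0x7F                 # values above 4 are rejected as "too big"

def pem_trailing_bytes(data: bytes) -> bytes:
    """Bytes left after the final -----END line and its one line terminator."""
    start = data.rfind(PEM_END)
    eol = data.find(b"\n", start) if start >= 0 else -1
    return data[eol + 1:] if eol >= 0 else b""

def check(data: bytes, configured_type: str) -> list:
    """Compare a keystore file with the configured server.ssl.key-store-type."""
    findings, actual = [], sniff_format(data)
    if actual != configured_type.upper():
        findings.append(f"configured {configured_type}, file looks like {actual}")
    tag = der_length_tag(data)
    if configured_type.upper() == "PKCS12" and tag is not None and tag > 4:
        findings.append(f"DER parse fails: lengthTag={tag}, too big")
    return findings

# Constructed samples: a JKS header, and a CRLF PEM file with a stray blank line.
SAMPLE_JKS = JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00" * 8
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\r\nTUlJ\r\n-----END CERTIFICATE-----\r\n\r\n"

if __name__ == "__main__":
    print(check(SAMPLE_JKS, "PKCS12"))
    print(pem_trailing_bytes(SAMPLE_PEM))
```

To use it on real files, pass the bytes read with open(path, "rb").read() and the value of server.ssl.key-store-type from bitbucket.properties.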

Updated on February 25, 2025
