Running Bamboo Server over HTTPS with Self-Signed Certificate

Bamboo server is running on Docker Container (linux) with the Public image.

docker pull atlassian/bamboo-server:latest

It's accessible at http://localhost:8085, but we want to use HTTPS with a self-signed certificate to run our Bamboo Server. Could you please explain the steps for "how to secure Bamboo server running on Docker Container with HTTPS"? I read the Atlassian article, but it does not appear to contain enough information.

We can use Nginx (if necessary), but I haven't started because I'm not familiar with the configuration.

Despite the fact that I generated the .keystore file on the Docker host and used the environment to map with the container:

{$JAVA_HOME keytool -genkey} or

{openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365}

docker run -d -v bambooVolumeLatest:/var/atlassian/application-data/bamboo --init -p 54663:54663 -p 8443:8443 -e JVM_MINIMUM_MEMORY=3g -e JVM_MAXIMUM_MEMORY=3g -e ATL_TOMCAT_SCHEME=https -e ATL_TOMCAT_SECURE=true -e ATL_TOMCAT_SSL_ENABLED=true -e ATL_TOMCAT_SSL_PROTOCOL=TLS -e ATL_TOMCAT_KEYSTORE_FILE=/root/.keystore -e ATL_TOMCAT_KEYSTORE_PASS=changeit atlassian/bamboo

it's throwing an error:

02-Sep-2022 07:59:21.337 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to start component [Connector[HTTP/1.1-8085]]
    org.apache.catalina.LifecycleException: Protocol handler start failed
            at org.apache.catalina.connector.Connector.startInternal(Connector.java:1077)
            at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
            at org.apache.catalina.core.StandardService.startInternal(StandardService.java:449)
            at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
            at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
            at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
            at org.apache.catalina.startup.Catalina.start(Catalina.java:772)
            at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
            at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
            at java.base/java.lang.reflect.Method.invoke(Method.java:566)
            at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:345)
            at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:476)
    Caused by: java.lang.IllegalArgumentException: /root/.keystore (Permission denied)
            at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
            at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)

Any help would be much appreciated.

This does the trick for me (docker-compose file):

environment:
  - JVM_MINIMUM_MEMORY=4000m
  - JVM_MAXIMUM_MEMORY=8000m
  - ATL_TOMCAT_PORT=8443
  - ATL_TOMCAT_SSL_ENABLED=true
  - ATL_TOMCAT_SCHEME=https
  - ATL_TOMCAT_SECURE=true
  - ATL_TOMCAT_SSL_CERTIFICATE_FILE=/opt/atlassian/bamboo/conf/ssl/xxxxxx.com.crt
  - ATL_TOMCAT_SSL_CERTIFICATE_KEY_FILE=/opt/atlassian/bamboo/conf/ssl/xxxxxx.com.key
volumes:
  - bamboo:/var/atlassian/application-data/bamboo
  - ./ssl:/opt/atlassian/bamboo/conf/ssl

I don't bother with the keystore. On Linux systems, be sure the files are owned by 2005:2005 (bamboo user in docker). The cert & key can be retrieved with:

openssl pkcs12 -in xxxxx.com.pfx -out xxxxx.com.pem -nodes

If you dig around a bit you can also find how to pull it from pem. Good luck!
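Both the `/root/.keystore (Permission denied)` error in the question and the ownership advice in the answer come down to whether the container's bamboo user can search every directory on the path and read the file itself. The following is an added example, not part of the original posts: a POSIX shell check to run on the Docker host against the bind-mounted directory before starting the container. The function names and the sample file name are hypothetical; 2005:2005 is the UID:GID given in the answer.

```shell
#!/bin/sh
# Added example. Predicts from the mode bits shown by `ls -ldn` whether a
# UID:GID can open a file. Assumption: supplementary groups and ACLs are ignored.

# has_perm UID GID r|x PATH -> 0 if the owner/group/other bits allow it
has_perm() {
    hp_uid=$1; hp_gid=$2; hp_want=$3
    if [ "$hp_uid" = 0 ]; then return 0; fi       # root bypasses mode bits
    hp_line=$(ls -ldn -- "$4" 2>/dev/null) || return 2
    set -- $hp_line                                # $1=mode $3=owner uid $4=group gid
    if   [ "$hp_uid" = "$3" ]; then hp_off=1       # owner triplet
    elif [ "$hp_gid" = "$4" ]; then hp_off=4       # group triplet
    else hp_off=7; fi                              # other triplet
    case $hp_want in
        r) hp_pos=$((hp_off + 1)) ;;
        x) hp_pos=$((hp_off + 3)) ;;
        *) return 2 ;;
    esac
    case $(printf '%s' "$1" | cut -c"$hp_pos") in
        r|x|s|t) return 0 ;;                       # s/t: x together with setuid/sticky
        *) return 1 ;;
    esac
}

# can_read_as UID GID TOP FILE -> 0 if every directory from TOP (the mounted
# directory) down to FILE is searchable and FILE is readable; else names the blocker.
can_read_as() {
    cr_uid=$1; cr_gid=$2; cr_top=${3%/}; cr_file=$4
    case $cr_top in /*) ;; *) cr_top=$PWD/$cr_top ;; esac
    case $cr_file in /*) ;; *) cr_file=$PWD/$cr_file ;; esac
    cr_dir=$(dirname "$cr_file")
    while :; do
        if ! has_perm "$cr_uid" "$cr_gid" x "$cr_dir"; then
            echo "blocked: no search (x) permission on $cr_dir"; return 1
        fi
        if [ "$cr_dir" = "$cr_top" ]; then break; fi
        if [ "$cr_dir" = / ]; then echo "error: file is not under $cr_top"; return 2; fi
        cr_dir=$(dirname "$cr_dir")
    done
    if ! has_perm "$cr_uid" "$cr_gid" r "$cr_file"; then
        echo "blocked: $cr_file is not readable by $cr_uid:$cr_gid"; return 1
    fi
    echo "ok: $cr_uid:$cr_gid can read $cr_file"
}

# Usage on the Docker host (example.com.key is a placeholder file name):
#   can_read_as 2005 2005 ./ssl ./ssl/example.com.key
```

A private key that passes only because of its "other" permission bits is readable by every local user, so owning the files as 2005:2005 with mode 600 is the tighter fix.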

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 