How To Secure Self-Hosted Bamboo and Crucible with Let’s Encrypt SSL Certificates

Posted September 14th, 2023 at 6:26:30am


In this blog we explore how to use certificates from Let’s Encrypt to secure self-hosted Bamboo and Crucible.

Process To Follow

  • Install Certbot
  • Ensure that external DNS resolves to the correct IP address
  • Ensure that Port 80 is open from the outside to that IP address so that Let’s Encrypt can validate the domain
  • Ensure nothing is listening on Port 80
    netstat -pan | grep ':80 ' | grep LISTEN | wc -l
  • Generate the new certificate via Let’s Encrypt
  • Create the new Java keystore for use with Bamboo and Crucible
  • Copy the new keystore into place and set ownership and permissions
  • Restart the services
  • Test

Install Certbot

You must first install Python >= 3.
I like using pip to install certbot, but urge you to use any method that is the easiest and most familiar:
Run certbot help to confirm that it has been installed properly.

Generate the Let’s Encrypt Certificate

Create The New Java Keystore

This step will result in two new files being created: example.p12 and example.jks


  • the name/alias MUST be “tomcat” (no quotes)
  • the password MUST be “changeit” (no quotes), unless you modify the config xml settings which is beyond the scope of this blog post.
  • when you list out the new example.jks keystore using keytool, ensure that it says PrivateKeyEntry next to the alias tomcat.
  • ignore the warning at the end because Apache Tomcat requires the JKS keystore format, not the PKCS12 format – do NOT convert!
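
The keystore step and the PrivateKeyEntry check from the list above, as an added example (not the blog author's own commands). It assumes certbot's standard /etc/letsencrypt/live/<domain> layout; the function names, the example.com path and the sample listing are hypothetical.

```sh
# Added example, not the blog author's commands. Function names, the
# example.com path in the usage comment and SAMPLE_LISTING are assumptions.
ALIAS=tomcat          # alias the post requires
STOREPASS=changeit    # password the post requires with the default config

# build_keystore LIVE_DIR BASENAME -> writes BASENAME.p12 and BASENAME.jks
# LIVE_DIR is assumed to be certbot's /etc/letsencrypt/live/<domain> directory.
build_keystore() {
    # Bundle the chain and private key into PKCS12 under the required alias.
    openssl pkcs12 -export -in "$1/fullchain.pem" -inkey "$1/privkey.pem" \
        -name "$ALIAS" -passout "pass:$STOREPASS" -out "$2.p12" || return 1
    # Convert to JKS; keytool ends with the PKCS12 migration warning.
    keytool -importkeystore -noprompt \
        -srckeystore "$2.p12" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
        -destkeystore "$2.jks" -deststoretype JKS -deststorepass "$STOREPASS" \
        -srcalias "$ALIAS" -destalias "$ALIAS"
}

# check_listing: reads `keytool -list` output on stdin and prints the entry
# type of the alias. Returns 0 for PrivateKeyEntry, 1 for any other type
# (e.g. a certificate imported without its key), 2 if the alias is absent.
check_listing() {
    awk -F', *' -v want="$ALIAS" '
        # Entry line: alias, date (may itself contain commas), EntryType,
        NF >= 3 && tolower($1) == want {
            type = ($NF == "") ? $(NF - 1) : $NF
            print type
            rc = (type == "PrivateKeyEntry") ? 0 : 1
            found = 1
            exit
        }
        END {
            if (!found) { print "missing"; rc = 2 }
            exit rc
        }
    '
}

# Constructed sample of `keytool -list` output (fingerprint is a placeholder).
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Sep 14, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <placeholder>'

# Usage on a real host (paths are assumptions):
#   build_keystore /etc/letsencrypt/live/example.com example
#   keytool -list -keystore example.jks -storepass "$STOREPASS" | check_listing
```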

Copy The Java Keystore Into Place

This step will copy the new keystore (bamboo.jks) into place for both Bamboo and Crucible as ~/.keystore for each user. Ownership and permissions must also be set.

Restart Bamboo and Crucible

This step will restart the processes, so they read in the new certificate.

Test Bamboo and Crucible

Use the openssl command to test the new certs:
