Enable SSL for Jenkins
Securing Jenkins with SSL is very important for any instance that runs in a production environment.
This post walks you through the step-by-step guide for configuring SSL on a Jenkins server.
Following are the steps involved in configuring SSL on the Jenkins server.
1) Obtain SSL certificates.
2) Convert SSL keys to PKCS12 format.
3) Convert PKCS12 to JKS format (JKS = Java KeyStore), since Jenkins is a Java-based application.
4) Add JKS to Jenkins path.
5) Configure Jenkins startup to use the JKS file.
6) Validate Jenkins SSL.
To run Jenkins with HTTPS, you need to configure SSL in Jenkins:
Generate a private key and a CSR (the private key is written to privkey.pem, the request to jenkins.ssl.csr):
root@devops:/openssl_cert# openssl req -new > jenkins.ssl.csr
Generating a RSA private key
.....................................................................................................................................................+++++
......................+++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:SJC
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RSInfoMinds
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:rsinfominds.com
Email Address []:rsinfominds@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@devops:/openssl_cert#
root@devops:/openssl_cert# ls -l
total 8
-rw-r--r-- 1 root root 1054 Mar 23 12:34 jenkins.ssl.csr
-rw------- 1 root root 1854 Mar 23 12:33 privkey.pem
root@devops:/openssl_cert#
Create a key file:
Use the privkey.pem file and run the following command to write an unencrypted copy of the private key named "jenkins.cert.key"; the certificate and keystore will be built from this key. Because the passphrase has been removed, this file must stay readable by root only (note the 600 mode in the listing below).
root@devops:/openssl_cert# openssl rsa -in privkey.pem -out jenkins.cert.key
Enter pass phrase for privkey.pem:
writing RSA key
root@devops:/openssl_cert# ls -lrt
total 12
-rw------- 1 root root 1854 Mar 23 12:33 privkey.pem
-rw-r--r-- 1 root root 1054 Mar 23 12:34 jenkins.ssl.csr
-rw------- 1 root root 1675 Mar 23 12:35 jenkins.cert.key
root@devops:/openssl_cert#
Create a self-signed certificate using the key file:
Now that we have the key file and the CSR, run the following command to sign the CSR with our own key and produce the certificate; -days sets how long the certificate is valid (10 days in this example).
root@devops:/openssl_cert# openssl x509 -in jenkins.ssl.csr \
> -out jenkins.cert.cert \
> -req -signkey jenkins.cert.key -days 10
Signature ok
subject=C = US, ST = CA, L = SJC, O = RSInfoMinds, OU = IT, CN = rsinfominds.com, emailAddress = rsinfominds@gmail.com
Getting Private key
root@devops:/openssl_cert# ls -lrt
total 16
-rw------- 1 root root 1854 Mar 23 12:33 privkey.pem
-rw-r--r-- 1 root root 1054 Mar 23 12:34 jenkins.ssl.csr
-rw------- 1 root root 1675 Mar 23 12:35 jenkins.cert.key
-rw-r--r-- 1 root root 1318 Mar 23 12:37 jenkins.cert.cert
root@devops:/openssl_cert#
Create the PKCS12 file (the keystore password is passed inline here; on a real server use a stronger value and keep it out of shell history):
root@devops:/openssl_cert# openssl pkcs12 -export -out jenkins.p12 -passout 'pass:password' \
> -inkey jenkins.cert.key -in jenkins.cert.cert -name rsinfominds.com
root@devops:/openssl_cert# ls -lrt
total 20
-rw------- 1 root root 1854 Mar 23 12:33 privkey.pem
-rw-r--r-- 1 root root 1054 Mar 23 12:34 jenkins.ssl.csr
-rw------- 1 root root 1675 Mar 23 12:35 jenkins.cert.key
-rw-r--r-- 1 root root 1318 Mar 23 12:37 jenkins.cert.cert
-rw------- 1 root root 2628 Mar 23 12:39 jenkins.p12
root@devops:/openssl_cert#
Create Java Keystore file (JKS):
root@devops:/openssl_cert# keytool -importkeystore -srckeystore jenkins.p12 \
> -srcstorepass 'password' -srcstoretype PKCS12 \
> -deststoretype JKS -destkeystore jenkins.jks \
> -deststorepass 'password'
Importing keystore jenkins.p12 to jenkins.jks...
Entry for alias rsinfominds.com successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore jenkins.jks -destkeystore jenkins.jks -deststoretype pkcs12".
root@devops:/openssl_cert# keytool -importkeystore -srckeystore jenkins.jks -destkeystore jenkins.jks -deststoretype pkcs12
Enter source keystore password:
Entry for alias rsinfominds.com successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Warning:
Migrated "jenkins.jks" to Non JKS/JCEKS. The JKS keystore is backed up as "jenkins.jks.old".
root@devops:/openssl_cert# ls -lrt
total 28
-rw------- 1 root root 1854 Mar 23 12:33 privkey.pem
-rw-r--r-- 1 root root 1054 Mar 23 12:34 jenkins.ssl.csr
-rw------- 1 root root 1675 Mar 23 12:35 jenkins.cert.key
-rw-r--r-- 1 root root 1318 Mar 23 12:37 jenkins.cert.cert
-rw------- 1 root root 2628 Mar 23 12:45 jenkins.p12
-rw-r--r-- 1 root root 2292 Mar 23 13:47 jenkins.jks.old
-rw-r--r-- 1 root root 2665 Mar 23 13:47 jenkins.jks
root@devops:/openssl_cert#
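The certificate, key and PKCS12 steps above, collected into one script with the checks a practitioner runs before handing the keystore to Jenkins. This is an added example, not code from the original post: it assumes openssl 1.1.1 or newer, and the hostname, validity and password are illustrative arguments rather than values from the post. Unlike the CN-only certificate above, it also adds a subjectAltName, which browsers need for hostname validation.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl >= 1.1.1.
set -eu

# make_jenkins_p12 DIR HOSTNAME DAYS PASSWORD
# Writes DIR/jenkins.key, DIR/jenkins.crt and DIR/jenkins.p12 in one go:
# self-signed certificate with a DNS subjectAltName, then the PKCS12 bundle
# under the alias HOSTNAME (the alias keytool will later import).
make_jenkins_p12() {
  dir=$1; host=$2; days=$3; pass=$4
  umask 077   # private key and keystore must not be world-readable
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -keyout "$dir/jenkins.key" -out "$dir/jenkins.crt" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
  openssl pkcs12 -export -in "$dir/jenkins.crt" -inkey "$dir/jenkins.key" \
    -name "$host" -out "$dir/jenkins.p12" -passout "pass:$pass"
}

# key_matches_cert KEY CERT: succeed only if the certificate's public key is
# the public half of KEY (catches a mixed-up key/cert pair before Jenkins does).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER | openssl sha256)
  [ "$k" = "$c" ]
}

# cert_has_san CERT HOSTNAME: succeed if HOSTNAME is listed as a DNS SAN.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# p12_has_alias P12 PASSWORD ALIAS: succeed if the PKCS12 file opens with
# PASSWORD and carries an entry whose friendlyName is ALIAS.
p12_has_alias() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -q "friendlyName: $3"
}
```

Usage: make_jenkins_p12 /openssl_cert jenkins.example.com 365 "$KEYSTORE_PASS" followed by the three checks; once Jenkins is restarted, openssl s_client -connect host:8443 -servername host shows the certificate it actually presents.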
Copy the keystore file into the Jenkins home directory and hand ownership to the jenkins user:
root@devops:/var/lib/jenkins# mkdir keystore
root@devops:/var/lib/jenkins# cd keystore/
root@devops:/var/lib/jenkins/keystore# cp /openssl_cert/jenkins.jks .
root@devops:/var/lib/jenkins/keystore# ls -lrt
total 4
-rw-r--r-- 1 root root 2665 Mar 23 13:48 jenkins.jks
root@devops:/var/lib/jenkins/keystore#
root@devops:/var/lib/jenkins# ls -lrt keystore/
total 4
-rw-r--r-- 1 root root 2665 Mar 23 13:48 jenkins.jks
root@devops:/var/lib/jenkins#
root@devops:/var/lib/jenkins# chown -R jenkins:jenkins keystore/
Edit the Jenkins configuration file /etc/default/jenkins: set the HTTPS port, keystore path and keystore password, and pass them to Jenkins through JENKINS_ARGS. The variable is named HTTPS_PORT, so --httpsPort must reference $HTTPS_PORT (the original line used $HTTP_PORT, which is undefined and leaves HTTPS unconfigured). Since the keystore password sits in this file in clear text, keep it readable by root only.
HTTPS_PORT=8443
KEYSTORE=/var/lib/jenkins/keystore/jenkins.jks
PASSWORD=password
JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpsPort=$HTTPS_PORT --httpsKeyStore=$KEYSTORE --httpsKeyStorePassword=$PASSWORD"
root@devops:/etc/default#
root@devops:/# systemctl daemon-reload
root@devops:/# systemctl restart jenkins
root@devops:/# systemctl status jenkins
● jenkins.service - Jenkins Continuous Integration Server
Loaded: loaded (/lib/systemd/system/jenkins.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2022-03-23 14:27:01 MST; 7s ago
Main PID: 4896 (java)
Tasks: 41 (limit: 4588)
Memory: 420.5M
CGroup: /system.slice/jenkins.service
└─4896 /usr/bin/java -Djava.awt.headless=true -jar /usr/share/java/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080 --httpListenAddress=192.168.45.130 --httpsListe>
The status output above shows Jenkins still serving plain HTTP on port 8080: with the systemd service, the listen address and ports come from the Environment entries in the unit file. Update /lib/systemd/system/jenkins.service (better, put the same lines in an override created with systemctl edit jenkins so a package upgrade does not overwrite them), setting JENKINS_PORT=-1 to disable the HTTP listener and JENKINS_HTTPS_PORT=8443 to enable HTTPS; the same file also carries commented-out JENKINS_HTTPS_KEYSTORE and JENKINS_HTTPS_KEYSTORE_PASSWORD entries that should point at the keystore created above:
Environment="JENKINS_LISTEN_ADDRESS=0.0.0.0"
Environment="JENKINS_PORT=-1"
Environment="JENKINS_HTTPS_PORT=8443"
root@devops:/# systemctl daemon-reload
root@devops:/# systemctl restart jenkins