Triangle

Reputation: 1507

Enable HTTPS in Jenkins?

I have a private network with a local IP. I want to enable HTTPS for my Jenkins server, which is on static IP W.X.Y.Z:8080.

Jenkins version 2.9
java version "1.7.0_111"
OpenJDK Runtime Environment (IcedTea 2.6.7) (7u111-2.6.7-0ubuntu0.14.04.3)
OpenJDK 64-Bit Server VM (build 24.111-b01, mixed mode)

I have tried configuring in /etc/defaults/jenkins file the following arguments

HTTP_PORT=-1
JENKINS_ARGS="--webroot=/var/cache/$NAME/war -DsessionTimeout=1 --httpPort=$HTTP_PORT  --httpsPort=8081"

But I get the following errors. Please help.

Running from: /usr/share/jenkins/jenkins.war
webroot: $user.home/.jenkins
Oct 19, 2016 2:18:48 PM org.eclipse.jetty.util.log.JavaUtilLog info
INFO: Logging initialized @811ms
Oct 19, 2016 2:18:48 PM winstone.Logger logInternal
INFO: Beginning extraction from war file
Oct 19, 2016 2:18:48 PM org.eclipse.jetty.util.log.JavaUtilLog warn
WARNING: Empty contextPath
Using one-time self-signed certificate
Oct 19, 2016 2:18:48 PM winstone.Logger logInternal
INFO: Winstone shutdown successfully
Oct 19, 2016 2:18:48 PM winstone.Logger logInternal
SEVERE: Container startup failed
java.io.IOException: Failed to start a listener
winstone.HttpsConnectorFactory
at winstone.Launcher.spawnListener(Launcher.java:207)
at winstone.Launcher.<init>(Launcher.java:149)
at winstone.Launcher.main(Launcher.java:352)
at sun.reflect.NativeMethodAccessorImpl.invoke0

I found similar issues resolved here but it didn't work for me

EDIT1: The following changes have been tried in /etc/defaults/jenkins file and restarted jenkins but it didn't work for me.

HTTP_PORT=-1
JENKINS_ARGS="--webroot=/var/cache/$NAME/war -DsessionTimeout=1 --httpPort=$HTTP_PORT   --httpsPort=8443 --httpsCertificate=cert.pem --httpsPrivateKey=key.pem

https://issues.jenkins-ci.org/browse/JENKINS-34463

https://issues.jenkins-ci.org/browse/JENKINS-25333

Upvotes: 27

Views: 102903

Answers (6)

braga461

Reputation: 41

I've researched a lot and finally found a solution that works for me using the following setup.

1. Setup

Here's my setup: it's a Linux virtual machine on AWS EC2. I bought a domain on http://namecheap.com and also its SSL certificates there. On AWS I've configured the security groups to allow incoming connections to both ports 8443 and also 443 via load balancer and target groups too.

2. Create a .jks file

Using the SSL certificates private.key, certificate.crt and certificate.ca-bundle that I got from setup 1, in my Jenkins home folder, `/var/lib/jenkins/`, I've created this `.ssl` folder and moved the 3 certificates there, and then created first a .p12 file and then a .jks file on the terminal like this (replace PASSWORD by your actual password):

cd /var/lib/jenkins/.ssl

openssl pkcs12 -export -out jenkins.p12 \
-passout 'pass:PASSWORD' -inkey private.key \
-in certificate.crt -certfile certificate.ca-bundle -name namecheap.online

keytool -importkeystore -srckeystore jenkins.p12 \
-srcstorepass 'PASSWORD' -srcstoretype PKCS12 \
-srcalias namecheap.online -deststoretype JKS \
-destkeystore jenkins.jks -deststorepass 'PASSWORD' \
-destalias namecheap.online

3. Make changes to jenkins config files

Have a look at the current status of Jenkins:

sudo systemctl status jenkins

You will see something like

jenkins.service - Jenkins Continuous Integration Server
   Loaded: loaded (/usr/lib/systemd/system/jenkins.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/jenkins.service.d
           └─override.conf
   Active: active (running) since Tue 2024-03-05 16:07:30 UTC; 3s ago
 Main PID: 331 (java)
    Tasks: 54
   Memory: 593.7M
   CGroup: /system.slice/jenkins.service
           └─331 /usr/bin/java -Djava.awt.headless=true -jar /usr/share/java/jenkins.war --webroot=%C/jenkins/war --httpPort=8080

That means it's still running on the default HTTP port 8080. In order to change that, edit that file from the second line:

sudo nano /usr/lib/systemd/system/jenkins.service

We want to uncomment a few lines and overall change the parameters. Note that JENKINS_HTTPS_KEYSTORE is the path to the .jks file that you've created and JENKINS_HTTPS_KEYSTORE_PASSWORD is its password.

  • Environment="JENKINS_PORT=-1"
  • Environment="JENKINS_HTTPS_LISTEN_ADDRESS=0.0.0.0"
  • Environment="JENKINS_HTTPS_PORT=8443"
  • Environment="JENKINS_HTTPS_KEYSTORE=/etc/jenkins/jenkins.jks"
  • Environment="JENKINS_HTTPS_KEYSTORE_PASSWORD=PASSWORD"

After you edit it, the file should look like this:

# Port to listen on for HTTP requests. Set to -1 to disable.
# To be able to listen on privileged ports (port numbers less than 1024),
# add the CAP_NET_BIND_SERVICE capability to the AmbientCapabilities
# directive below.
Environment="JENKINS_PORT=-1"

# IP address to listen on for HTTPS requests. Default is disabled.
Environment="JENKINS_HTTPS_LISTEN_ADDRESS=0.0.0.0"

# Port to listen on for HTTPS requests. Default is disabled.
# To be able to listen on privileged ports (port numbers less than 1024),
# add the CAP_NET_BIND_SERVICE capability to the AmbientCapabilities
# directive below.
Environment="JENKINS_HTTPS_PORT=8443"

# Path to the keystore in JKS format (as created by the JDK's keytool).
# Default is disabled.
Environment="JENKINS_HTTPS_KEYSTORE=/etc/jenkins/jenkins.jks"

# Password to access the keystore defined in JENKINS_HTTPS_KEYSTORE.
# Default is disabled.
Environment="JENKINS_HTTPS_KEYSTORE_PASSWORD=PASSWORD"

Notice also this file on lines 3 and 4 from image 35: /etc/systemd/system/jenkins.service.d/override.conf, have a look at it too:

sudo nano /etc/systemd/system/jenkins.service.d/override.conf

In case it's empty just write this line of code on it, save and quit:

[Service]
Environment="JENKINS_PORT=8443"

Great, now you should restart jenkins and reload daemon with sudo. Then have a look again at jenkins' status with sudo systemctl status jenkins

# Reload unit files first so the restart picks up the edited configuration
sudo systemctl daemon-reload
sudo systemctl restart jenkins
sudo systemctl status jenkins -l

Now this is the new output that you should be seeing. Jenkins is running on HTTPS via port 8443, try now https://<YOUR_IP>:8443

jenkins.service - Jenkins Continuous Integration Server
   Loaded: loaded (/usr/lib/systemd/system/jenkins.service; enabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/jenkins.service.d
           └─override.conf
   Active: active (running) since Tue 2024-03-05 16:10:08 UTC; 58min ago
 Main PID: 4614 (java)
    Tasks: 57
   Memory: 2.3G
   CGroup: /system.slice/jenkins.service
           └─4614 /usr/bin/java -Djava.awt.headless=true -jar /usr/share/java/jenkins.war --webroot=%C/jenkins/war --httpPort=-1 --httpsPort=8443 --httpsListenAddress=0.0.0.0 --httpsKeyStore=/etc/jenkins/jenkins.jks --httpsKeyStorePassword=PASSWORD

I hope this works for you too.

Upvotes: 1
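How systemd resolves the unit file and the `override.conf` drop-in edited in this answer, as an added example (not part of the original answer and not Jenkins project code): drop-ins are read after the main unit, so a later `Environment=` assignment replaces an earlier one. The sample file contents and the `effective_env` and `audit` helpers are constructed for illustration, and an unset `JENKINS_PORT` is assumed to mean the default 8080.

```python
import re

# Constructed samples modelled on the two files edited in the answer above.
UNIT = """[Service]
Environment="JENKINS_PORT=-1"
Environment="JENKINS_HTTPS_PORT=8443"
Environment="JENKINS_HTTPS_KEYSTORE=/etc/jenkins/jenkins.jks"
Environment="JENKINS_HTTPS_KEYSTORE_PASSWORD=PASSWORD"
"""
OVERRIDE = """[Service]
Environment="JENKINS_PORT=8443"
"""

ENV_LINE = re.compile(r"^\s*Environment=(.*)$")
# Either "NAME=value with spaces" or a bare NAME=value token.
ASSIGN = re.compile(r'"(\w+)=([^"]*)"|(\w+)=(\S*)')

def effective_env(*unit_texts):
    """Merge Environment= lines in load order (main unit, then drop-ins).
    A later assignment wins; an empty 'Environment=' resets the list."""
    env = {}
    for text in unit_texts:
        for line in text.splitlines():
            m = ENV_LINE.match(line)
            if m and not m.group(1).strip():
                env.clear()
            elif m:
                for qname, qval, name, val in ASSIGN.findall(m.group(1)):
                    env[qname or name] = qval if qname else val
    return env

def audit(env):
    """Return findings for the listener settings the answer configures."""
    findings = []
    # Assumption: an unset JENKINS_PORT means Jenkins' default HTTP port 8080.
    http = env.get("JENKINS_PORT", "8080")
    https = env.get("JENKINS_HTTPS_PORT", "-1")
    if http != "-1":
        findings.append(f"plain HTTP listener enabled on port {http}")
    if https == "-1":
        findings.append("HTTPS listener disabled")
    else:
        if http == https:
            findings.append(f"HTTP and HTTPS both bound to port {https}")
        if not env.get("JENKINS_HTTPS_KEYSTORE"):
            findings.append("HTTPS port set but no keystore configured")
    # An inline password also ends up on the java command line (see status output).
    if env.get("JENKINS_HTTPS_KEYSTORE_PASSWORD"):
        findings.append("keystore password stored inline in the unit")
    return findings
```

On a live host, `systemctl show jenkins --property=Environment` prints the merged values that systemd passes to the service.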

Greg Gutman

Reputation: 1

This thread shows as the top hit, but lacks actual information. If you run Jenkins on Linux vs Windows, use openssl to create self-signed certs. If you have certs, convert them to PKCS12. Whether self-signed or issued, you have to import them into a Java keystore. Keystore steps are here: 1. https://sopblog.com/how-to-enable-ssl-in-jenkins-server/ and the HTTPS section is here: 2. https://www.jenkins.io/doc/book/installing/initial-settings/

Upvotes: -1

ravi creed

Reputation: 401

You can enable Jenkins via HTTPS with the following steps:

  1. Create Certificate using Java

     keytool -genkey -keyalg RSA -alias "localhost" -keystore "C:\Users\username\Desktop\New folder\localhost.jks" -validity 365 -keysize 2048 -dname "CN=localhost, OU=OU_name, O=OU_name, L=city, ST=State_name, C=two_letter_country_code" -ext SAN=dns:localhost,ip:ip_address -storepass changeit
    
  2. Export p12 Public Certificate from key-store file

     keytool -importkeystore -srckeystore "C:\Users\username\Desktop\New folder\localhost.jks" -storepass changeit -destkeystore "C:\Users\username\Desktop\New folder\localhost.p12" -srcstoretype JKS -deststoretype PKCS12 -deststorepass changeit
    
  3. Host Jenkins using key-store (JKS) file

     java -jar jenkins.war --httpsPort=8082 --httpPort=-1 --httpsKeyStore="C:\Users\username\Desktop\New folder\localhost.jks" --httpsKeyStorePassword=changeit
    
  4. Import the Certificate into Browser

You may wonder why we exported the *.p12 certificate. Well, this is the certificate we are going to import into the browser from which we access Jenkins. The same p12 certificate can be shared between multiple users.

For example, in Chrome go to Setting>Search - "Manage Certificate" and click on "Manage Certificate"; you will get a "Certificate" window. Import the certificate into each tab (Personal, Other People, Intermediate Certificate Authorities, Trusted Root Certification Authorities, Trusted Publishers, and Untrusted Publishers).

Upvotes: 25

MS_22

Reputation: 127

If you have your new instance of Jenkins which is a copy of your old Jenkins instance, copy the cacerts, which will be located at ..\Jenkins\jre\lib\security, to the jre\secrets folder of your existing new Jenkins instance.

In jenkins.xml change the arguments accordingly, e.g.:

<arguments>
    -Xrs 
    -Xmx256m 
    -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle 
    -jar "%BASE%\jenkins.war" 
    --httpPort=-1 
    --httpsPort=8443 
    --httpsKeyStore="%BASE%\secrets\keystore" 
    --httpsKeyStorePassword=your.password.here
</arguments>

Upvotes: 0

Manan Shah

Reputation: 1098

If you have a valid certificate and you do not want to enable HTTPS for your Jenkins but still want SSL-enabled traffic, then here is another way.

In my case, I put Jenkins behind my Nginx web server. So here are the steps which I follow:

  1. I have installed Nginx server. (sudo apt install nginx)
  2. Copy the cert files in that machine. (Files are: <my-cert>.crt and <my-cert>.key)
  3. Changed the nginx configuration in /etc/nginx/sites-available/default file to something like this:

    ssl_certificate /etc/nginx/<my-cert>.crt;
    ssl_certificate_key /etc/nginx/<my-cert>.key;
    
  4. Follow the steps mentioned in the Jenkins Wiki.

  5. And everything works like a charm...

By doing these steps the request flow will be like this:

  1. Request goes to Nginx web server.
  2. The reverse proxy redirects the traffic to the localhost:8080 (or custom IP: port) where Jenkins is running.
  3. Jenkins will serve the request and give the response to Nginx
  4. Nginx will return the response.

You can do the same with Apache, HAProxy, and squid, see

Upvotes: 5

Daniel Scott

Reputation: 7971

You'll need to pass a parameter for the keystore or .pem file of the private key

https://wiki.jenkins-ci.org/display/JENKINS/Starting+and+Accessing+Jenkins

Upvotes: 3
