It is very important to secure Jenkins by enabling SSL which runs in a project environment. This article walks you through the step-by-step guide for configuring SSL on a Jenkins server.<\/p>\n
Following are the steps involved in configuring SSL on the Jenkins server.<\/p>\n
Let’s get started with the setup<\/p>\n
You should have a valid domain pointing to Jenkins server IP to configure SSL. The domain can be internal or external based on your organization’s infrastructure.<\/p>\n
SSL certificate can be obtained using the following methods.<\/p>\n
Note:<\/strong> If you already have the certificate in
.p12<\/code> or.pfx<\/code> format, you don’t have to do this conversion.<\/p><\/blockquote>\nThe command given below converts SSL certs to intermediate PKCS12 format named
jenkins.p12<\/code>. Make sure you have the following certs with you before executing the command.<\/p>\n\n
- ca.crt<\/li>\n
- server.key<\/li>\n
- server.crt<\/li>\n<\/ol>\n
Also,<\/p>\n
\n
- Replace
jenkins.devopscube.com<\/code> in the command with your own alias name<\/li>\n- Replace
your-strong-password<\/code> with a strong password.<\/li>\n<\/ol>\nopenssl pkcs12 -export -out jenkins.p12 \\\n-passout 'pass:your-strong-password' -inkey server.key \\\n-in server.crt -certfile ca.crt -name jenkins.devopscube.com<\/code><\/pre>\nStep 3: Convert PKCS12 to JKS format<\/h3>\n
Use the following keytool command to convert
jenkins.p12<\/code> file to JKS format.<\/p>\nReplace the following with your own values.<\/p>\n
\n
-srcstorepass<\/code> – Password used in Step 3<\/li>\n-deststorepass<\/code> – Replace with a strong password.<\/li>\n-srcalias <\/code>– alias name used in step 2<\/li>\n-destalias<\/code> – Replace with a destination alias name.<\/li>\n<\/ol>\nkeytool -importkeystore -srckeystore jenkins.p12 \\\n-srcstorepass 'your-secret-password' -srcstoretype PKCS12 \\\n-srcalias jenkins.devopscube.com -deststoretype JKS \\\n-destkeystore jenkins.jks -deststorepass 'your-secret-password' \\\n-destalias jenkins.devopscube.com<\/code><\/pre>\nYou should see a file named
jenkins.jks<\/code> in you current location.<\/p>\nStep 4: Add JKS to Jenkins path<\/h3>\n
jenkins.jks<\/code> file should be saved in a specific location where Jenkins can access it.<\/p>\nLet’s create a folder and move the
jenkins.jks<\/code> key to that location.<\/p>\nmkdir -p \/etc\/jenkins\ncp jenkins.jks \/etc\/jenkins\/<\/code><\/pre>\nChange the permissions of the keys and folder.<\/p>\n
chown -R jenkins: \/etc\/jenkins\nchmod 700 \/etc\/jenkins\nchmod 600 \/etc\/jenkins\/jenkins.jks<\/code><\/pre>\nStep 5: Modify Jenkins Configuration for SSL<\/h3>\n
All the key Jenkins startup configurations are present in
\/etc\/sysconfig\/jenkins<\/code> file. All the SSL-based configurations go into this file.<\/p>\nOpen the file<\/p>\n
sudo vi \/etc\/sysconfig\/jenkins<\/code><\/pre>\nFind and replace the values in the file as shown below.<\/p>\n
Note:<\/strong> Replace
your-keystore-password <\/code>with the Keystore password, you set in step 3. Also you can use either 443 or 8443 for ports.<\/p><\/blockquote>\nJENKINS_PORT=\"-1\"\nJENKINS_HTTPS_PORT=\"8443\"\nJENKINS_HTTPS_KEYSTORE=\"\/etc\/jenkins\/jenkins.jks\"\nJENKINS_HTTPS_KEYSTORE_PASSWORD=\"<your-keystore-password>\"\nJENKINS_HTTPS_LISTEN_ADDRESS=\"0.0.0.0\"<\/code><\/pre>\nSave the configuration and restart Jenkins.<\/p>\n
sudo systemctl restart jenkins<\/code><\/pre>\nCheck Jenkins status.<\/p>\n
sudo systemctl status jenkins<\/code><\/pre>\nStep 6: Validate SSL<\/h3>\n
Now you should be able to access Jenkins over HTTPS with port 8443<\/p>\n
https:\/\/<jenkins-dns\/ip>:8443<\/code><\/pre>\nYou can also use curl to verify SSL<\/p>\n
curl -k https:\/\/<jenkins-dns\/ip>:8443<\/code><\/pre>\nConclusion<\/h2>\n