It is very important to secure Jenkins by enabling SSL which runs in a project environment. This article walks you through the step by step guide for configuring SSL on a Jenkins server.
Following are the steps involved in configuring SSL on Jenkins server.
- Obtain SSL certificates
- Convert SSL keys to PKCS12 format
- Convert PKCS12 to JKS format
- Add JKS to Jenkins path
- Configure Jenkins startup to use the JKS file.
- Validate Jenkins SSL
Lets get started with the setup
Step 1: Obtain Domain & SSL Certificates
You should have a valid domain pointing to Jenkins server IP to configure SSL. The domain can be internal or external based on your organisations infrastructure.
SSL certificated can be obtained using the following methods.
- In most cases, you will be having Jenkins in a private environment with an internal DNS and you can obtain the internal SSL certificates from the respective organizations.
- You can also create self-signed SSL certificates using OpenSSL. Follow this blog, generate SSL certificates to create self-signed certificates using OpenSSL.
- Also, you can use services as let’s encrypt for valid SSL certificates. But these certificates have to be renewed every three months.
Step 2: Convert SSL keys to PKCS12 format
Note: If you already have the certificate in
.pfxformat, you don’t have to do this conversion.
The command given below converts SSL certs to intermediate PKCS12 format named
jenkins_keystore.p12. Make sure you have the following certs with you before executing the command.
jenkins.devopscube.comin the command with your own alias name
your-strong-passwordwith a strong password.
openssl pkcs12 -export -out jenkins.p12 \ -passout 'pass:your-strong-password' -inkey server.key \ -in server.crt -certfile ca.crt -name jenkins.devopscube.com
Step 3: Convert PKCS12 to JKS format
Use the following keytool command to convert
jenkins.p12 file to JKS format.
Replace the following with your own values.
-srcstorepass– Password used in Step 3
-deststorepass– Replace with a strong password.
-srcalias– alias name used in step 2
-destalias– Replace with a destination alias name.
keytool -importkeystore -srckeystore jenkins_keystore.p12 \ -srcstorepass 'your-secret-password' -srcstoretype PKCS12 \ -srcalias jenkins.devopscube.com -deststoretype JKS \ -destkeystore jenkins.jks -deststorepass 'your-secret-password' \ -destalias jenkins.devopscube.com
You should see a file named
jenkins.jks in you current location.
Step 4: Add JKS to Jenkins path
jenkins_keystore.jks file should be saved in a specific location where Jenkins can access it.
Lets create a folder and move the
jenkins.jks key to that location.
mkdir -p /etc/jenkins cp jenkins_keystore.jks /etc/jenkins/
Change the permissions of the keys and folder.
chown -R jenkins: /etc/jenkins chmod 700 /etc/jenkins chmod 600 /etc/jenkins/jenkins.jks
Step 5: Modify Jenkins Configuration for SSL
All the key Jenkins startup configurations are present in
/etc/sysconfig/jenkins file. All the SSL based configurations go into this file.
Open the file
sudo vi /etc/sysconfig/jenkins
Find and replace the values in the file as shown below.
your-keystore-passwordwith the Keystore password, you set in step 3
JENKINS_PORT="-1" JENKINS_HTTPS_PORT="8443" JENKINS_HTTPS_KEYSTORE="/etc/jenkins/jenkins.jks" JENKINS_HTTPS_KEYSTORE_PASSWORD="<your-keystore-password>" JENKINS_HTTPS_LISTEN_ADDRESS="0.0.0.0"
Save the configuration and restart Jenkins.
sudo systemctl restart jenkins
Check Jenkins status.
sudo systemctl status jenkins
Step 6: Validate SSL
Now you should be able to access Jenkins over https with port 8443
You can also use curl to verify SSL
curl -k https://<jenkins-dns/ip>:8400