It is important to secure a Jenkins server running in a project environment by enabling SSL (HTTPS). This article walks you through a step-by-step guide for configuring SSL on a Jenkins server.
The following steps are involved in configuring SSL on the Jenkins server.
- Obtain SSL certificates
- Convert SSL keys to PKCS12 format
- Convert PKCS12 to JKS format
- Add JKS to Jenkins path
- Configure Jenkins startup to use the JKS file
- Validate Jenkins SSL
Let’s get started with the setup.
Step 1: Obtain Domain & SSL Certificates
You should have a valid domain name pointing to the Jenkins server IP before configuring SSL. The domain can be internal or external, depending on your organization’s infrastructure.
An SSL certificate can be obtained in one of the following ways.
- In most cases, Jenkins runs in a private environment with an internal DNS, and you can obtain an internal SSL certificate from your organization’s certificate authority team.
- You can also create a self-signed SSL certificate using OpenSSL. See the guide on creating self-signed certificates using OpenSSL.
- You can also use a service such as Let’s Encrypt for publicly valid SSL certificates, but those certificates have to be renewed every three months.
Step 2: Convert SSL keys to PKCS12 format
Note: If you already have the certificate in .p12 or .pfx format, you don’t have to do this conversion.
The command given below converts the SSL certs to an intermediate PKCS12 file named jenkins.p12. Make sure you have the following certs with you before executing the command.
- ca.crt
- server.key
- server.crt
Also,
- Replace jenkins.devopscube.com in the command with your own alias name.
- Replace your-strong-password with a strong password.
openssl pkcs12 -export -out jenkins.p12 \
  -passout 'pass:your-strong-password' -inkey server.key \
  -in server.crt -certfile ca.crt -name jenkins.devopscube.com
Step 3: Convert PKCS12 to JKS format
Use the following keytool command to convert the jenkins.p12 file to JKS format.
Replace the following with your own values.
- -srcstorepass – the password used in Step 2 (the -passout value)
- -deststorepass – replace with a strong password
- -srcalias – the alias name used in Step 2
- -destalias – replace with a destination alias name
keytool -importkeystore -srckeystore jenkins.p12 \
  -srcstorepass 'your-strong-password' -srcstoretype PKCS12 \
  -srcalias jenkins.devopscube.com -deststoretype JKS \
  -destkeystore jenkins.jks -deststorepass 'your-secret-password' \
  -destalias jenkins.devopscube.com
You should see a file named jenkins.jks in your current directory.
Step 4: Add JKS to Jenkins path
The jenkins.jks file should be saved in a specific location where Jenkins can access it.
Let’s create a folder and move the jenkins.jks keystore to that location.
mkdir -p /etc/jenkins
cp jenkins.jks /etc/jenkins/
Change the ownership and permissions of the folder and the keystore so that only the jenkins user can read it.
chown -R jenkins: /etc/jenkins
chmod 700 /etc/jenkins
chmod 600 /etc/jenkins/jenkins.jks
Step 5: Modify Jenkins Configuration for SSL
All the key Jenkins startup configurations are present in the /etc/sysconfig/jenkins file (the sysconfig layout used by the RPM-based packages). All the SSL-based configurations go into this file. On newer Jenkins packages that ship their own systemd unit, the same variables are set as Environment= overrides with sudo systemctl edit jenkins instead of in this file.
Open the file:
sudo vi /etc/sysconfig/jenkins
Find and replace the values in the file as shown below.
Note: Replace your-keystore-password with the keystore password you set in Step 3 (the -deststorepass value). You can use either 443 or 8443 for the HTTPS port. JENKINS_PORT="-1" disables the plain HTTP listener, so Jenkins is reachable only over HTTPS.
JENKINS_PORT="-1"
JENKINS_HTTPS_PORT="8443"
JENKINS_HTTPS_KEYSTORE="/etc/jenkins/jenkins.jks"
JENKINS_HTTPS_KEYSTORE_PASSWORD="<your-keystore-password>"
JENKINS_HTTPS_LISTEN_ADDRESS="0.0.0.0"
Save the configuration and restart Jenkins.
sudo systemctl restart jenkins
Check the Jenkins status.
sudo systemctl status jenkins
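A quick way to catch the mistakes that most often leave an HTTPS setup weaker than intended (plain HTTP still listening, placeholder password left in place, keystore readable by other users) is to lint the sysconfig file before restarting. The script below is an added example, not part of the original article or of Jenkins itself: it parses the KEY="value" lines that the Jenkins init script sources and reports each weak setting by a short code. The sample config contents and the temporary keystore file it creates are constructed; the finding codes are this script's own.

```python
"""Lint a Jenkins sysconfig file for the HTTPS settings from Step 5 (added example)."""
import os
import re
import stat
import tempfile

_ASSIGN = re.compile(r'^([A-Z_][A-Z0-9_]*)=(.*)$')

# Values that mean the keystore password was never really set.
# "changeit" is Java's well-known default keystore password.
PLACEHOLDER_PASSWORDS = {"", "<your-keystore-password>", "your-keystore-password", "changeit"}


def parse_sysconfig(text):
    """Parse KEY="value" assignments; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]          # strip matching surrounding quotes
        settings[key] = value
    return settings


def lint_jenkins_tls(config_path):
    """Return a list of finding codes for the HTTPS settings in config_path."""
    with open(config_path, encoding="utf-8") as fh:
        s = parse_sysconfig(fh.read())
    findings = []
    if s.get("JENKINS_PORT", "8080") != "-1":
        findings.append("HTTP_ENABLED")            # plain HTTP listener still open
    https_port = s.get("JENKINS_HTTPS_PORT", "")
    if not https_port.isdigit():
        findings.append("HTTPS_PORT_UNSET")
    elif https_port not in ("443", "8443"):
        findings.append("HTTPS_PORT_UNUSUAL")      # not one of the ports the article uses
    keystore = s.get("JENKINS_HTTPS_KEYSTORE", "")
    if not keystore or not os.path.isfile(keystore):
        findings.append("KEYSTORE_MISSING")
    elif stat.S_IMODE(os.stat(keystore).st_mode) & 0o077:
        findings.append("KEYSTORE_PERMS")          # group/other can read the private key
    if s.get("JENKINS_HTTPS_KEYSTORE_PASSWORD", "") in PLACEHOLDER_PASSWORDS:
        findings.append("PLACEHOLDER_PASSWORD")
    return findings


# Constructed sample: HTTP still enabled and the placeholder password left in.
WEAK_CONFIG = """JENKINS_PORT="8080"
JENKINS_HTTPS_PORT="8443"
JENKINS_HTTPS_KEYSTORE="{ks}"
JENKINS_HTTPS_KEYSTORE_PASSWORD="<your-keystore-password>"
JENKINS_HTTPS_LISTEN_ADDRESS="0.0.0.0"
"""

# Constructed sample: the corrected file (password value is made up).
HARDENED_CONFIG = """JENKINS_PORT="-1"
JENKINS_HTTPS_PORT="8443"
JENKINS_HTTPS_KEYSTORE="{ks}"
JENKINS_HTTPS_KEYSTORE_PASSWORD="c0nstructed-Example-Pw"
JENKINS_HTTPS_LISTEN_ADDRESS="0.0.0.0"
"""


def demo():
    """Lint the weak and hardened samples against a temporary (fake) keystore file."""
    with tempfile.TemporaryDirectory() as tmp:
        ks = os.path.join(tmp, "jenkins.jks")
        with open(ks, "wb") as fh:
            fh.write(b"not a real keystore")      # constructed placeholder file
        os.chmod(ks, 0o644)                         # too permissive, as after a plain cp
        weak = os.path.join(tmp, "jenkins.weak")
        with open(weak, "w", encoding="utf-8") as fh:
            fh.write(WEAK_CONFIG.format(ks=ks))
        before = lint_jenkins_tls(weak)
        os.chmod(ks, 0o600)                         # chmod 600 from Step 4
        hard = os.path.join(tmp, "jenkins.hardened")
        with open(hard, "w", encoding="utf-8") as fh:
            fh.write(HARDENED_CONFIG.format(ks=ks))
        after = lint_jenkins_tls(hard)
    return before, after


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sysconfig/jenkins"
    print(lint_jenkins_tls(path) or "no findings")
```

Run it as root against the real file (python3 lint.py /etc/sysconfig/jenkins) after editing and before the restart; an empty result means the HTTP port is off, the keystore exists with mode 600 and the password is no longer the placeholder.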
Step 6: Validate SSL
Now you should be able to access Jenkins over HTTPS on port 8443:
https://<jenkins-dns/ip>:8443
You can also use curl to verify SSL:
curl -k https://<jenkins-dns/ip>:8443
The -k flag makes curl skip certificate verification, which is needed only for a self-signed certificate. With a CA-issued certificate, drop the flag (or pass --cacert ca.crt for an internal CA) so curl actually verifies the chain.
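A validation that does what curl -k skips is to open a verified TLS connection and then check that the presented certificate covers the Jenkins hostname and is not about to expire. The following is an added example, not code from the original article: fetch_peer_cert verifies the chain against cafile (your internal ca.crt, or the system trust store when cafile is None) and inspect_cert checks the names and remaining validity. The host, port, cafile and the SAMPLE_CERT dictionary are assumptions; SAMPLE_CERT is constructed in the shape returned by ssl.SSLSocket.getpeercert().

```python
"""Verify the Jenkins HTTPS endpoint with chain, hostname and expiry checks (added example)."""
import socket
import ssl
import time


def fetch_peer_cert(host, port=8443, cafile=None):
    """Connect with verification ON and return (cert dict, negotiated TLS version)."""
    ctx = ssl.create_default_context(cafile=cafile)   # raises on an untrusted chain
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()


def _dns_match(pattern, hostname):
    """Match one DNS name: exact, or a single leading wildcard label (*.example.com)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        # The wildcard covers exactly one label, not zero and not several.
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def inspect_cert(cert, hostname, now=None):
    """Return {'name_ok', 'days_left', 'names'} for a getpeercert() dict."""
    now = time.time() if now is None else now
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        # Only fall back to the CN when the certificate carries no SAN at all.
        names = [value for rdn in cert.get("subject", ())
                 for kind, value in rdn if kind == "commonName"]
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "name_ok": any(_dns_match(name, hostname) for name in names),
        "days_left": int((expires - now) // 86400),
        "names": names,
    }


def check_jenkins(host, port=8443, cafile=None, min_days=14):
    """Full check: verified connection, hostname covered, at least min_days validity left."""
    cert, version = fetch_peer_cert(host, port, cafile)
    result = inspect_cert(cert, host)
    result["tls_version"] = version
    result["ok"] = result["name_ok"] and result["days_left"] >= min_days
    return result


# Constructed sample certificate; the wildcard entry is made up for the demo.
SAMPLE_CERT = {
    "subject": ((("commonName", "jenkins.devopscube.com"),),),
    "subjectAltName": (("DNS", "jenkins.devopscube.com"), ("DNS", "*.ci.devopscube.com")),
    "notAfter": "Jun 15 00:00:00 2026 GMT",
}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "jenkins.devopscube.com"
    cafile = sys.argv[2] if len(sys.argv) > 2 else None   # e.g. ca.crt for an internal CA
    print(check_jenkins(host, cafile=cafile))
```

A failed chain check surfaces as an ssl.SSLCertVerificationError from fetch_peer_cert, which is exactly the condition curl -k hides; name_ok being False means the certificate was issued for a different name than the one users will type.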
Conclusion
In this Jenkins tutorial, you have learned how to run Jenkins on HTTPS.
Next, you can check out the following blogs on the Jenkins agent setup.
12 comments
Is ‘curl -k’ really the best way to test an SSL certificate? The -k flag allows for insecure HTTPS calls.
Hi David, Only if you are using self signed certificates.
If you have a valid certificate you don’t have to use -k.
Thank you everyone for tuning up good content
Can it be possible without using secret key password
Yes. You can bypass the password option by ignoring it in the command.
Hello team
At Step 4, shouldn’t the name be jenkins.jks instead of jenkins-keystore.jks.
cp jenkins_keystore.jks /etc/jenkins/
Please confirm and thank for the detailed article.
Thanks
Hi Sri,
You are correct. We have made the change in step 4. Thanks, and glad the article helped.
Just wanted to note that converting to JKS is no longer necessary (assuming you are using Java 8+). Java is able to utilize P12 as a keystore.
Got to step 5 and that was it. Have a valid JKS file, edited the Jenkins config, but the site would not load.
What does the service status command show?
At step 2 we are generating jenkins.p12, but in step 3 we are giving the input as jenkins_keystore.p12.
Could you please modify that file name from jenkins_keystore.p12 to jenkins.p12
At step 6: https://:8400
Please modify 8400 to 8443
Thank you very much for providing the very detailed blog article on this topic
Thanks, Hari for letting us know. We have made the changes.