We've recently set up a Jenkins CI server on Windows. Now in order to use Active Directory authentication I'd like to require https (SSL/TLS) for access. Given this setup, what is the recommended way to do this?

- Are you running Jenkins under a servlet container such as Tomcat? – Bernard Mar 15 '11 at 15:36
- No, just as a Windows service (which I guess is still using Winstone as the servlet container?). – Nick Jones Mar 15 '11 at 17:31
3 Answers
Go to your `%JENKINS_HOME%` and modify the `jenkins.xml`. Where you see `--httpPort=8080` change it to `--httpPort=-1 --httpsPort=8080`. You can make the ports anything you want of course, but in my testing (a while ago, it may have changed) if you don't keep `--httpPort=<something>` then Jenkins will always use 8080. So if you simply change `--httpPort=8080` to `--httpsPort=8080`, port 8080 will still use http.

Also, if you want to use your own certificate, there are some instructions at the bottom of this page.
http://wiki.jenkins-ci.org/display/JENKINS/Starting+and+Accessing+Jenkins

- Thanks George, I've gone through all the steps on the page you linked to. At this point I've got a winstone.ks keystore in my Jenkins folder (and can verify its contents using the java keytool). However, when I restart Jenkins, I get this: `[Winstone 2011/03/16 15:44:21] - Error during HTTPS listener init or shutdown java.security.UnrecoverableKeyException: Cannot recover key` followed by the rest of the stack trace. I'm sure the keystore password is correct. Any ideas? – Nick Jones Mar 16 '11 at 20:53
- Just to close off this topic, the problem I'd run into was that the keystore password and the certificate password (entered when generating the CSR) were different. Once I recreated the keystore with a password that matched the certificate password, the problem was solved. – Nick Jones Mar 31 '11 at 14:39
- Note for those looking to do the same on a CentOS machine, the suggested changes can be made to the file found in `/etc/sysconfig/jenkins` – dkinzer May 06 '12 at 18:23
- One other thing is that I needed to set `--httpPort=-1` or it wouldn't work. – dkinzer May 06 '12 at 18:34
- You'd definitely want to also generate a self-signed certificate in JKS format as described in [that other answer](http://stackoverflow.com/a/9610431/1127485), and use it by adding `--httpsKeyStore=path/to/keystore --httpsKeyStorePassword=keystorePassword` to "jenkins.xml" as described in the [Jenkins Wiki](https://wiki.jenkins-ci.org/display/JENKINS/Starting+and+Accessing+Jenkins). Otherwise Jenkins seems to generate a new certificate each time it restarts, triggering the "Untrusted connection" dialog in Firefox each time as the fingerprints vary. – sschuberth Feb 03 '15 at 22:31
- I created a self-signed cert per the instructions and it worked perfectly. The only hiccup was that I had to reference the address by IP instead of localhost and immediately I could access Jenkins. – Ryan Rodemoyer Mar 24 '16 at 21:20
Run:
`keytool -genkey -keyalg RSA -keystore Jenkins.jks -alias [Name of website] -keysize 2048`
Answer the questions, remembering that "First and last name" is the website URL and should be lowercase. Example: `build.jenkins-ci.org`. "State or province" cannot be abbreviated.
Run:
`keytool -certreq -keystore jenkins.jks -alias [Name of website] -file jenkins.csr -keysize 2048`
Send `Jenkins.csr` to your cert provider and request a PKCS#7 cert, which has a `.p7b` extension and starts with:
`-----BEGIN PKCS #7 SIGNED DATA-----`
Note: Trial certs are not normally available in `.p7b` format, but you may be able to combine the `.cer` files using this tool, which reported success but didn't work for me. (https://www.sslshopper.com/ssl-converter.html)
Run:
`keytool -import -trustcacerts -file jenkins.p7b -keystore jenkins.jks -alias [Name of website]`
Change the `arguments` node in `Jenkins.xml` to the following, respectively.
`<arguments>-Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "%BASE%\jenkins.war" --httpPort=-1 --httpsPort=443 --httpsKeyStore="%BASE%\Cert\Jenkins.jks" --httpsKeyStorePassword=[Cert password from step 1]</arguments>`
Troubleshooting:
- If Jenkins doesn't start, read the last lines from `Jenkins.err.log`.
- If Jenkins didn't start because of an issue with `Jenkins.xml`, replace the `–` (weird Windows hyphen) characters with an actual `-` (ASCII hyphen).
- If Jenkins starts but the cert still reads as bad, make sure the `[Name of website]` is the actual URL without the `https:`. Example: `https://build.jenkins-ci.org` would be `build.jenkins-ci.org`.
- If that isn't the issue, inspect the `.jks` file using KeyStore Explorer. The "Certificate Hierarchy" should show that each cert is nested in another; this is to illustrate the cert chain. If it shows the certs next to each other then it's not correct.
- If it won't start on a specific port, 443 for example, then verify IIS or another app isn't currently using the port.
- If you can see the site on the PC it's hosted on, but not another PC, then verify you aren't getting blocked by a firewall.

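As an added example (not code from the answer above or from the Jenkins project), a small Python check for the `<arguments>` node of `jenkins.xml` that catches the failure modes discussed on this page: non-ASCII dashes in the arguments line, `--httpPort` left at a real port so plain HTTP stays reachable, and a missing `--httpsKeyStore`/`--httpsKeyStorePassword` pair, which leaves Winstone generating a fresh self-signed certificate on every restart as sschuberth's comment describes. The two XML samples are constructed for the example; the password value is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Dash look-alikes that land in jenkins.xml when the arguments line is pasted
# from a browser or Word: en dash, em dash, Unicode minus sign.
DASHES = "\u2013\u2014\u2212"

def normalize_dashes(text):
    """Replace Unicode dash look-alikes with the ASCII hyphen Winstone expects."""
    return text.translate({ord(c): "-" for c in DASHES})

def parse_winstone_args(arguments):
    """Collect the --name=value Winstone options from an <arguments> string."""
    opts = {}
    for m in re.finditer(r'--([A-Za-z]+)=("[^"]*"|\S+)', arguments):
        opts[m.group(1)] = m.group(2).strip('"')
    return opts

def check_https_config(xml_text):
    """Return a list of findings for the <arguments> node of a jenkins.xml."""
    findings = []
    if any(c in xml_text for c in DASHES):
        findings.append("non-ASCII dash in jenkins.xml; replace it with '-'")
    root = ET.fromstring(normalize_dashes(xml_text))
    node = root.find("arguments")
    if node is None:
        return findings + ["no <arguments> node found"]
    opts = parse_winstone_args(node.text or "")
    if opts.get("httpPort") != "-1":
        findings.append("httpPort is not -1; the plain-HTTP listener stays up")
    if "httpsPort" not in opts:
        findings.append("httpsPort missing; no HTTPS listener will start")
    if "httpsKeyStore" not in opts or "httpsKeyStorePassword" not in opts:
        findings.append("httpsKeyStore/httpsKeyStorePassword missing; "
                        "Winstone falls back to a throwaway self-signed cert")
    return findings

# Constructed samples (not from a real server). BAD_XML carries an en dash
# and leaves HTTP on; GOOD_XML is the layout the answer above recommends.
BAD_XML = ('<service><arguments>-Xrs -jar "%BASE%\\jenkins.war" '
           '\u2013\u2013httpPort=8080 --httpsPort=443 '
           '--httpsKeyStore="%BASE%\\Cert\\Jenkins.jks"</arguments></service>')
GOOD_XML = ('<service><arguments>-Xrs -jar "%BASE%\\jenkins.war" '
            '--httpPort=-1 --httpsPort=443 '
            '--httpsKeyStore="%BASE%\\Cert\\Jenkins.jks" '
            '--httpsKeyStorePassword=PLACEHOLDER</arguments></service>')
# check_https_config(BAD_XML) reports three findings; GOOD_XML reports none.
```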
- I just wanted to comment that this set of instructions worked flawlessly for me when I needed to set up a new Jenkins build server from scratch. – Nick Jones Jul 26 '12 at 15:42
- Hi, I know this is old, but is there any way to convert a .crt file into jks? – derHugo Apr 19 '18 at 12:48
Step 1: Create both public and private certificates in your Jenkins name (convert them into a keystore file if they are not).
Step 2: Import the public certificate into your browser's certificate manager (import into all tabs).
Step 3: Host your Jenkins using the JKS file which contains both the public and private key.
For steps refer to "Enable HTTPS in jenkins?"
