Enable HTTPS in jenkins?

Posted 2020-02-09 03:46

Question:

I have a private network with a local IP. I want to enable HTTPS for my Jenkins server, which is at static IP W.X.Y.Z:8080.

Jenkins version 2.9
java version "1.7.0_111"
OpenJDK Runtime Environment (IcedTea 2.6.7) (7u111-2.6.7-0ubuntu0.14.04.3)
OpenJDK 64-Bit Server VM (build 24.111-b01, mixed mode)

I have tried configuring the following arguments in the /etc/defaults/jenkins file:

HTTP_PORT=-1
JENKINS_ARGS="--webroot=/var/cache/$NAME/war -DsessionTimeout=1 --httpPort=$HTTP_PORT  --httpsPort=8081"

But I get the following errors. Please help.

Running from: /usr/share/jenkins/jenkins.war
webroot: $user.home/.jenkins
Oct 19, 2016 2:18:48 PM org.eclipse.jetty.util.log.JavaUtilLog info
INFO: Logging initialized @811ms
Oct 19, 2016 2:18:48 PM winstone.Logger logInternal
INFO: Beginning extraction from war file
Oct 19, 2016 2:18:48 PM org.eclipse.jetty.util.log.JavaUtilLog warn
WARNING: Empty contextPath
Using one-time self-signed certificate
Oct 19, 2016 2:18:48 PM winstone.Logger logInternal
INFO: Winstone shutdown successfully
Oct 19, 2016 2:18:48 PM winstone.Logger logInternal
SEVERE: Container startup failed
java.io.IOException: Failed to start a listener
winstone.HttpsConnectorFactory
at winstone.Launcher.spawnListener(Launcher.java:207)
at winstone.Launcher.<init>(Launcher.java:149)
at winstone.Launcher.main(Launcher.java:352)
at sun.reflect.NativeMethodAccessorImpl.invoke0

I found similar issues resolved here, but it didn't work for me.

EDIT1: The following changes have been tried in the /etc/defaults/jenkins file and Jenkins was restarted, but it didn't work for me.

HTTP_PORT=-1
JENKINS_ARGS="--webroot=/var/cache/$NAME/war -DsessionTimeout=1 --httpPort=$HTTP_PORT   --httpsPort=8443 --httpsCertificate=cert.pem --httpsPrivateKey=key.pem"

https://issues.jenkins-ci.org/browse/JENKINS-34463

https://issues.jenkins-ci.org/browse/JENKINS-25333

Answer 1:

You can enable Jenkins via HTTPS with the following steps:

Step1: Create Certificate using java

keytool -genkey -keyalg RSA -alias "localhost" -keystore "C:\Users\username\Desktop\New folder\localhost.jks" -validity 365 -keysize 2048 -dname "CN=localhost, OU=OU_name, O=OU_name, L=city, ST=State_name, C=two_letter_country_code" -ext SAN=dns:localhost,ip:ip_address -storepass changeit

Step2: Export p12 Public Certificate from key-store file

keytool -importkeystore -srckeystore "C:\Users\username\Desktop\New folder\localhost.jks" -storepass changeit -destkeystore "C:\Users\username\Desktop\New folder\localhost.p12" -srcstoretype JKS -deststoretype PKCS12 -deststorepass changeit

Step3: Host Jenkins using key-store (JKS) file

java -jar jenkins.war --httpsPort=8082 --httpPort=-1 --httpsKeyStore="C:\Users\username\Desktop\New folder\localhost.jks" --httpsKeyStorePassword=changeit

Step4: Import the Certificate into Browser

You may have a question like why we have exported the p12 certificate. Well, this is the certificate we are going to import into the browser where we access Jenkins. The same p12 certificate can be shared between multiple users. For example, in Chrome go to Settings > search for "Manage Certificate" and click on "Manage Certificate"; you will get a "Certificate" window. Import the certificate into each tab (Personal, Other People, Intermediate Certification Authorities, Trusted Root Certification Authorities, Trusted Publishers and Untrusted Publishers).



Answer 2:

You'll need to pass a parameter for the keystore or the .pem file of the private key.

https://wiki.jenkins-ci.org/display/JENKINS/Starting+and+Accessing+Jenkins
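
Added example (not part of any answer here and not Jenkins project code): the keystore options from the answers applied to the asker's Ubuntu defaults file. It creates a JKS keystore with the server IP in the SAN, refuses a keystore that group or others can access, and prints the JENKINS_ARGS line with plain HTTP disabled. The function names, the paths, the 192.0.2.10 address and the password are placeholders.

```shell
#!/usr/bin/env bash
# Added example: function names, paths and sample values are placeholders.

# Create a self-signed RSA key pair in a JKS keystore, with the server IP in
# the SAN so clients that connect by IP can match the certificate.
make_keystore() {  # usage: make_keystore <keystore> <ip> <storepass>
    keytool -genkey -keyalg RSA -keysize 2048 -validity 365 \
        -alias jenkins -keystore "$1" -storetype JKS \
        -dname "CN=$2" -ext "SAN=ip:$2" \
        -storepass "$3" -keypass "$3" && chmod 600 "$1"
}

# Succeed only if the keystore is a readable regular file with no group or
# other permission bits set (it holds the private key).
keystore_is_private() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the JENKINS_ARGS line: plain HTTP off, HTTPS on <port>.
# Assumes the password contains no spaces or double quotes.
jenkins_https_args() {  # usage: jenkins_https_args <keystore> <storepass> <port>
    keystore_is_private "$1" || {
        echo "keystore missing or accessible to group/others: $1" >&2; return 1; }
    case "$3" in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac
    # An unprivileged service account cannot bind ports below 1024 by default.
    [ "$3" -ge 1024 ] && [ "$3" -le 65535 ] || {
        echo "use a port in 1024-65535" >&2; return 1; }
    printf 'JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=-1 --httpsPort=%s --httpsKeyStore=%s --httpsKeyStorePassword=%s"\n' \
        "$3" "$1" "$2"
}

# Typical use, run as the account that starts Jenkins:
#   make_keystore /var/lib/jenkins/jenkins.jks 192.0.2.10 'changeit'
#   jenkins_https_args /var/lib/jenkins/jenkins.jks 'changeit' 8443
```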



Answer 3:

(If you have a valid certificate and you do not want to enable HTTPS for your Jenkins but still want SSL-enabled traffic, then here is another way.)

In my case, I put Jenkins behind my Nginx webserver.

So here are the steps which I follow:

1.) I have installed Nginx server. (sudo apt-get install nginx)

2.) Copy the cert files in that machine. (Files are: .crt and .key )

3.) Changed the nginx configuration in /etc/nginx/sites-available/default file.

like

ssl_certificate /etc/nginx/<my-cert>.crt;

ssl_certificate_key /etc/nginx/<my-cert>.key;

4.) Follow the steps mentioned here: https://wiki.jenkins.io/display/JENKINS/Running+Jenkins+behind+Nginx

5.) And everything works like a charm...


By doing these steps the request flow will be like this:


1.) Request goes to Nginx web server.

2.) Where there is a reverse proxy which redirects the traffic to the localhost:8080 (or custom IP: port) (where Jenkins is running.)

3.) Jenkins will serve the request and give the response to Nginx.

4.) Nginx will return the response.

Note: You can do the same with Apache, HAProxy and squid.

(Ref: https://wiki.jenkins.io/pages/viewpage.action?pageId=135468777 , https://wiki.jenkins.io/display/JENKINS/Running+Jenkins+behind+Nginx )

Edit: One more link: https://wiki.jenkins.io/display/JENKINS/Jenkins+behind+an+NGinX+reverse+proxy



Answer 4:

This is quite interesting. If you have a new instance of Jenkins which is a copy of your old Jenkins instance, copy the cacerts, which will be located at D:\Jenkins\jre\lib\security (sample directory structure), to the jre/secrets folder of your existing new Jenkins instance. In jenkins.xml, change the arguments accordingly. Here is the sample:

-Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "%BASE%\jenkins.war" --httpPort=-1 --httpsPort=8443 --httpsKeyStore="%BASE%\secrets\keystore" --httpsKeyStorePassword=your.password.here