How to Enable SSL in Jenkins

Captions
In this video we're going to talk about how to enable SSL in Jenkins. SSL certificates: we know that they're meant to help keep sensitive information encrypted as it traverses a network, but what if all of your traffic is on a private network? Do you still really need SSL certificates? Only you can answer that question, but in my opinion that answer is yes. In many companies SSL is offloaded to Apache or nginx or maybe even a hardware appliance; however, with Jenkins this is not necessary. In this video we are going to look at one way that you can install an SSL certificate into a Jenkins controller.

Here's today's starting point. I have a Jenkins LTS controller, version 2.289.3. This controller is running on CentOS 7.9. When it was installed, it was installed using "install suggested plugins". In the description below there is a gist that's going to have all the commands that we're running in this video.

Here we are at our controller. The URL you can see is jenkins.planetpope.com and port 8080. That's not a typical HTTPS port that you would use, and we can see that the lock is struck through and it tells us here that our connection is not secure. So the first thing that we're going to do is enable the HTTPS port inside of Jenkins. I'm going to go over to my shell and I'm going to become root. Now I can do this with sudo, but for now, just to make it simple, I'm going to do root. I'm going to say vi /etc/sysconfig (and this is sysconfig because I am on a CentOS-based server; if you're running on a Debian-based server it would be /etc/default) jenkins. Let's go look for HTTPS port. We can see it's there, so right now by default it is disabled. Let's go ahead and turn it on, so I'm going to say insert 8443.

Now I could set the port to 443, but that would mean that I would have to run my Jenkins instance as root. Any port below 1024 means I have to run it as root, but I don't want to do that, so I'm going to do sort of a standard 8443, and we will make 443 the real port a little bit later on. So let's go ahead and save this, get out of there and save it, and let's go ahead and restart our process. This will take just a few seconds, so let's go back over here while it's coming up. Let's go ahead and go to 8443 and go to HTTPS, so in theory, once it finishes starting up, we should land on a secure, quote-unquote, page. We can see here "potential security risk ahead". That sort of makes sense because we haven't actually installed a certificate yet; all we've done is enable HTTPS. So I'm going to click on Advanced. It says that jenkins.planetpope.com:8443 uses an invalid security certificate; it's self-signed. Well, let's take a look at that certificate and understand what it is. Since we turned on HTTPS within Jenkins (and remember, within Jenkins we're running Jetty), it issued a self-signed certificate, which is okay; I mean, that's what it is. But if we go ahead and say "all right, I know that's okay, I accept the risk" and then I go ahead and go in, well, now I've got HTTPS and 8443, and if I take a look at it, the connection is not secure. That's okay, and all of that's exactly what I expect, because again I don't have an SSL certificate in place. But the first step that we have to do, before we even deal with the SSL certificate, is enable that HTTPS port.

Now that we have the HTTPS port enabled, we're ready to go ahead and put our certificate in place. Before I started recording I created an SSL certificate from zerossl.com. You can do SSL certificates however you want: whether you have your own CA, or you're buying them from a standard DigiCert, GoDaddy, wherever you get your SSL certificates from, follow that process. I chose ZeroSSL because, number one, free, and number two, it gives me a certificate that all browsers understand without having to install that SSL certificate into the browser, thinking self-signed. I have nothing against self-signed, but to keep it simple for right now I just wanted my browser to be publicly signed.

So let's go ahead and flip over to our shell again. For my use case I am going to put my SSL certificate inside of my Jenkins home. This is up to you. Right now Jenkins is running as the jenkins user, so in order to be able to read these files, which will be the key and the certificate, I need to put them somewhere that the jenkins user can read them, and for my time right now I'm just going to create a .ssl directory. You can choose to do whatever you want; this is just how I'm going to do mine. Also, the way that I name my files is I name them what they are, so the domain name and then .key. Here I'm going to grab my key file, so let me grab the key. We can take a look at it; it's just standard RSA keys, that's what I'm using here. Oops, I went too far; undo, there we go. I want to get rid of that last line. There we go, and all of that looks good. I'm also going to go ahead and create my certificate, oops, jenkins.crt, and you can name it whatever you want. Now with ZeroSSL it has an intermediate certificate as well. When you're generating your certificates, your CA may have an intermediate certificate or multiple intermediate certificates, so what I'm doing is I'm creating a single file that has both my certificate for jenkins.planetpope.com and also the intermediate certificate in it. Let me show you what that really is. If we take a look here, about halfway up we're going to see where I have an END CERTIFICATE and a BEGIN CERTIFICATE. This top certificate is the jenkins.planetpope.com; this bottom certificate is my intermediate certificate, so I'm just including both of these in this file that is named jenkins.planetpope.com.crt. Now, since I am root (I did sudo su), we can see here that my files are owned by root, but I'm inside of my Jenkins home directory, so the thing that I need to do is go ahead and change the ownership so the files are owned by jenkins. We can see here that now I've re-owned /var/lib/jenkins, which is my Jenkins home directory by default on CentOS, and I changed the owner and the group to jenkins, and we can see here with both files that they are both owned by jenkins.

Next up we need to make one more change to our sysconfig file (or if you're on Debian-based, /etc/default). So I'm going to do vi /etc/sysconfig/jenkins, I'm going to go to the bottom of the file and go down to JENKINS_ARGS, and at the end of this file I'm adding in two parameters, and this will be in the gist. I'm adding in a --httpsCertificate, so that's going to be the full path to my certificate, jenkins.planetpope.com.crt, and I'm adding in an --httpsPrivateKey, again /var/lib/jenkins/.ssl/jenkins.planetpope.com.key. Make sure it is in the quotes; it is. So this is in JENKINS_ARGS, not JENKINS_JAVA_ARGS but JENKINS_ARGS; this is at the bottom of the file within CentOS. Now that we've done that, let's go ahead and save it, and let's go ahead and restart our process and give this just a couple of seconds and let's see what happens. I'm going to go ahead and refresh this page, and now, look, our lock is there. Let's take a look at the lock: connection is secure. Let's take a look at this: "you are securely connected to this site, verified by ZeroSSL". Let's click on "more information", and if we take a look at our certificate (we're on the Security tab, and this is Firefox, View Certificate) we can see here jenkins.planetpope.com is there, here's our intermediate cert for ZeroSSL, and then finally the root certificate for USERTrust.

But here's the thing. Let's close this out and take a look again at our login screen. We can see that I am completely secure, HTTPS and 8443; however, I can still go directly to port 8080, and I want to completely disable my port 8080 traffic. I do not want any insecure traffic going into my controller. So how do we do that? Let's go back over to our sysconfig file again (this is CentOS; if you're on Debian that's /etc/default/jenkins). Let's edit our sysconfig and let's look for port, and we'll find that 8080 is near the top, roughly, and you'll notice here in the comment we need to set it to -1 to disable. So that's what we want to do: I'm going to say insert -1, and that's it. We just need to disable that port completely, so let's go ahead and do our restart one more time. As this restarts, notice what we have here: we're still sitting on jenkins:8080. I'm giving it just a second to restart, and now let's refresh, and the connection was reset, because there is no port 8080 listening anymore on that instance. So now that we've completely disabled our insecure traffic, port 8080, off of our controller, let's go back over to our secure side. If I go to HTTPS and go to 8443 we're still good; I get my login screen. But reminding people that they need to go to 8443 is going to become, let's call it, painful, because if I go right now to just 443 (in fact, let's just do https, because by default 443 is the default HTTPS port) nothing's going to happen, because I don't have a listener for 443.

In some places you might use a load balancer that would take care of routing that 443 to 8443, or use nginx or maybe Apache and do some redirects, but we can do this simply just by using firewalld. So let's go back over to our shell one more time and let's go ahead and clear this. Here's where we're going to start. The first thing we're going to do is add the https service; that's successful. Next up we are going to add a forward port for 443 to 8443; that's showing successful. In fact, let's go ahead and verify that that actually took by doing list-forward-ports: 443 is forwarding to 8443. Next up we need to basically save these two changes that we just made, so we're doing firewall-cmd --runtime-to-permanent; think of that as Command-S or Control-S. And then finally let's go ahead and reload all the changes in the firewall; that was successful. Now let's go back over to our browser and check out what happened. As we can see here, port 8443 is still listening. Now it's good to still go ahead and have 8443 open and available for checks; we just won't publish it to our end users. We can use that to make sure that, okay, if I'm getting to 8443 directly then I know that everything is working correctly; in case I've got a problem going from 443 to 8443, then I can isolate that to a firewalld problem. Now let's go ahead and get rid of the 8443 off the end, so all that we have is https://jenkins.planetpope.com, and we can see here that it went ahead and ran successfully, so we have https://jenkins.planetpope.com, no 8443.

Finally, there's one more thing that we should do. I'll leave it up to you if you're going to do it, but you should do it. Let's go ahead and log in; I'm logging in as somebody that has the ability to access Manage Jenkins, and what you'll see here is "it appears that your reverse proxy setup is broken". When I set up everything I didn't have SSL, so we can see here from our Jenkins URL that it is still reflecting what my Jenkins URL was when I did my initial installation, which is http (no s) jenkins.planetpope.com:8080. Well, what I want to do is change this to https and get rid of the 8080 and the colon, so now it's just https://jenkins.planetpope.com, because that's what I want all normal usage to be. So let's go ahead and save that. If we take a look again at Manage Jenkins, now our reverse proxy error is gone.

Although I showed you one way of doing SSL with Jenkins, why would you not want to do it this way? Well, you might already have a standard way of handling SSL certificates within your organization; maybe you're used to offloading those to nginx or Apache or some other appliance to make your SSL certificate management easier. The other reason, and I see this a lot, is sometimes people want to go ahead and make it extremely easy on their end users and automatically redirect any request for HTTP to HTTPS. Now, as you can see when we were doing the port forwarding, there was no way to do an HTTP redirect within firewalld, so if that's a requirement for you, you're going to need a way to do that redirect using Apache, nginx or maybe some load balancer to take care of that automatic redirect for you. However, if you know that you only want people going to your HTTPS endpoints, then redirects may not be a big deal to you.

If you have any questions or comments you can reach out to us on Twitter at @cloudbeesdevs. If this video was helpful to you, give us a thumbs up, and if you haven't subscribed to CloudBees TV yet, why not take a moment, click on that subscribe button and then ring that bell, and you'll be notified any time there is new content available on CloudBees TV. Thanks for watching and we will see you in the next video.
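The sysconfig and firewalld steps from the video, scripted as an added example; this is not the video's gist and not Jenkins project code. It assumes the CentOS layout the video shows (/etc/sysconfig/jenkins with JENKINS_PORT, JENKINS_HTTPS_PORT and JENKINS_ARGS; JENKINS_HOME=/var/lib/jenkins; certificate chain and key under /var/lib/jenkins/.ssl/), and the helper names (write_sample_sysconfig, sysconfig_get, configure_jenkins_tls, firewalld_forward_https) are mine. To run without root it edits a constructed copy of the sysconfig file rather than the real one, and the firewalld step takes the command to execute as an argument, so it can be dry-run with echo and applied with firewall-cmd as root.

```shell
#!/bin/sh
# Added example, not from the video's gist or the Jenkins project.
# Scripts the CentOS sysconfig and firewalld steps from the video against a
# constructed copy of /etc/sysconfig/jenkins, so it runs without root.
set -eu

# Write a constructed excerpt of /etc/sysconfig/jenkins: the three settings the
# video touches, plus home and user. The real file carries many more settings.
write_sample_sysconfig() {
  cat > "$1" <<'EOF'
JENKINS_HOME="/var/lib/jenkins"
JENKINS_USER="jenkins"
# Port Jenkins is listening on. Set to -1 to disable
JENKINS_PORT="8080"
# HTTPS port Jenkins is listening on. Not defined if empty.
JENKINS_HTTPS_PORT=""
# Pass arbitrary arguments to Jenkins.
JENKINS_ARGS=""
EOF
}

# Read the value of KEY="value" from a sysconfig file, quotes stripped.
#   $1 sysconfig file, $2 key name
sysconfig_get() {
  sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1"
}

# Apply the video's three edits:
#   JENKINS_PORT=-1            disable the plain-HTTP listener (port 8080)
#   JENKINS_HTTPS_PORT=<port>  Jetty HTTPS listener on an unprivileged port
#   JENKINS_ARGS=...           --httpsCertificate / --httpsPrivateKey, which are
#                              Jetty (Winstone) options and belong in JENKINS_ARGS,
#                              not JENKINS_JAVA_ARGS
#   $1 sysconfig file, $2 https port, $3 certificate chain file (server cert
#   first, intermediate after it), $4 private key file
configure_jenkins_tls() {
  cfg="$1"; port="$2"; crt="$3"; key="$4"
  sed \
    -e "s|^JENKINS_PORT=.*|JENKINS_PORT=\"-1\"|" \
    -e "s|^JENKINS_HTTPS_PORT=.*|JENKINS_HTTPS_PORT=\"${port}\"|" \
    -e "s|^JENKINS_ARGS=.*|JENKINS_ARGS=\"--httpsCertificate=${crt} --httpsPrivateKey=${key}\"|" \
    "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Forward 443 to the Jetty HTTPS port with firewalld, in the order the video
# uses: runtime change, verify, persist, reload.
#   $1 Jetty https port
#   $2 command to run: "echo" for a dry run, "firewall-cmd" (as root) to apply
firewalld_forward_https() {
  toport="$1"; fw="$2"
  "$fw" --add-service=https
  "$fw" --add-forward-port="port=443:proto=tcp:toport=${toport}"
  "$fw" --list-forward-ports
  "$fw" --runtime-to-permanent
  "$fw" --reload
}

# Stand-alone demo on a temp copy; nothing on the host is changed.
demo_dir=$(mktemp -d)
write_sample_sysconfig "$demo_dir/jenkins"
configure_jenkins_tls "$demo_dir/jenkins" 8443 \
  /var/lib/jenkins/.ssl/jenkins.planetpope.com.crt \
  /var/lib/jenkins/.ssl/jenkins.planetpope.com.key
grep -E '^JENKINS_(PORT|HTTPS_PORT|ARGS)=' "$demo_dir/jenkins"
firewalld_forward_https 8443 echo
```

On a real controller, point configure_jenkins_tls at /etc/sysconfig/jenkins, make sure the key and chain file are readable by the jenkins user (the video does this with chown jenkins:jenkins on the .ssl directory contents), restart Jenkins, and only then run firewalld_forward_https with firewall-cmd. The private key file should stay readable by the jenkins user alone; the Jetty process is the only thing that needs it.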
Info
Channel: CloudBeesTV
Views: 2,795
Keywords: darin pope, jenkins, jenkins tutorial, ssl, firewalld, jenkins basics
Id: 2uYL4az1BVU
Length: 15min 49sec (949 seconds)
Published: Thu Aug 19 2021