If you run Jenkins build server and desire to link it to a repository to perform automatic builds you will discover you need a legitimate SSL certificate so that there are no communication issues between the services. Any of your services to the internet they should be secured via SSL at a minimum anyway and you will want to disable HTTP access. In your quest to secure the Jenkins endpoint you may find the documentation lacking for securing a default install of Jenkins on a Windows server. This tutorial seeks to make this job easier.
This tutorial is for a default install of Jenkins using its own bundled web server on a Windows server. It does not deal with a Jenkins install that uses Apache, NGINX, IIS, etc as its web server.
The first step to perform is to route your Jenkins build to the web. Perform whatever port forwarding and routing as well as A or CNAME DNS records so that your Jenkins server can be accessed via the web via a unique URL (jenkins.domain.com).
The second step is to:
- Install IIS server. I have found using IIS to acquire the SSL certificate from letsencrypt is the quickest route.
- Get a copy of Windows ACME Simple(WACS). A windows based client for letsencrypt.
- A copy of OpenSSL. This is used to convert certificate format
In IIS create a new site or modify the existing site with the domain you will use for your build server. Make sure the site is running and run WACS via command prompt.
Note: Options may change as WACS is constantly being updated.
- Select Option M (Create new certificate with advanced options).
- Then Option 4
- Enter the site URL. e.g. sample.domain.com
- Choose option 4 (Self-host verification files).
- Choose Option 3 (Do not run any installation steps).
- You will be prompted on a save location for the resulting certificates, enter an area.
- You will have 2 certificates, a privkey and a chain cert. (I suggest renaming so the next steps require less typing.)
- Done.
Now that you have the certificates you can shut down your IIS site. Keep it handy as you will need it for renewals.
The next step is to convert the certificate to a type of PKCS which is a required format to convert it ultimately to a Java Key Store JKS.
- Open OpenSSL in command prompt.
- Navigate to the location of your certificates.
- The openssl command is.
- openssl pkcs12 -inkey "privkey.pem" -in "certchain.pem" -export -out "location/certificate.pkcs12"
- You now have a single certificate file that can be created to a Java Key Store.
We now need to convert the certificate to a Java Key Store which is the format required by Jenkins.
- Open a command prompt and navigate to the "bin" folder of your Java install.
- This will be Program Files/jrex.x.x for 64bit or Program Files (x86)/jre.x.x.x for 32bit.
- Now run the following command
- Keytool -importkeystore -srckeystore <path to pkcs12 cert> -srcstoretype pkcs12 -destkeystore <sample.domain.com.jks> -deststoretype JKS
- You will be asked to enter a password to secure it. Enter whatever you want but use the same for every next step that needs a password.
- You will now have a JKS file in the same location as your certificates.
We now need to modify Jenkins XML file to point to the new JKS file.
- Navigate to %PROGRAMFILES(x86)/Jenkins/jenkins.xml
- In the file you will see a long string by the <arguments> tag.
- You will want to change the following options.
- --httpPort=-1(only change this to -1 if you want to turn off http access)
- --httpsPort=443(Change this if you want Jenkins to use a different port for https access)
- --httpsKeyStore= Path to the new JKS file
- --httpsKeyStorePassword="password created when creating the jks file" Password must match or this will not work.
- Save the xml file
- Restart the Jenkins windows service.
- Done.
Congratulations, you now have a Jenkins server secured with a Lets Encrypt certificate. You will need to perform this task every 90 days to renew the certificate.