Jenkins is a powerful automation server widely used for continuous integration and continuous deployment (CI/CD) processes. Securing Jenkins with HTTPS is essential for protecting sensitive data transmitted over the network. In this guide, we'll walk through the process of enabling HTTPS on Jenkins using OpenSSL, including the necessary command outputs.
Prerequisites
Before starting, ensure you have:
Access to the server hosting Jenkins.
Root or sudo privileges.
OpenSSL installed on the server.
Step 1: Generate SSL Certificate
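The first step is to generate a 2048-bit RSA private key and a self-signed SSL certificate valid for 365 days using OpenSSL. The -nodes option writes key.pem without a passphrase, so keep that file readable only by root. Execute the following command: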
[root@siddhesh ~]# openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
Generating a 2048 bit RSA private key
.....+++
.....................................................+++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Maharashtra
Locality Name (eg, city) [Default City]:Mumbai
Organization Name (eg, company) [Default Company Ltd]:Builddevops Ltd
Organizational Unit Name (eg, section) []:DevOps
Common Name (eg, your name or your server's hostname) []:jenkins.builddevops.com
Email Address []:siddhesh@builddevops.com
[root@siddhesh ~]#
You'll be prompted to provide information for the certificate. Fill in the details according to your organization's requirements.
Step 2: Create PKCS12 File
Next, create a PKCS12 file from the generated key and certificate:
[root@siddhesh ~]# openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12
Enter Export Password:
Verifying - Enter Export Password:
[root@siddhesh ~]#
Set an export password when prompted, and verify it.
Step 3: Import Certificate to Keystore
Import the PKCS12 file into a Java keystore (JKS) using the keytool command:
[root@siddhesh ~]# keytool -importkeystore -srckeystore ./certificate.p12 -srcstoretype pkcs12 -destkeystore jenkinsbuilddevops.jks -deststoretype JKS
Importing keystore ./certificate.p12 to jenkinsbuilddevops.jks...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
[root@siddhesh ~]#
You'll need to enter a new destination keystore password (the one Jenkins is configured with in Step 5) and the source keystore password, which is the export password set in Step 2.
Step 4: Move Keystore to Jenkins Directory
Copy the generated keystore file to the Jenkins directory:
[root@siddhesh ~]# cp -pav jenkinsbuilddevops.jks /var/lib/jenkins/
‘jenkinsbuilddevops.jks’ -> ‘/var/lib/jenkins/jenkinsbuilddevops.jks’
[root@siddhesh ~]# chown jenkins:jenkins /var/lib/jenkins/jenkinsbuilddevops.jks
[root@siddhesh ~]#
Step 5: Set Jenkins HTTPS Configuration
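Modify the Jenkins service configuration to enable HTTPS. Edit the Jenkins service file so that it contains the three JENKINS_HTTPS settings below; the grep command shows the result after editing: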
[root@siddhesh ~]# grep '^Environment="JENKINS_HTTPS' /usr/lib/systemd/system/jenkins.service
Environment="JENKINS_HTTPS_PORT=9090"
Environment="JENKINS_HTTPS_KEYSTORE=/var/lib/jenkins/jenkinsbuilddevops.jks"
Environment="JENKINS_HTTPS_KEYSTORE_PASSWORD=P@ssw0rd"
[root@siddhesh ~]#
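Ensure the environment variables are set to the HTTPS port, the keystore path from Step 4, and the destination keystore password from Step 3. Note that the keystore password is stored in plain text in the service file.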
Step 6: Reload and Restart Jenkins Service
Reload the systemd daemon and restart the Jenkins service:
[root@siddhesh ~]# systemctl daemon-reload
[root@siddhesh ~]# systemctl restart jenkins.service
After following these steps, Jenkins is reachable over HTTPS at https://<IPADDRESS>:9090, and traffic between Jenkins and its clients is encrypted. Because the certificate is self-signed, browsers and other clients will show a trust warning until they are configured to trust it. This setup enhances the security of your CI/CD workflows by encrypting data transmitted over the network.
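Steps 4 and 5 leave two things worth checking before relying on this setup: the mode of the copied keystore, and the password written into the service file. The following shell audit is an added example, not part of the original guide. The function names are hypothetical, and the EnvironmentFile= handling assumes you move the password into a separate root-only file, which the guide itself does not do.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the Step 4-5 result.
# Usage after sourcing: audit_jenkins_https /usr/lib/systemd/system/jenkins.service
# Prints one line per finding; the return status is the number of findings.

# True if FILE has the "readable by others" permission bit set.
world_readable() {
    [ -n "$(find "$1" -prune -perm -0004 2>/dev/null)" ]
}

# Print VALUE from the last Environment="NAME=VALUE" line of a unit file.
unit_env() {
    sed -n "s/^Environment=\"$2=\(.*\)\"\$/\1/p" "$1" | tail -n 1
}

audit_jenkins_https() {
    unit=$1
    findings=0
    port=$(unit_env "$unit" JENKINS_HTTPS_PORT)
    keystore=$(unit_env "$unit" JENKINS_HTTPS_KEYSTORE)
    password=$(unit_env "$unit" JENKINS_HTTPS_KEYSTORE_PASSWORD)
    # Assumption: an optional EnvironmentFile= line names a file holding the password.
    envfile=$(sed -n 's/^EnvironmentFile=-\{0,1\}//p' "$unit" | tail -n 1)

    if [ -z "$port" ]; then
        echo "FAIL: JENKINS_HTTPS_PORT is not set"
        findings=$((findings + 1))
    fi
    # The keystore holds the private key; cp -p keeps whatever mode keytool gave it.
    if [ -z "$keystore" ] || [ ! -f "$keystore" ]; then
        echo "FAIL: keystore not found: ${keystore:-unset}"
        findings=$((findings + 1))
    elif world_readable "$keystore"; then
        echo "FAIL: keystore is world-readable: $keystore"
        findings=$((findings + 1))
    fi
    # systemd exposes Environment= values to unprivileged users (systemctl show).
    if [ -n "$password" ]; then
        echo "FAIL: keystore password is inline in $unit"
        findings=$((findings + 1))
    fi
    if [ -n "$envfile" ] && world_readable "$envfile"; then
        echo "FAIL: environment file is world-readable: $envfile"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

A keystore created under root's default umask and copied with cp -p will normally be flagged; chmod 600 on the jenkins-owned file clears that finding.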