http to https migration in Jenkins not working - jenkins

We need to migrate the Jenkins URL from http to https.
We have a server where Jenkins is installed and the jobs are running fine.
Now for the security enhancement we need to migrate to https.
We received a pkcs12 certificate. To include the certificate, the following steps were followed.
Using keytool, converted the pkcs12 to jks format.
Command used
keytool -v -importkeystore -srckeystore D:\Installations\JENKINS_HOME\httpsCertificate\certificate.p12 -srcstoretype PKCS12 -destkeystore D:\Installations\JENKINS_HOME\httpsCertificate\certificate.jks -deststoretype JKS
To include the jks certificate, changed the jenkins xml file with the following arguments
--httpPort=-1 --httpsPort=8443 --httpsKeyStore="D:\Installations\JENKINS_HOME\httpsCertificate\certificate.jks" --httpsKeyStorePassword=***** --httpsListenAddress="0.0.0.0"
Restarted Jenkins service
But after the restart, even though it was mapped to https, it is showing as not secure.
The Jenkins URL after the migration process

Related

Docker go image - cannot go get - x509: certificate signed by unknown authority

Inside a Docker golang image I am trying to go install a package and fail with this error:
go install google.golang.org/protobuf/cmd/protoc-gen-go@1.27.0: google.golang.org/protobuf/cmd/protoc-gen-go@1.27.0: invalid version: Get "https://proxy.golang.org/google.golang.org/protobuf/cmd/protoc-gen-go/@v/1.27.0.info": x509: certificate signed by unknown authority
I tried installing CA certificates unsuccessfully.
Any idea what could be the problem?
OK, so the problem was my security client: Cisco AnyConnect "Umbrella".
It was acting like a man in the middle and re-signing the request with its own certificate.
In order for the in-docker Go client to trust the traffic re-signed by Cisco Umbrella, the "Cisco Umbrella Root CA" certificate needed to be added to the Dockerfile:
So clicking on the .cer URI we can see that certificate.
Now inside my container I could:
$ wget http://www.cisco.com/security/pki/certs/ciscoumbrellaroot.cer
Then convert it from .cer to a .crt file:
$ openssl x509 -inform DER -in ciscoumbrellaroot.cer -out ciscoumbrellaroot.crt
Then copy it to the certificate folder:
$ cp ciscoumbrellaroot.crt /usr/local/share/ca-certificates/ciscoumbrellaroot.crt
And lastly update the certificates:
$ update-ca-certificates
which outputs this:
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Done! Now we can go get any package:
$ go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.27.1
go: downloading google.golang.org/protobuf v1.27.1
This was written about the Cisco security client but can be applied to any client out there.

How to convert pfx files to the jks

The IT team sent me a "cert.pfx" SSL certificate file to use for our "subdomain.domain.com" web site.
I have to add this SSL cert to Jenkins and, as far as I know, it uses *.jks files. But I'm not sure how to convert pfx to jks.
I used the command below; it's creating a jks file but Jenkins is giving an error.
keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS
Any help appreciated.
Thanks!
The above command to generate the .jks from the .pfx looks fine; make sure that you have given a password to your jks file (it is best practice to give the .jks file a password).
Next step is, you need to make sure that %Jenkins_Home%\jenkins.xml has a correct configuration for .jks file.
Here is an example of Jenkins HTTPS connection setting,
-httpPort=-1 (To stop Jenkins from listening over plain HTTP)
-httpsPort=8080 (or 8181 or whatever SSL port you want Jenkins to listen on)
-httpsKeyStore="<JavaKeystore_path>\clientcert.jks"
-httpsKeyStorePassword="<cleartext-password-to-keystore>"
After modifying jenkins.xml, restart the Windows Jenkins service; it must be running.
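Before pointing jenkins.xml at the new store (this answer, and the first question on this page), it helps to inspect what the conversion actually produced. This is an added example, not code from either post; it assumes keytool from the JDK is on PATH, a POSIX shell (Git Bash on Windows is fine), and the .pfx password in SRC_PASS and the new keystore password in DEST_PASS. A chain length of 1 for a CA-issued certificate, or a hostname that is absent from the DNS names, are the usual reasons a browser still reports the site as not secure after such a migration.

```shell
#!/bin/sh
# Added example: convert a PKCS#12 bundle (.pfx/.p12) to the JKS keystore
# Jenkins expects, then inspect the result before editing jenkins.xml.
# Assumes keytool (JDK) on PATH; passwords come from the environment
# (SRC_PASS, DEST_PASS) so that neither ends up in the shell history.
set -u

# pfx_to_jks <in.pfx> <out.jks>
# jenkins.xml carries a single --httpsKeyStorePassword, so the JKS store
# password and the key password are deliberately set to the same value.
pfx_to_jks() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$SRC_PASS" \
        -destkeystore "$2" -deststoretype JKS -deststorepass "$DEST_PASS" \
        -destkeypass "$DEST_PASS"
}

# jks_listing <keystore.jks> : verbose listing used by the checks below
jks_listing() {
    keytool -list -v -keystore "$1" -storepass "$DEST_PASS" 2>/dev/null
}

# jks_has_key <keystore.jks> : 0 if the store holds a private key entry
# (a store containing only trustedCertEntry entries cannot terminate TLS)
jks_has_key() {
    jks_listing "$1" | grep -q 'PrivateKeyEntry'
}

# jks_chain_length <keystore.jks> : prints the certificate chain length of
# the first entry; 1 for a CA-issued server certificate means the
# intermediates were not in the .pfx and the browser cannot build a chain
jks_chain_length() {
    jks_listing "$1" | sed -n 's/^Certificate chain length: *//p' | head -n 1
}

# jks_dns_names <keystore.jks> : prints the subjectAltName DNS entries; the
# hostname used in the Jenkins URL must be one of them
jks_dns_names() {
    jks_listing "$1" | sed -n 's/^ *DNSName: *//p'
}
```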

Letsencrypt Solr SSL JVM

I have been trying to get this to work for days, but can anyone point me in the right direction (tutorial etc.) for how to get LetsEncrypt certs to run in Solr?
I have a Rails site running on 443 with LetsEncrypt and have added Solr on the same machine, on a different port. The Solr is running SSL with self-signed certs.
Can I use the same certs for the main site, as both the site and Solr can be accessed on the same URL?
Obviously the Solr instance is secured via iptables, as it seemed an easier setup than reverse proxying while trying to use the same cert.
Any pointers or hints greatly appreciated!
Thanks
Sometimes I overlook the obvious!
As I have a key for the domain already, and Solr responds on mydomain.com:8983, all that is needed is to create a Java Key Store (jks) from the existing keys on the system.
So all that was needed was
openssl pkcs12 -export -in /etc/letsencrypt/live/mydomain.com/fullchain.pem -inkey /etc/letsencrypt/live/mydomain.com/privkey.pem -out pkcs.p12 -name NAME
specifying the location of the Let's Encrypt cert (on my system /etc/letsencrypt/live/mydomain.com/).
Then convert the PKCS12 key to a jks...
keytool -importkeystore -deststorepass PASSWORD_STORE -destkeypass PASSWORD_KEYPASS -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass STORE_PASS -alias NAME
replacing password where needed.
I would have thought the best practice here would be to automate this in a bash script to be run when the Let's Encrypt certs are renewed.
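The renewal automation suggested above, written out as an added example rather than the author's own script: a certbot deploy hook that redoes the PEM to PKCS#12 to JKS conversion every time the certificate is renewed and then restarts Solr. It relies on certbot setting RENEWED_LINEAGE for deploy hooks; the keystore path, alias, systemd unit name and the STORE_PASS variable are assumptions to adjust for your install.

```shell
#!/bin/sh
# Added example: certbot deploy hook that rebuilds Solr's JKS keystore from
# the renewed Let's Encrypt files, so the two conversions above are not
# repeated by hand every 90 days. certbot exports RENEWED_LINEAGE
# (e.g. /etc/letsencrypt/live/mydomain.com) to scripts placed under
# /etc/letsencrypt/renewal-hooks/deploy/. STORE_PASS is not set by certbot:
# export it here from a root-only file before the hook body runs.
set -eu
SOLR_KEYSTORE=${SOLR_KEYSTORE:-/var/solr/etc/solr-ssl.keystore.jks}  # assumed path
ALIAS=${ALIAS:-solr}                                                  # assumed alias

# build_jks <lineage_dir> <out.jks> : PEM -> PKCS#12 -> JKS, STORE_PASS used
# for both store and key; the finished store is moved into place in one step
# so Solr never reads a half-written file, and the .p12 never leaves the
# temporary directory.
build_jks() {
    lineage=$1 out=$2 work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    openssl pkcs12 -export -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
        -name "$ALIAS" -out "$work/bundle.p12" -passout env:STORE_PASS
    keytool -importkeystore -noprompt \
        -srckeystore "$work/bundle.p12" -srcstoretype PKCS12 -srcstorepass "$STORE_PASS" \
        -srcalias "$ALIAS" -destalias "$ALIAS" \
        -destkeystore "$work/new.jks" -deststoretype JKS -deststorepass "$STORE_PASS" \
        -destkeypass "$STORE_PASS"
    chmod 640 "$work/new.jks"
    mv "$work/new.jks" "$out"
}

# Only act when certbot is the caller; sourcing the file by hand does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    : "${STORE_PASS:?keystore password expected in STORE_PASS}"
    build_jks "$RENEWED_LINEAGE" "$SOLR_KEYSTORE"
    systemctl restart solr    # unit name from the stock Solr install script; adjust if different
fi
```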

Docker Registry REST API authorization

I'm trying to make requests to a private Docker registry but it requires me to log in and responds with a 401 response. I've tried checking the docs but it doesn't say anything about the authorization process. So my question is how to successfully make HTTP requests to a private Docker registry with authorization enabled using the REST API?
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-private-docker-registry-on-ubuntu-14-04
That article was extremely helpful for me in setting up a secure private Docker registry. Goes through everything you'll need.
(This part, https://www.digitalocean.com/community/tutorials/how-to-set-up-a-private-docker-registry-on-ubuntu-14-04#step-four-—-secure-your-docker-registry-with-nginx, talks about securing the registry with basic HTTP authentication.)
Docker registry requires SSL to be set up; you will have to configure SSL to get it to work.
I tried following the tutorial on digitalocean (https://www.digitalocean.com/community/tutorials/how-to-set-up-a-private-docker-registry-on-ubuntu-14-04)
But there are a number of little problems with it and I feel it doesn't quite do what I need it to. I tried the ssl instructions verbatim and it didn't work for me. Here is what I had to do to get set up with ssl (using fairly generic names) using a self-signed certificate:
Make a directory to store the ssl cert:
mkdir /etc/nginx/ssl
Create a certificate and key file:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
Remember to put your common name as per instructions everywhere else (domain name)
Create a new directory under the ca-certificates directory:
mkdir /usr/share/ca-certificates/nginx
Copy the certificate file to that directory:
cp /etc/nginx/ssl/nginx.crt /usr/share/ca-certificates/
Append the following to the /etc/ca-certificates.conf file:
nginx/nginx.crt
Then update the certificates:
update-ca-certificates --fresh
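A helper that covers both the Cisco Umbrella root earlier on this page and the self-signed registry certificate here, added as an example rather than taken from either answer: it accepts DER or PEM input (the .cer downloaded from a vendor is usually DER, which update-ca-certificates does not read), prints exactly what is about to be trusted, and installs it where Debian/Ubuntu's update-ca-certificates looks without editing /etc/ca-certificates.conf. TRUST_DIR, the function names and the constructed test certificate are the example's own.

```shell
#!/bin/sh
# Added example: add an extra root CA (an intercepting proxy's root, or the
# self-signed certificate of a private registry) to the Debian/Ubuntu trust
# store that curl, go and the docker client inside a container consult.
# update-ca-certificates picks up every *.crt under
# /usr/local/share/ca-certificates, but only understands PEM.
set -eu
TRUST_DIR=${TRUST_DIR:-/usr/local/share/ca-certificates}

# to_pem <in> <out.crt> : pass PEM through unchanged, convert DER to PEM
to_pem() {
    if grep -aq 'BEGIN CERTIFICATE' "$1"; then
        openssl x509 -in "$1" -out "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# describe <pem> : who is being trusted, until when, and a SHA-256
# fingerprint to compare with what the vendor or registry operator published
describe() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# trust_ca <cert-file> <name> : normalise, show, install, rebuild the bundle
# e.g.  trust_ca ciscoumbrellaroot.cer cisco-umbrella-root
trust_ca() {
    dest="$TRUST_DIR/$2.crt"
    to_pem "$1" "$dest"
    describe "$dest"
    update-ca-certificates
}
```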

Issues setting up SSL, keep getting "no valid, non-passphrase-protected keys given" error

I obtained a security certificate on StartSSL.com and followed the steps on Heroku closely. I was given intermediate as well as root certificates.
I tried different methods to chain these files but I get this error (see screenshot)
http://i.imgur.com/8WVmAVu.jpg
How can I fix this error?
The files that I downloaded are:
ca.pem (root cert)
sub.class1.server.ca.pem (intermediate cert)
copied and pasted the private key as server.key
copied and pasted the certificate as server.orig.crt
There's also the ca-bundle.pem that I tried using but no luck
I just redownloaded all of the files and ran this "cat server.orig.crt sub.class1.server.ca.pem ca-bundle.pem > server.crt"
Then ran heroku certs:add server.crt server.key and I get this error
Unable to read server.crt file
Additionally, I just tried without any CAT and simply "heroku certs:add ca-bundle.pem server.key" and I get this error
No certificate given is a domain name certificate
A pem encoded certificate chain suitable for installation on heroku should consist of, in order: site, intermediate, then root pem encoded certificates.
cat server.orig.crt sub.class1.server.ca.pem ca.pem > heroku.crt
It looks to me more like a problem with your private key -- you need to make sure the pem file isn't encrypted with a passphrase, and that it is the same key pair used to generate the cert. The head of the private key will look like this if encrypted:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
...
instead of just:
-----BEGIN RSA PRIVATE KEY-----
MIICaQIBAAKBhACxlzv7H57F+vapTjqS9qdfDg20RjwFFU1B3yK8SqN7rX0jpjsW
H3B2lhCqKPWd2To2LoOolhnsFbr5qlKK3ep/nuUZfkx1aOIg4L0FgzbuCSJfKE5B
...
In the former case, run (Linux, macOS):
openssl rsa -in server.key -out server.unencrypted.key
and enter the passphrase when prompted. Then use server.unencrypted.key in the call to heroku to add the cert.
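The checks from this answer and the chain order from the one above, collected as an added example (not from either answer) to run before heroku certs:add: is the key encrypted, does it belong to the certificate, and does the concatenated chain actually verify. Assumes openssl on PATH; the KEY_PASS variable is this example's own way of supplying a passphrase non-interactively.

```shell
#!/bin/sh
# Added example: pre-flight for `heroku certs:add`. Catches the two failures
# on this page: a passphrase-protected key, and a chain file that is not
# site -> intermediate -> root (or that was built with the wrong files).
set -eu

# key_is_encrypted <key.pem> : true for both PEM encryption styles
# (traditional "Proc-Type: 4,ENCRYPTED" header and PKCS#8 "ENCRYPTED PRIVATE KEY")
key_is_encrypted() {
    grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# decrypt_key <in.key> <out.key> : strip the passphrase; prompts unless
# KEY_PASS is set. `openssl pkey` handles RSA and EC keys alike.
decrypt_key() {
    if [ -n "${KEY_PASS:-}" ]; then
        openssl pkey -in "$1" -out "$2" -passin env:KEY_PASS
    else
        openssl pkey -in "$1" -out "$2"
    fi
    chmod 600 "$2"
}

# key_matches_cert <key> <cert> : compare the public keys (works for EC as
# well as RSA, unlike comparing moduli); the first cert in the file is used
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$k" = "$c" ]
}

# build_chain <site.crt> <intermediate.pem> <root.pem> <out.crt>
# concatenate in the order Heroku expects, then prove the chain is valid
build_chain() {
    cat "$1" "$2" "$3" > "$4"
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null
}
```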
