How to convert pfx files to the jks - jenkins

IT team sent me an "cert.pfx" ssl certificate file to use our "subdomain.domain.com" web site.
I have to add this ssl cert to Jenkins and as I know it uses *.jks files. But I'm not sure how to convert pfx to jks.
I used the command below, it's creating an jks file but Jenkins giving error.
keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS
Any help appreciated.
Thanks!

Above command to generate .jks from .pfx looks fine, make sure that you have given the password to your jks file (Best practice to give password for .jks file).
Next step is, you need to make sure that %Jenkins_Home%\jenkins.xml has a correct configuration for .jks file.
Here is an example of Jenkins HTTPS connection setting,
-httpPort=-1 (To stop Jenkins from listening over plain HTTP)
-httpsPort=8080 (or 8181 or whatever SSL port you want Jenkins to listen on)
-httpsKeyStore="<JavaKeystore_path>\clientcert.jks"
-httpsKeyStorePassword="<cleartext-password-to-keystore>"
After modification of jenkins.xml, restart the windows jenkins service, it must be running.

Related

http to https migration in Jenkins not working

We need to migrate the Jenkins URL from http to https.
We have a server where Jenkins is installed and the jobs are running fine.
Now for the security enhancement we need to migrate to https.
We received a pkcs12 certificate. Now to include the certificate , the following steps was followed
Using the keytool , converted the pkcs12 to jks format.
Command used
keytool -v -importkeystore -srckeystore D:\Installations\JENKINS_HOME\httpsCertificate\certificate.p12 -srcstoretype PKCS12 -destkeystore D:\Installations\JENKINS_HOME\httpsCertificate\certificate.jks -deststoretype JKS
To include the jks certificate , changed the jenkins xml file with the following arguments
--httpPort=-1 --httpsPort=8443 --httpsKeyStore="D:\Installations\JENKINS_HOME\httpsCertificate\certificate.jks" --httpsKeyStorePassword=***** --httpsListenAddress="0.0.0.0"
Restarted Jenkins service
But after the restart even though it was mapped to https but showing as not secure
The Jenkins URL after the migration process

Letsencypt Solr SSL JVM

I have been trying to get this to work for days, but can anyone point me in the right direction (tutorial ect.) for how to get LetsEncypt certs to run in Solr?
I have a Rails site running on 443 with LetsEncrypt and have added solr on the same machine, on a different port. The Solr is running SSL with self-signed certs.
Can i use the same Certs for the main site as both the site and the solr can be accessed on the same URL?
Obviously the solr instance is secured via IP tables as it seemed an easyier setup than reverse proxying while trying to use the same cert.
Any pointers or hints greatly appreciated!
Thanks
Sometimes i overlook the obvious!
As i have a key for the Domain already, and Solr responds on mydomain.com:8983 all that is needed is to create a Java Key Store (jks) from the existing keys on the system.
So all that was needed is
openssl pkcs12 -export -in /etc/letsencrypt/live/mydomain.com/fullchain.pem -inkey /etc/letsencrypt/live/mydomain.com/privkey.pem -out pkcs.p12 -name NAME
specifing the location of the Lets-Encrypt Cert (on my system /etc/letsencrypt/live/mydomain.com/)
Then convert the PKCS12 key to a jks...
keytool -importkeystore -deststorepass PASSWORD_STORE -destkeypass PASSWORD_KEYPASS -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass STORE_PASS -alias NAME
replacing password where needed.
I would have thought the best practace here would be to Automate this in a bash script to be run when the Lets-encrypt certs are renewed.

How to configure SSL in sgcWebSockets 3.2?

I bought an SSL certificate and all I've got is a .crt file.
I need to configure a https server on Delphi correctly. I use a module named sgcWebSockets 3.2. As I can see in manual, I need to set the following parameters:
1) SSLOptions/ CertFile/ KeyFile/ RootCertFile: you
need a certificate in .PEM format in order to encrypt
websocket communications.
2) SSLOptions/ Password: this is optional and only
needed if certificate has a password.
3) SSLOptions/ Port: port used on SSL connections.
But I have only a .crt file. I think I can convert it to .pem format using openssl. But what is this file will be? Is this a CertFile or RootCertFile? I haven't a KeyFile anyway. Will it works only with one cert file? I also haven't got any password. Should I leave this field empty? Please help.
You can convert your crt file to a pem file with OpenSSL as follows:
openssl x509 -inform der -in certificate.crt -out certificate.pem.
But that isn't the only file you need. You also need your private key which was used to generate your csr that you sent to the certificate authority and that also has to be in pem format. I'm not sure how you generated your csr, so I'd need more information to help you extract that or convert it to pem format.

Jenkins Publish over ssh authentification failed with private key

I can authenticate successfully with putty on the server with my private key and passphrase. But when I try to do it with jenkins publish over SSH plugin (using Test for configuration), I get the following error message:
jenkins.plugins.publish_over.BapPublisherException: Failed to connect session for config myconfig. Message [Auth fail]
I entered the same information as in putty:
Hostname : myhostname
Username : myusername
Remote Directory :
Use password authentication, or use a different key Passphrase / Password
Path to key : checked
Path to key : mypath
Passphrase : mypasssword
Key:
Port:22
Timeout(ms):300000
If you have any idea ...
Thanks for your help.
Looks like you're using keyfile authentication, so you'll get this error from Jenkins if you haven't set the permissions correctly on your .ssh folder and/or ~/.ssh/authorized_keys file.
the .ssh folder should have drwx------ permissions (read/write/execute owner only)
the authorized_keys file should have -rw------- permissions (read/write owner only)
To fix it:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
I ran into the same issue today and it turned out i was accidentally supplying the path to the public key instead of the private one.
So the "path to key" should be something like
.ssh/id_rsa
instead of
.ssh/id_rsa.pub
Because your linux login need password, the answer is :
1. Passphrase: your passphrase
2. path to key: your private key path
3. key : blank
4. Disable exec : un-check
SSH Servers
1. Name: remote_user#remotehost.com
2. hostname: remotehost.com
3. Username: remote_user
4. Remote Directory: empty
Advanced --
5. check the box "use passsword authentication, or use a different key"
`important`
6. Passphrase / Password: your linux login password`important`
7. path to key: blank
8. key:blank
9. port: 22
10. Timeout(ms): 300000
'Test Configuration'
success
Check that the public key is in the .ssh/authorized_keys file on the target server, even if the target server is the same as the jenkins server. I had what is probably the same problem, and it turned out that I needed this, even though ssh localhost worked fine.
(Addendum: also check that the jenkins server has the target server in its .ssh/known_hosts file, as that can affect this as well.)
I think as it says this is a authentication issue:
Use password authentication, or use a different key
Selecting this option will produce 3 more configuration boxes that mirror the options available for the Jenkins SSH Key.
Passphrase / Password
If either Path to key or Key are configured then this is the passphrase to use with the encrypted key.
If no key is configured then this is the password that will be used for password authentication.
Path to key
See description above.
Key
See description above.
Disable exec
This option will remove the ability to execute commands using this configuration.
LINK HERE
I am facing same issue , the following steps work for me:- ( i am using jenkins 1.57)
Go to http:///jenkins/manage
Configure System
Browse to Publish over SSH section
Passphrase: blank
path to key: blank
key : blank
Disable exec : un-check
SSH Servers
-- Name: remote_user#remotehost.com
-- hostname: remotehost.com
-- Username: remote_user
-- Remote Directory: empty
-- Advanced
-- check the box "use passsword authentication, or use a different key"
-- port: 22
-- Timeout(ms): 300000
-- 'Test Configuration'
success
Try restarting ssh of remote server
/etc/init.d/sshd restart
Don't do any ssh-keygen. Just enter the pem key details under key field,
Add SSH server details: Name, Hostname and Username as ec2-user.
Click test connection and it works.
Sometimes the SSH connection would fail, if the destination server doesnt have enough disk space to perform PUT operation
{ERROR: Exception when publishing, exception message [Failure]}
Make sure to verify the destination server has enough disk space.
In case of Linux, you can use 'df -kh /directoryname' to check the disk space
Just copy jenkins-user's id_rsa.pub to the end of ~/.ssh/authorized_keys on remote host.
I was having the same exact issue today and thought I would share what worked for me
Normally when I would SSH into my ec2 instance AWS likes the username to be
ubuntu#[ip address/url]
Jenkins likes it to be just the username so remove the rest
ubuntu
If you use RSA key, and see string like this in your private key:
-----BEGIN RSA PRIVATE KEY-----
***************************************
-----END RSA PRIVATE KEY-----
You need edit config file sshd on remote machine:
sudo vim /etc/ssh/sshd_config
add in this file stoke:
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
I have the same problem,I am on windows, the solution:
open the openssh debug model, no can see the error detail, detail click
Stop the sshd service
Type 'sshd -d' in PowerShell
no if you connect again ,you can see the error detail, my error is
userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
we can add PubkeyAcceptedKeyTypes=+ssh-rsa in server sshd_config file, detail click
now test success, if still has error like Failed to connect SFTP channel and debug is
debug1: subsystem: cannot stat sftp-server.exe: No such file or directory
this because the openssh no in windows system path. detail click

How to connect through SSH in Erlang using a PEM key file

Using the ssh module in erlang, it is possible to establish a connection to a remote server.
There are several options indicated in such API, but it is unclear to me which one would allow me to establish a connection that is enforced only by authenticating using a .pem file.
For example, using the ssh command in an OS shell, I can connect to my host using this:
ssh -c 3des -2 -l root -i MYPERMISSIONFILE.PEM myhost.mydomain.com -p 22
In Erlang, the ssh module has a fd option { fd,
ssh:start().
ssh:connect("myhost.mydomain.com",22, ???????? ).
There are several security options, I beleive the content of the .pem file could be used as one of the security optins, but that would be 1700 characters! There is an option to use a file descriptor [ {fd, } ], but it is unclear to me if that is the way to achieve this.
I was able to get it working by copying the pem file using the name id_rsa in a folder other than ~/.ssh (so it doesn't overwrite any keys you have set up already), e.g. ~/keys, and then passing into ssh:connect/3 the option {user_dir, "~/keys"}. It picks up the renamed pem as the rsa key.

Resources