Configuring Jenkins with HTTPS/SSL on Fedora: Secure Access Setup Guide

When securing Jenkins with SSL/TLS on Fedora, you need to properly configure three main components:

  • Java KeyStore containing your SSL certificate
  • Jenkins WAR file arguments for HTTPS
  • Firewall rules for port 443

First, you need a valid certificate. For testing, generate a self-signed one (browsers and API clients will reject it unless they are explicitly told to trust it):

keytool -genkey -keyalg RSA -alias jenkins -keystore /root/.keystore -storepass MYPASSWORD -validity 360 -keysize 2048

For production, use a certificate from a trusted CA such as Let's Encrypt and export it into a PKCS12 keystore that Jenkins can read:

sudo certbot certonly --standalone -d ci.mydomain.com
sudo openssl pkcs12 -export -in /etc/letsencrypt/live/ci.mydomain.com/fullchain.pem \
-inkey /etc/letsencrypt/live/ci.mydomain.com/privkey.pem \
-out /root/.keystore -name jenkins -passout pass:MYPASSWORD

Then point Jenkins at the keystore in /etc/sysconfig/jenkins. --httpPort=-1 turns off the plain-HTTP listener so the instance is HTTPS-only; without it Jenkins keeps answering on HTTP as well. (On Jenkins 2.332 and newer the RPM runs as a native systemd service, and these arguments go into JENKINS_OPTS in an override created with systemctl edit jenkins instead.)

JENKINS_ARGS="--httpsPort=443 --httpsKeyStore=/root/.keystore --httpsKeyStorePassword=MYPASSWORD --httpPort=-1"
JENKINS_PORT="-1"  # Disables HTTP if you want HTTPS-only

Ensure your firewall allows HTTPS traffic:

sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

If SELinux is enforcing: port 443 is already labelled http_port_t in the stock Fedora policy, so the semanage step is only needed (with your port substituted) when Jenkins listens on a non-standard HTTPS port; relabel the keystore after creating or moving it:

sudo semanage port -a -t http_port_t -p tcp 443
sudo restorecon -Rv /root/.keystore

For better separation, terminate TLS in Nginx as a reverse proxy instead: the private key then lives in Nginx rather than in a Java keystore, and Jenkins only needs to listen for plain HTTP on localhost (bind it with --httpListenAddress=127.0.0.1 so it is not reachable from the network directly):

server {
    listen 443 ssl;
    server_name ci.mydomain.com;

    ssl_certificate /etc/letsencrypt/live/ci.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ci.mydomain.com/privkey.pem;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Troubleshooting:

  • Certificate errors: verify ownership and permissions on the keystore file (the jenkins service user must be able to read it, and nobody else should):
    chmod 600 /root/.keystore
    chown jenkins:jenkins /root/.keystore
  • Port conflicts: check whether another service already listens on port 443:
    sudo netstat -tulnp | grep 443
    sudo ss -tulnp | grep ':443'   # ss is preinstalled on Fedora; netstat requires net-tools

When running Jenkins in production, securing communications with HTTPS is essential. Unlike HTTP, which transmits credentials in plain text, HTTPS encrypts all traffic, including:

  • Login credentials
  • Build logs
  • Artifact transfers
  • API communications

For this Fedora setup, we assume Java and Jenkins are already installed and the Jenkins service is running; verify with:

# Verify Java installation
java -version
# openjdk version "1.8.0_392"
# OpenJDK Runtime Environment (build 1.8.0_392-b08)
# OpenJDK 64-Bit Server VM (build 25.392-b08, mixed mode)

# Check Jenkins service status
sudo systemctl status jenkins

First create a Java keystore containing your SSL certificate. This example generates a self-signed certificate; for production, import a CA-issued certificate instead:

sudo keytool -genkey -alias jenkins -keyalg RSA -keysize 4096 \
  -keystore /var/lib/jenkins/jenkins.jks \
  -validity 3650 -storepass yourpassword \
  -keypass yourpassword -dname "CN=ci.mydomain.com, OU=DevOps, O=MyCompany, L=City, ST=State, C=US"

Edit your Jenkins sysconfig file:

sudo vi /etc/sysconfig/jenkins

Add these critical parameters to JENKINS_ARGS:

JENKINS_ARGS="--httpsPort=443 --httpsKeyStore=/var/lib/jenkins/jenkins.jks --httpsKeyStorePassword=yourpassword"

# Open HTTPS port
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --reload

# Set SELinux context for keystore
sudo chcon -R -t etc_t /var/lib/jenkins/jenkins.jks
sudo systemctl restart jenkins

# Verify HTTPS endpoint
curl -vk https://ci.mydomain.com
# Should return Jenkins homepage headers

To make the instance HTTPS-only, also disable the plain-HTTP listener by appending to JENKINS_ARGS in the init script or sysconfig file (or keep HTTP on localhost only and put a reverse proxy in front of it):

JENKINS_ARGS="$JENKINS_ARGS --httpPort=-1 --httpsPort=443"

Troubleshooting:

  • Permission denied: ensure the jenkins user can read the keystore:
    sudo chown jenkins:jenkins /var/lib/jenkins/jenkins.jks
  • Port conflict: verify no other service uses port 443:
    sudo netstat -tulnp | grep 443
  • Certificate errors: check keystore validity:
    keytool -list -v -keystore /var/lib/jenkins/jenkins.jks
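As an added check that is not part of this guide, the following Python script lints the JENKINS_ARGS line of /etc/sysconfig/jenkins for the HTTPS-only flags discussed above and checks a keystore's mode and owner against the chmod 600 / chown jenkins fix from the troubleshooting list. The two sample sysconfig lines are constructed (the "weak" one is the JENKINS_ARGS line before --httpPort=-1 was appended), and the function names are mine.

```python
"""Lint JENKINS_ARGS in /etc/sysconfig/jenkins for the HTTPS-only flags above."""
import re
import shlex
import stat

# Constructed sample: HTTPS configured but the plain-HTTP listener left open.
WEAK_SYSCONFIG = ('JENKINS_ARGS="--httpsPort=443 --httpsKeyStore=/var/lib/jenkins/jenkins.jks '
                  '--httpsKeyStorePassword=yourpassword"\n')
# Constructed sample: the same line with --httpPort=-1 appended, i.e. HTTPS-only.
HARDENED_SYSCONFIG = WEAK_SYSCONFIG.replace('"\n', ' --httpPort=-1"\n')


def parse_jenkins_args(sysconfig_text):
    """Return {flag: value} from JENKINS_ARGS; a legacy JENKINS_PORT="-1" line
    counts as --httpPort=-1 (the old init script passed it through as the HTTP port)."""
    args = {}
    match = re.search(r'^JENKINS_ARGS="([^"]*)"', sysconfig_text, re.MULTILINE)
    if match:
        for token in shlex.split(match.group(1)):
            if token.startswith("--") and "=" in token:
                flag, value = token[2:].split("=", 1)
                args[flag] = value
    port = re.search(r'^JENKINS_PORT="?(-?\d+)"?', sysconfig_text, re.MULTILINE)
    if port and "httpPort" not in args:
        args["httpPort"] = port.group(1)
    return args


def audit_https_args(args):
    """Return findings for the flag set; an empty list means HTTPS-only is in place."""
    if "httpsPort" not in args:
        return ["no --httpsPort: Jenkins serves plain HTTP only"]
    findings = [f"--httpsPort set but --{flag} missing"
                for flag in ("httpsKeyStore", "httpsKeyStorePassword") if flag not in args]
    if args.get("httpPort") != "-1":
        findings.append("plain HTTP still enabled: add --httpPort=-1 for HTTPS-only")
    return findings


def audit_keystore_mode(st_mode, owner, jenkins_user="jenkins"):
    """Check an os.stat() st_mode and owner name against chmod 600 / chown jenkins."""
    findings = []
    if owner != jenkins_user:
        findings.append(f"keystore owned by {owner}, not {jenkins_user}")
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("keystore is group/world accessible: chmod 600 it")
    return findings
```

Feed the real file to parse_jenkins_args(open("/etc/sysconfig/jenkins").read()) and an os.stat() of the keystore plus its owner name to audit_keystore_mode; both return an empty list when the settings match the HTTPS-only configuration described above.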