Enable HTTPS in jenkins?

Question

I have a private network with a local IP. I want to Enable HTTPS for my Jenkins server which is static IP W.X.Y.Z:8080.

Jenkins version 2.9
java version "1.7.0_111"
OpenJDK Runtime Environment (IcedTea 2.6.7) (7u111-2.6.7-0ubuntu0.14.04.3)
OpenJDK 64-Bit Server VM (build 24.111-b01, mixed mode)

I have tried configuring in /etc/defaults/jenkins file the following arguments

HTTP_PORT=-1
JENKINS_ARGS="--webroot=/var/cache/$NAME/war -DsessionTimeout=1 --httpPort=$HTTP_PORT  --httpsPort=8081"

But I get the following errors. Please help

Running from: /usr/share/jenkins/jenkins.war
webroot: $user.home/.jenkins
Oct 19, 2016 2:18:48 PM org.eclipse.jetty.util.log.JavaUtilLog info
INFO: Logging initialized @811ms
Oct 19, 2016 2:18:48 PM winstone.Logger logInternal
INFO: Beginning extraction from war file
Oct 19, 2016 2:18:48 PM org.eclipse.jetty.util.log.JavaUtilLog warn
WARNING: Empty contextPath
Using one-time self-signed certificate
Oct 19, 2016 2:18:48 PM winstone.Logger logInternal
INFO: Winstone shutdown successfully
Oct 19, 2016 2:18:48 PM winstone.Logger logInternal
SEVERE: Container startup failed
java.io.IOException: Failed to start a listener
winstone.HttpsConnectorFactory
at winstone.Launcher.spawnListener(Launcher.java:207)
at winstone.Launcher.<init>(Launcher.java:149)
at winstone.Launcher.main(Launcher.java:352)`enter code here`
at sun.reflect.NativeMethodAccessorImpl.invoke0        

I found similar issues resolved here but it didn't work for me

EDIT1: The following changes have been tried in /etc/defaults/jenkins file and restarted jenkins but it didn't work for me.

HTTP_PORT=-1
JENKINS_ARGS="--webroot=/var/cache/$NAME/war -DsessionTimeout=1 --httpPort=$HTTP_PORT   --httpsPort=8443 --httpsCertificate=cert.pem --httpsPrivateKey=key.pem

https://issues.jenkins-ci.org/browse/JENKINS-34463

https://issues.jenkins-ci.org/browse/JENKINS-25333

Answer 1

You can enable Jenkins via HTTPS with following steps:

1. Create Certificate using Java

    keytool -genkey -keyalg RSA -alias "localhost" -keystore "C:\Users\username\Desktop\New folder\localhost.jks" -validity 365 -keysize 2048 -dname "CN=localhost, OU=OU_name, O=OU_name, L=city, ST=State_name, C=two_letter_country_code" -ext SAN=dns:localhost,ip:ip_address -storepass changeit
   

2. Export p12 Public Certificate from key-store file

    keytool -importkeystore -srckeystore "C:\Users\username\Desktop\New folder\localhost.jks" -storepass changeit -destkeystore "C:\Users\username\Desktop\New folder\localhost.p12" -srcstoretype JKS -deststoretype PKCS12 -deststorepass changeit
   

3. Host Jenkins using key-store (JKS) file

    java -jar jenkins.war --httpsPort=8082 --httpPort=-1 --httpsKeyStore="C:\Users\username\Desktop\New folder\localhost.jks" --httpsKeyStorePassword=changeit
   

4. Import the Certificate into Browser

You may have a question like why we have exported *.p12 certificate...well, this certificate we are going to import into our browser from where we access Jenkins. The same p12 certificate can be shared between multiple users.

For example in Chrome go to Setting>Search - "Manage Certificate" and click on "Manage Certificate" you will get an "Certificate" window. Import the certificate into each tab (Personnel, Other People, Intermediate Certificate Authorities, Trusted Root Certification Authorities, Trusted Publishers, and Untrusted Publishers).

Answer 2

If you have a valid certificate and you do not want to enable HTTPS for your Jenkins but still want an SSL enable traffic then here is another way.

In my case, I put Jenkins behind my Nginx web server. So here are the steps which I follow:

1. I have installed Nginx server. (sudo apt install nginx)
2. Copy the cert files in that machine. (Files are: <my-cert>.crt and <my-cert>.key)

3. Changed the nginx configuration in /etc/nginx/sites-available/default file to something like this:

   ssl_certificate /etc/nginx/<my-cert>.crt;
   ssl_certificate_key /etc/nginx/<my-cert>.key;
   

4. Follow the steps mentioned in the Jenkins Wiki.

5. And everything works like a charm...

---

By doing these steps the request flow will be like this:

1. Request goes to Nginx web server.
2. The reverse proxy redirects the traffic to the localhost:8080 (or custom IP: port) where Jenkins is running.
3. Jenkins will serve the request and give the response to Nginx
4. Nginx will return the response.

You can do the same with Apache, HAProxy, and squid, see

• Running Jenkins with native SSL / HTTPS
• Running Jenkins behind Nginx
• Jenkins behind an NGinX reverse proxy)