Question
How to include new SSL cert on specific ports
- Posted October 2, 2020
- ApacheSecurityLet's EncryptUbuntu 18.04
I followed this tutorial and everything worked, except the new certificate only updated on the default port and not port 8443. How can I fix this? The sites are cicd.shelter-ent.app and cicd.shelter-ent.app:8443.
EDIT: I took over this server from someone else and am not sure how they configured everything. A few months ago, the SSL on the 8443 server running Jenkins expired.
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
Hi there @jmudse55,
Installing a certificate for Jenkins is a bit different compared to a standard web server like Apache or Nginx, there are a few things that you need to do.
Note: before starting I recommend taking a backup of your current configuration so that in case anything goes wrong, you could restore to the working config
First, you need to obtain a new valid SSL certificate for the domain name in question and get the certificate files:
* The SSL certificate itself, it should be a file ending in `.crt`
* The Private Key, it will be a file ending in `.key`
* And also the CA bundle, in most cases it will again end in `.crt`
After that you need to convert the certificate into a .pfx format, you can either use a tool like openssl or use the SSL Shopper converter tool instead:
https://www.sslshopper.com/ssl-converter.html
After you have the .pfx file you need to convert it to JKS format. To do that, you need to have JDK installed and run the following command:
keytool -importkeystore -srckeystore your_certificate.pfx \
-srcstorepass 'your_pfx_password' -srcstoretype PKCS12 \
-srcalias jenkins.devopscube.com -deststoretype JKS \
-destkeystore jenkins.jks -deststorepass 'your_pfx_password' \
-destalias yourdomain.com
Copy the jenkins.jks file into the /etc/jenkins/ directory and make sure that it has secure permissions:
chmod 700 /etc/jenkins
chmod 600 /etc/jenkins/jenkins.jks
Once this is done edit the Jenkins config:
- nano /etc/sysconfig/jenkins
There update the path to the new file and the new password:
JENKINS_HTTPS_KEYSTORE="/etc/jenkins/jenkins.jks"
JENKINS_HTTPS_KEYSTORE_PASSWORD="<your-keystore-password>"
Finally, restart Jenkins so that it could read the new file.
Regards, Bobby
Hi,
The configuration described in @bobbyiliev’s answer is the first one you should check. Besides that, you should consider configuration where Apache server acts as reverse proxy for Jenkins. To check it, run the command:
The result similar to that
indicates that Apache serves reverse proxy for Jenkins, and you can follow the description below :)
I guess there are different virtual hosts (vhosts) for ports 443 and 8443 defined in your Apache configuration. It is very likely they are in different config files. Try to look for them with that command:
These vhosts config files should contain the directives pointing to the certificate files, e.g.
Copy the directives from 443 vhost and replace with them corresponding directives in 8443 vhost. Restart Apache service:
Let us know how it works.
Hi,
The configuration described in @bobbyiliev’s answer is the first one you should check. Besides that, you should consider configuration where Apache server acts as reverse proxy for Jenkins. To check it, run the command:
The result similar to that
indicates that Apache serves reverse proxy for Jenkins, and you can follow the description below :)
I guess there are different virtual hosts (vhosts) for ports 443 and 8443 defined in your Apache configuration. It is very likely they are in different config files. Try to look for them with that command:
These vhosts config files should contain the directives pointing to the certificate files, e.g.
Copy the directives from 443 vhost and replace with them corresponding directives in 8443 vhost. Restart Apache service:
Let us know how it works.