Question

How to include new SSL cert on specific ports

I followed this tutorial and everything worked, except the new certificate only updated on the default port and not port 8443. How can I fix this? The sites are cicd.shelter-ent.app and cicd.shelter-ent.app:8443.

EDIT: I took over this server from someone else and am not sure how they configured everything. A few months ago, the SSL on the 8443 server running Jenkins expired.

Submit an answer
Answer a question...

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Bobby Iliev
Site Moderator
Site Moderator badge
October 2, 2020
Accepted Answer

Hi there @jmudse55,

Installing a certificate for Jenkins is a bit different compared to a standard web server like Apache or Nginx, there are a few things that you need to do.

Note: before starting I recommend taking a backup of your current configuration so that in case anything goes wrong, you could restore to the working config

First, you need to obtain a new valid SSL certificate for the domain name in question and get the certificate files:

* The SSL certificate itself, it should be a file ending in `.crt`
* The Private Key, it will be a file ending in `.key`
* And also the CA bundle, in most cases it will again end in `.crt`

After that you need to convert the certificate into a .pfx format, you can either use a tool like openssl or use the SSL Shopper converter tool instead:

https://www.sslshopper.com/ssl-converter.html

After you have the .pfx file you need to convert it to JKS format. To do that, you need to have JDK installed and run the following command:

keytool -importkeystore -srckeystore your_certificate.pfx \
-srcstorepass 'your_pfx_password' -srcstoretype PKCS12 \
-srcalias jenkins.devopscube.com -deststoretype JKS \
-destkeystore jenkins.jks -deststorepass 'your_pfx_password' \
-destalias yourdomain.com

Copy the jenkins.jks file into the /etc/jenkins/ directory and make sure that it has secure permissions:

chmod 700 /etc/jenkins
chmod 600 /etc/jenkins/jenkins.jks

Once this is done edit the Jenkins config:

  1. nano /etc/sysconfig/jenkins

There update the path to the new file and the new password:

JENKINS_HTTPS_KEYSTORE="/etc/jenkins/jenkins.jks"
JENKINS_HTTPS_KEYSTORE_PASSWORD="<your-keystore-password>"

Finally, restart Jenkins so that it could read the new file.

Regards, Bobby

Janusz SzeligowskiOctober 2, 2020

Hi,

The configuration described in @bobbyiliev’s answer is the first one you should check. Besides that, you should consider configuration where Apache server acts as reverse proxy for Jenkins. To check it, run the command:

sudo netstat -tulpn | grep 8443

The result similar to that

Output
tcp       0      0.0.0.0:8443   0.0.0.0:*      LISTEN      760/apache2

indicates that Apache serves reverse proxy for Jenkins, and you can follow the description below :)

I guess there are different virtual hosts (vhosts) for ports 443 and 8443 defined in your Apache configuration. It is very likely they are in different config files. Try to look for them with that command:

sudo grep -e 443 $(find /etc/apache2/ -name "*.conf")

These vhosts config files should contain the directives pointing to the certificate files, e.g.

SSLCertificateFile /etc/letsencrypt/live/cicd.shelter-ent.app/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cicd.shelter-ent.app/privkey.pem

Copy the directives from 443 vhost and replace with them corresponding directives in 8443 vhost. Restart Apache service:

sudo systemctl restart apache2

Let us know how it works.