I followed this tutorial and everything worked, except the new certificate only updated on the default port and not port 8443. How can I fix this? The sites are cicd.shelter-ent.app and cicd.shelter-ent.app:8443.

EDIT: I took over this server from someone else and am not sure how they configured everything. A few months ago, the SSL on the 8443 server running Jenkins expired.


2 answers

Hi there @jmudse55,

Installing a certificate for Jenkins is a bit different compared to a standard web server like Apache or Nginx; there are a few things that you need to do.

Note: before starting I recommend taking a backup of your current configuration so that, in case anything goes wrong, you can restore the working config.

First, you need to obtain a new valid SSL certificate for the domain name in question and get the certificate files:

* The SSL certificate itself, which should be a file ending in `.crt`
* The private key, which will be a file ending in `.key`
* And also the CA bundle, which in most cases will again end in `.crt`

After that you need to convert the certificate into `.pfx` format; you can either use a tool like openssl or use the SSL Shopper converter tool instead:

https://www.sslshopper.com/ssl-converter.html

After you have the .pfx file you need to convert it to JKS format. To do that, you need to have JDK installed and run the following command:

keytool -importkeystore -srckeystore your_certificate.pfx \
-srcstorepass 'your_pfx_password' -srcstoretype PKCS12 \
-srcalias jenkins.devopscube.com -deststoretype JKS \
-destkeystore jenkins.jks -deststorepass 'your_pfx_password' \
-destalias yourdomain.com

Copy the jenkins.jks file into the /etc/jenkins/ directory and make sure that it has secure permissions:

chmod 700 /etc/jenkins
chmod 600 /etc/jenkins/jenkins.jks

Once this is done edit the Jenkins config:

  • nano /etc/sysconfig/jenkins

There update the path to the new file and the new password:

JENKINS_HTTPS_KEYSTORE="/etc/jenkins/jenkins.jks"
JENKINS_HTTPS_KEYSTORE_PASSWORD="<your-keystore-password>"

Finally, restart Jenkins so that it can read the new file.

Regards,
Bobby
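The PEM to PKCS12 to JKS pipeline from the answer above, as an added shell example that is not part of Bobby's answer. It builds a constructed self-signed key and certificate in a temporary directory so it runs anywhere; on a real server you would pass the Let's Encrypt `privkey.pem` and `fullchain.pem` instead. The alias, password and output names are assumptions, and the JKS step is skipped with a message when no JDK `keytool` is on the PATH. One caveat worth adding to the answer: a keystore with mode 600 is only readable by its owner, so after copying it into place it must be owned by the account the Jenkins service runs as (typically `jenkins`), otherwise Jenkins will fail to open it at startup.

```shell
#!/bin/sh
# Added example: PEM -> PKCS12 -> JKS for Jenkins' built-in HTTPS listener.
# Not code from the original answer. Alias, password and paths are assumptions.
set -eu

# Bundle a PEM private key and its full chain (leaf first) into a
# password-protected PKCS12 file and restrict it to the owner.
# $1 = private key, $2 = full chain, $3 = output .pfx, $4 = password, $5 = alias
make_pkcs12() {
    openssl pkcs12 -export \
        -inkey "$1" -in "$2" \
        -name "$5" \
        -out "$3" -passout "pass:$4"
    chmod 600 "$3"
}

# Convert the PKCS12 file into a JKS keystore using the same password for the
# store and the key (Jenkins reads both with JENKINS_HTTPS_KEYSTORE_PASSWORD).
# Prints "converted", or "skipped" when no JDK keytool is installed.
pkcs12_to_jks() {
    pfx=$1; jks=$2; pass=$3
    if ! command -v keytool >/dev/null 2>&1; then
        echo "skipped"
        return 0
    fi
    keytool -importkeystore \
        -srckeystore "$pfx" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$jks" -deststoretype JKS -deststorepass "$pass" \
        -destkeypass "$pass" -noprompt >/dev/null 2>&1
    chmod 600 "$jks"
    echo "converted"
}

# Print the notAfter date of the leaf certificate inside the PKCS12 file,
# so the expiry is confirmed before the keystore is deployed.
pkcs12_expiry() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Demonstration with a constructed self-signed certificate (not a real site cert).
# Prints the expiry date and the working directory holding jenkins.pfx / jenkins.jks.
demo() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -subj "/CN=jenkins.example.test" \
        -keyout "$work/privkey.pem" -out "$work/fullchain.pem" >/dev/null 2>&1
    make_pkcs12 "$work/privkey.pem" "$work/fullchain.pem" \
        "$work/jenkins.pfx" "changeit-example" "jenkins.example.test"
    pkcs12_to_jks "$work/jenkins.pfx" "$work/jenkins.jks" "changeit-example"
    pkcs12_expiry "$work/jenkins.pfx" "changeit-example"
    echo "$work"
}
```

Run `demo` once to see the whole flow; on a real host call `make_pkcs12` and `pkcs12_to_jks` with the Let's Encrypt files, then `chown jenkins:jenkins` the resulting `.jks` before pointing `JENKINS_HTTPS_KEYSTORE` at it.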

  • My specific directories were not set up exactly how you explained but I managed to find everything I needed and used a similar process.

    For anyone else looking for this answer (or me in the future):
    I had my SSL cert from Let’s Encrypt stored in

    /etc/letsencrypt/my.domain.com/privkey.pem
    /etc/letsencrypt/my.domain.com/cert.pem
    /etc/letsencrypt/my.domain.com/fullchain.pem

    I converted them to a .pfx file with:

    openssl pkcs12 -inkey "/etc/letsencrypt/live/my.domain.com/privkey.pem" -in "/etc/letsencrypt/live/my.domain.com/fullchain.pem" -certfile "/etc/letsencrypt/live/my.domain.com/cert.pem" -export -out "/etc/letsencrypt/live/my.domain.com/jenkins_cert.pfx"

    Then to a JKS file with:

    keytool -importkeystore -srckeystore /etc/letsencrypt/live/my.domain.com/jenkins_cert.pfx -srcstorepass 'mypass' -srcstoretype PKCS12 -deststoretype JKS -destkeystore jenkins_active.jks -deststorepass 'mypass'

    and just made sure the jks file was in my /var/lib/jenkins/ directory and that the -args line in my /etc/default/jenkins config file pointed to the correct jks file. All is well now, amazing.

Hi,

The configuration described in @bobbyiliev's answer is the first one you should check. Besides that, you should consider a configuration where the Apache server acts as a reverse proxy for Jenkins. To check it, run the command:

sudo netstat -tulpn | grep 8443

A result similar to this

Output
tcp 0 0.0.0.0:8443 0.0.0.0:* LISTEN 760/apache2

indicates that Apache serves as a reverse proxy for Jenkins, and you can follow the description below :)

I guess there are different virtual hosts (vhosts) for ports 443 and 8443 defined in your Apache configuration. It is very likely they are in different config files. Try to look for them with this command:

sudo grep -e 443 $(find /etc/apache2/ -name "*.conf")

These vhosts config files should contain the directives pointing to the certificate files, e.g.

SSLCertificateFile /etc/letsencrypt/live/cicd.shelter-ent.app/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/cicd.shelter-ent.app/privkey.pem

Copy the directives from the 443 vhost and replace the corresponding directives in the 8443 vhost with them. Restart the Apache service:

sudo systemctl restart apache2

Let us know how it works.
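The two checks in this answer, as an added shell example that is not part of the answer above: classify the process that owns port 8443 from a `netstat`/`ss` line (Apache means the vhost fix here applies; `java` means Jenkins' own HTTPS listener is serving the port and the keystore steps in the first answer apply instead), and compare the `SSLCertificateFile` directive of the 443 and 8443 vhosts so a stale path in one of them stands out. The socket lines and vhost config are constructed; `ss`/`netstat` and `openssl` are only used by the live helpers, which the demonstration does not depend on.

```shell
#!/bin/sh
# Added example, not code from the original answer. The Apache config text and
# the socket lines used below are constructed sample data.
set -eu

# Classify one "netstat -tulpn" / "ss -tlnp" line by the process that owns it.
# Prints: apache | java | other
classify_listener() {
    case $1 in
        *apache2*|*httpd*) echo apache ;;
        *java*)            echo java ;;
        *)                 echo other ;;
    esac
}

# Print "port<TAB>path" for every SSLCertificateFile directive in the given
# Apache config file(s), tagged with the port of the enclosing <VirtualHost>.
vhost_cert_map() {
    awk '
        /^[[:space:]]*<VirtualHost/ {
            port = $0; sub(/.*:/, "", port); sub(/[> ].*/, "", port)
        }
        /^[[:space:]]*SSLCertificateFile[[:space:]]/ { print port "\t" $2 }
    ' "$@"
}

# Print the certificate path used by the vhost on the given port (empty if none).
cert_for_port() {
    vhost_cert_map "$1" | awk -F'\t' -v p="$2" '$1 == p { print $2; exit }'
}

# Exit 0 when the 443 and 8443 vhosts reference the same certificate file.
same_cert() {
    a=$(cert_for_port "$1" 443); b=$(cert_for_port "$1" 8443)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Live helpers for the real box (assume iproute2 ss or net-tools netstat, and openssl).
live_listener_line() {
    if command -v ss >/dev/null 2>&1; then
        ss -tlnp 2>/dev/null | grep ":$1 " || true
    else
        netstat -tulpn 2>/dev/null | grep ":$1 " || true
    fi
}
cert_expiry() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; return 0; }
    openssl x509 -in "$1" -noout -enddate
}

# Demonstration on a constructed config where the 8443 vhost still points at an old file.
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
<VirtualHost *:443>
    ServerName cicd.example.test
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/cicd.example.test/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cicd.example.test/privkey.pem
</VirtualHost>
<VirtualHost *:8443>
    ServerName cicd.example.test
    SSLEngine on
    SSLCertificateFile /etc/ssl/old/cicd.example.test.crt
    SSLCertificateKeyFile /etc/ssl/old/cicd.example.test.key
</VirtualHost>
EOF
    echo "8443 owner: $(classify_listener 'tcp6 0 0 :::8443 :::* LISTEN 14984/java')"
    vhost_cert_map "$cfg"
    if same_cert "$cfg"; then echo "443 and 8443 use the same certificate"
    else echo "443 and 8443 use DIFFERENT certificate files"; fi
    rm -f "$cfg"
}
```

On the real host, run `classify_listener "$(live_listener_line 8443)"` first; only when it prints `apache` is the vhost comparison (`vhost_cert_map /etc/apache2/sites-enabled/*.conf`) the right place to look.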

  • I ran

    sudo netstat -tulpn | grep 8443

    and got:

    tcp6    0    0:::8443     :::*     LISTEN     14984/java

    Your comment said that if the last part of that line was Apache, then I should continue with @bobbyiliev's advice. Since it is java listening, should I still continue with those steps?

    I appreciate all of the help, I have primarily been a front-end developer :)
