How can I set up Jenkins CI to use https on Windows?
Solution 1:
Go to your %JENKINS_HOME% and modify the jenkins.xml. Where you see --httpPort=8080
change it to --httpPort=-1 --httpsPort=8080
you can make the ports anything you want of course, but in my testing (a while ago, it may have changed) if you don't keep --httpPort=<something>
then Jenkins will always use 8080. So if you simply change --httpPort=8080
to --httpsPort=8080
, port 8080 will still use http.
Also, if you want to use your own certificate, there are some instructions at the bottom of this page.
http://wiki.jenkins-ci.org/display/JENKINS/Starting+and+Accessing+Jenkins
Solution 2:
Run:
keytool -genkey -keyalg RSA -keystore Jenkins.jks -alias [Name of website] -keysize 2048
Answer the questions remembering that First and last name
is the website URL and should be lowercase. Example:
build.jenkins-ci.org
State or province
cannot be abbreviated.
Run:
keytool -certreq -Keystore jenkins.jks -alias [Name of website] -file jenkins.csr -keysize 2048
Send Jenkins.csr
to your cert provider and request a PKCS#7 cert which has a .p7b
extension and starts with:
-----BEGIN PKCS #7 SIGNED DATA-----
Note: Trial certs are not normally available in .p7b
format but you may be able to combine the .cer
files using this tool which reported success but didn't work for me. (https://www.sslshopper.com/ssl-converter.html)
Run:
keytool -import -trustcacerts -file jenkins.p7b -keystore jenkins.jks -alias [Name of website]
Change the arguments
node in Jenkins.xml to the following prespectivly.
<arguments>-Xrs -Xmx256m -Dhudson.lifecycle=hudson.lifecycle.WindowsServiceLifecycle -jar "%BASE%\jenkins.war" --httpPort=-1 --httpsPort=443 --httpsKeyStore="%BASE%\Cert\Jenkins.jks" --httpsKeyStorePassword=[Cert password from step 1]</arguments>
Troubleshooting:
- If Jenkins doesn't start read the last lines from
Jenkins.err.log
. - If Jenkins didn't start because of an issue with
Jenkins.xml
, replace the–
(weird Windows hyphen) characters with an actual-
(ASCII hyphen). - If Jenkins starts but the cert still reads as bad, make sure the
[Name of website]
is the actual URL without thehttps:
example:https://build.jenkins-ci.org
would bebuild.jenkins-ci.org
. - If that isn't the issue inspect the
.jks
file usingKeyStore Explorer
. The "Certificate Hierarchy" should show that each cert is nested in another; This is to illustrate the cert chain. If it shows the certs next to each other then it's not correct. - If it won't start on a specific port, 443 for example, then verify IIS or another app isn't currently using the port.
- If you can see the site on the PC it's hosted on, but not another PC, then verify you aren't getting blocked by a firewall.