Set up Jenkins with HTTPS

Here is a quick guide on how to set up Jenkins with HTTPS. There are numerous guides available, already. And I read some of them. But two things struck me odd. First, some guides want you to change the central systemd file for Jenkins (instead of an override file) and secondly, they want you to create a JKS file (instead of PKCS #12).

So, my words of warning: Never overwrite files in /etc/systemd/system. These files are manged by your system and package manager. If you want to add or change settings for Jenkins, use /etc/systemd/system/jenkins.service.d/override.conf. JKS is a proprietary format. PCKS #12 on the other hand, is an industry standard and also the default keystore format since Java 9!

Generate SSL certificate

First, you’ll need a certificate. You can create one with openssl:

 openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out jenkins.pem

Naturally, if you already have a certificate, you do not need to create a new one. But you’ll have to convert it to a PKCS #12 file.

Continuing with the example above, you’ll have to merge the files key.pem and jenkins.pem in a PKCS #12 keystore:

openssl pkcs12 -inkey key.pem -in jenkins.pem -export -out jenkins.p12

Finally, put the file jenkins.p12 somewhere accessible to Jenkins. I put it in /var/lib/jenkins.

sudo mv ./jenkins.p12 /var/lib/jenkins
# I assume you run Jenkins with default settings. If you run it with a different user, you'll have to adapt the 'chown', of course!
sudo chown jenkins:jenkins /var/lib/jenkins/jenkins.p12

Enable HTTPS in Jenkins service

With a new and shiny keystore in place, tell Jenkins how to use it. Create the file /etc/systemd/system/jenkins.service.d/override.conf and put the following content in it.

[Service]
Environment="JENKINS_HTTPS_PORT=8443"
Environment="JENKINS_HTTPS_KEYSTORE=/var/lib/jenkins/jenkins.p12"
Environment="JENKINS_HTTPS_KEYSTORE_PASSWORD=<your-password>"

Now, restart the Jenkins service.

sudo systemctl daemon-reload
sudo systemctl restart jenkins.service 

All done

Accessing https://localhost:8443 now should give you the Jenkins login page, but with a valid and secure https connection.