Deploy HTTPS certificates for VM on all nodes

Francois Marot

Jul 20, 2018, 4:27:10 PM
to Jenkins Users
Hello Jenkins users,

I used to have multiple Jenkins pipeline jobs (multibranch) running on miscellaneous nodes (Windows and Linux). Everything was fine.
My jobs were configured to use a specific JVM identified as "java-8":
  • declared only once in JDK installations sections (and downloaded from Oracle.com)
  • referenced inside each pipeline using the "tool" section like this:
tools { jdk 'java-8' }

The problem is that my IT recently wanted to put my Maven repository (Apache Archiva) behind a reverse proxy, thus forcing me to use HTTPS to access it (and deploy my Maven artifacts).
And the HTTPS is configured with a self-signed certificate, not recognized by default by the JVM.
For testing purposes, I tested it on my computer by importing the correct .cer file using Java's "keytool" utility into the cacert keystore of my JVM. Maven builds worked.
I suppose all developers in the company will have to do the same.

But regarding Jenkins, what would be the preferred way to add certificates to the JVM used for Maven?
  • One way would be to use the "Config File Provider plugin" to retrieve a specifically crafted cacert file and to overwrite the JDK's one at the start of each build.
  • Another way would be to not use Oracle's JDK anymore but to use a specifically crafted one including my specific cacert file but this would be more work on each JDK update.
  • I could also not overwrite the JDK's and still use the "Config File Provider plugin" to get the correct cacert file and pass it to Maven using options like -Djavax.net.ssl.trustStore and the like.
None of these options satisfies me fully. What would you do?

Francois Marot

Jul 25, 2018, 3:50:16 AM
to Jenkins Users
In my case, in the end, the solution was quite easy: there was no problem at all. Let me explain: Jenkins as well as Archiva are behind the reverse proxy, so I do not have to configure the JVMs of Jenkins (and its slaves) to have the certificate, as they can communicate directly through unsecured HTTP.

But my question still remains: how would you have done that?
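
An added example (not part of the original thread, and not Jenkins project code) of the third option listed in the first message: a declarative pipeline that fetches the proxy certificate through the Config File Provider plugin, builds a per-build truststore, and hands it to Maven without modifying the JDK. The agent label `linux`, the managed file id `archiva-proxy-cert`, the alias `archiva-proxy`, the truststore file name and `mvn` being on the agent's PATH are all assumptions.

```groovy
// Added example, not from the thread. Assumed names: agent label 'linux',
// managed file id 'archiva-proxy-cert', alias 'archiva-proxy', mvn on PATH.
pipeline {
    agent { label 'linux' }
    tools { jdk 'java-8' }
    environment {
        // Per-build truststore in the workspace; the JDK installation stays untouched.
        TRUSTSTORE = "${env.WORKSPACE}/build-truststore.jks"
    }
    stages {
        stage('Prepare truststore') {
            steps {
                configFileProvider([configFile(fileId: 'archiva-proxy-cert', variable: 'PROXY_CERT')]) {
                    // javax.net.ssl.trustStore replaces the default store instead of
                    // extending it, so start from the JDK's own cacerts to keep the
                    // public CAs, then add the reverse proxy's certificate.
                    // JDK 8 layout; 'changeit' is the stock cacerts password.
                    sh '''
                        cp -f "$JAVA_HOME/jre/lib/security/cacerts" "$TRUSTSTORE"
                        chmod u+w "$TRUSTSTORE"
                        keytool -importcert -noprompt -alias archiva-proxy -file "$PROXY_CERT" -keystore "$TRUSTSTORE" -storepass changeit
                        # Fail the build early if the entry is missing.
                        keytool -list -alias archiva-proxy -keystore "$TRUSTSTORE" -storepass changeit
                    '''
                }
            }
        }
        stage('Deploy') {
            steps {
                // MAVEN_OPTS is read when the Maven JVM starts, before any TLS connection.
                withEnv(["MAVEN_OPTS=-Djavax.net.ssl.trustStore=${env.TRUSTSTORE} -Djavax.net.ssl.trustStorePassword=changeit"]) {
                    sh 'mvn -B deploy'
                }
            }
        }
    }
}
```

Because the truststore is rebuilt from the JDK's current cacerts on every run, a JDK update needs no repackaging, and only the single pinned certificate is added to what the build trusts.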