HTTPS - works okay, but 2 problems


John Horne

Sep 13, 2022, 9:26:12 PM
to Jenkins Users
Hello,

We are running Jenkins 2.368 on a Rocky 8 Linux server. I was asked to implement SSL onto our Jenkins service, and have done that using a keystore. (I only deal with the server itself as a sysadmin, I do not use Jenkins myself for CI purposes.)
This all seems to work okay, but I have noticed two issues:

1) Despite changing the '/etc/sysconfig/jenkins' file, setting JENKINS_PORT to -1 and JENKINS_HTTPS_PORT to 8443, Jenkins still listens on port 8080. Using the 'lsof' command from a console shows that both ports 8080 and 8443 are listening. The 'System Information' page within Jenkins shows that it is also present on the supplied java command line (as the --httpPort option). How do we fully disable the use of port 8080?

2) The keystore password is exposed in the 'ps' command output, and in the 'System Information' page found when I log into Jenkins and look under the 'Manage Jenkins' page. This is obviously not secure. Perhaps the password should be stored as part of the Jenkins configuration rather than just passed onto the command line from the sysconfig file? Is there another way to hide the password?


Thanks,

John.

Mark Waite

Sep 13, 2022, 10:33:17 PM
to Jenkins Users
On Tuesday, September 13, 2022 at 7:26:12 PM UTC-6 John wrote:
> Hello,
>
> We are running Jenkins 2.368 on a Rocky 8 Linux server. I was asked to implement SSL onto our Jenkins service, and have done that using a keystore. (I only deal with the server itself as a sysadmin, I do not use Jenkins myself for CI purposes.)
> This all seems to work okay, but I have noticed two issues:
>
> 1) Despite changing the '/etc/sysconfig/jenkins' file, setting JENKINS_PORT to -1 and JENKINS_HTTPS_PORT to 8443, Jenkins still listens on port 8080. Using the 'lsof' command from a console shows that both ports 8080 and 8443 are listening. The 'System Information' page within Jenkins shows that it is also present on the supplied java command line (as the --httpPort option). How do we fully disable the use of port 8080?


If you installed Jenkins 2.368 on Rocky 8 Linux with the yum command, then Jenkins should be configured with "systemctl edit jenkins" instead of editing the '/etc/sysconfig/jenkins' file.

The "Managing systemd services" page provides more details.
 
> 2) The keystore password is exposed in the 'ps' command output, and in the 'System Information' page found when I log into Jenkins and look under the 'Manage Jenkins' page. This is obviously not secure. Perhaps the password should be stored as part of the Jenkins configuration rather than just passed onto the command line from the sysconfig file? Is there another way to hide the password?


I'm not sure on that one. You may need to replace the ExecStart with the specific command line arguments that you want to use.

Mark Waite

Dirk Heinrichs

Sep 14, 2022, 1:36:59 AM
to jenkins...@googlegroups.com
On Tuesday, 13.09.2022 at 16:58 -0700, John Horne wrote:

> I was asked to implement SSL onto our Jenkins service, and have done
> that using a keystore.

Better use an Apache or NGinx reverse proxy in front of it to handle
the TLS stuff. They both read the certificate files directly, so you
don't need to mess with the Java keystore. And, in case you've got more
web based services to maintain, it's the same mechanism everywhere,
regardless of backend service. Doing this here for Jenkins, Mercurial
(HGWeb), Nexus, Artifactory, Vault, ...

HTH...

Dirk
--
Dirk Heinrichs
Senior Systems Engineer, Delivery Pipeline
OpenText ™ Discovery | Recommind

John Horne

Sep 14, 2022, 12:35:22 PM
to Jenkins Users
Thanks for that. I looked through bug reports and found someone else saying that port 8080 remained open. It was you (I think) that replied to him/her that the RPM version does not use the sysconfig file. Creating a systemd override to disable port 8080 worked fine.

As to the second problem - it's still a problem. I remembered from other work that multiple 'ExecStart's are not allowed for certain types. So I need to use 'ExecStart=' and then on the following line put the actual ExecStart I wanted. However, this invokes /usr/bin/jenkins which ultimately runs java with all the options passed to it. So no matter what I do in the systemd override file for ExecStart, it always ends up with a java command being run with the keystore password as one of the options being shown.
I need to think about this a bit more.

John.
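Pulling together Mark's "systemctl edit jenkins" advice and John's systemd override, here is an added example (not code from the thread or from the Jenkins project) that writes the drop-in which disables the plain HTTP listener and then checks a process command line for the exposed keystore password that John's second problem describes. It assumes the RPM unit is named jenkins.service and reads the JENKINS_PORT / JENKINS_HTTPS_PORT variables, and that the password reaches java as Winstone's --httpsKeyStorePassword option.

```shell
#!/bin/sh
# Added example, not from the thread or the Jenkins project.
# Assumptions: the RPM unit is jenkins.service and honours the
# JENKINS_PORT / JENKINS_HTTPS_PORT variables; the keystore password is
# passed to java as Winstone's --httpsKeyStorePassword option.
set -eu

# write_override DIR HTTPS_PORT
# Writes DIR/override.conf, the drop-in that "systemctl edit jenkins" creates.
# Only Environment= lines are overridden, so ExecStart= does not need to be
# reset; a later Environment= assignment replaces the unit's own default.
write_override() {
  dir=$1
  https_port=$2
  mkdir -p "$dir"
  cat > "$dir/override.conf" <<EOF
[Service]
# -1 turns the plain HTTP listener off. The RPM unit ignores
# /etc/sysconfig/jenkins, so this has to live in the drop-in.
Environment="JENKINS_PORT=-1"
Environment="JENKINS_HTTPS_PORT=$https_port"
EOF
}

# verify_override FILE
# Succeeds only if the drop-in disables HTTP and sets a numeric HTTPS port.
verify_override() {
  grep -q '^Environment="JENKINS_PORT=-1"$' "$1" &&
    grep -q '^Environment="JENKINS_HTTPS_PORT=[0-9][0-9]*"$' "$1"
}

# password_on_cmdline CMDLINE_FILE
# Reads a NUL-separated command line (the format of /proc/PID/cmdline) and
# succeeds if a keystore password option is visible there, i.e. exactly what
# 'ps' and the System Information page would reveal.
password_on_cmdline() {
  tr '\000' '\n' < "$1" | grep -qi 'KeyStorePassword='
}

# Typical use on the server, as root:
#   write_override /etc/systemd/system/jenkins.service.d 8443
#   systemctl daemon-reload && systemctl restart jenkins
#   pid=$(systemctl show -p MainPID --value jenkins)
#   if password_on_cmdline "/proc/$pid/cmdline"; then
#     echo "keystore password is still visible on the java command line"
#   fi
```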

James Nord

Sep 28, 2022, 6:01:09 AM
to jenkins...@googlegroups.com
jenkins (winstone) can load arguments from a config file in addition to the command line (--config). https://github.com/jenkinsci/winstone#configuration-file

so you can (should be able to) put the password in that file.

Now if you put the password in that file and make it read only by the jenkins user you have not really gained anything over using a passwordless key/certificate file that is read only by the jenkins user...

(although I guess you could hack the systemd command to write the file before startup, pass the argument and then wait until Jenkins has started and remove the file, then only root has access normally to the password in the systemd configuration)

/James


Daniel Beck

Sep 28, 2022, 7:37:46 AM
to jenkins...@googlegroups.com
On Wed, Sep 28, 2022 at 12:00 PM James Nord <james...@gmail.com> wrote:
> jenkins (winstone) can load arguments from a config file in addition to the command line (--config). https://github.com/jenkinsci/winstone#configuration-file
>
> so you can (should be able to) put the password in that file.
>
> Now if you put the password in that file and make it read only by the jenkins user you have not really gained anything over using a passwordless key/certificate file that is read only by the jenkins user...
>
> (although I guess you could hack the systemd command to write the file before startup, pass the argument and then wait until Jenkins has started and remove the file, then only root has access normally to the password in the systemd configuration)

There's also --paramsFromStdIn as documented at https://github.com/jenkinsci/extras-executable-war#parameters-from-stdin

John Horne

Oct 3, 2022, 10:13:55 AM
to Jenkins Users
Thanks for the replies. We have removed the keystore, and are now using the reverse proxy method.

John.