Using Let's Encrypt SSL with stand-alone Jenkins

Quick instructions on setting up Jenkins to use an SSL certificate provided by Let’s Encrypt. Heavily inspired by this post.

Getting the certificates

Install certbot and run it in manual mode.

sudo apt-get install certbot
sudo certbot certonly --manual --preferred-challenges dns -d my-jenkins-server.example.com

When it asks, set the desired DNS record through your DNS provider. It will be a TXT record with a name that looks like this:

_acme-challenge.my-jenkins-server.example.com.

The output will be these files:

/etc/letsencrypt/live/my-jenkins-server.example.com/fullchain.pem
/etc/letsencrypt/live/my-jenkins-server.example.com/privkey.pem

Converting the certificates

Back up the existing keystore, if any:

mv /var/lib/jenkins/jenkins.jks /var/lib/jenkins/jenkins.jks.bak

Then convert to a JKS keystore. Pick a unique password.

cd /etc/letsencrypt/live/my-jenkins-server.example.com/
# fullchain.pem (leaf certificate plus the Let's Encrypt intermediate), so clients receive the complete chain
openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out keys.pkcs12
keytool -importkeystore -srckeystore keys.pkcs12 -srcstoretype pkcs12 -destkeystore /var/lib/jenkins/jenkins.jks

Use the keystore

Edit Jenkins' config file /etc/default/jenkins and look for the JENKINS_ARGS line (near the very bottom).

Change it to disable port 80 and use 443 for the secure URL:

JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=-1 --httpsPort=443 --httpsKeyStore=/var/lib/jenkins/jenkins.jks --httpsKeyStorePassword=THE-PASSWORD-YOU-PICKED-EARLIER-IN-PLAINTEXT"

Now you only need to restart Jenkins and the changes are in effect:

sudo service jenkins restart

Renewing the certificates

To update the certificates, run certbot renew. After that you will have to convert to JKS again, and restart Jenkins.
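The steps above (convert the renewed fullchain.pem and privkey.pem to a JKS keystore, keep a backup, restart Jenkins) can be wrapped in one script that certbot calls as a deploy hook after each successful renewal. The script below is an added example, not code from the original post; it assumes a root-owned password file at /etc/jenkins-keystore.pass (mode 0600, one line holding the keystore password), a script location of /usr/local/sbin/jenkins-cert-deploy.sh, and relies on the RENEWED_LINEAGE variable that certbot exports to --deploy-hook scripts. Reading the password from a file keeps it out of the process list, which a password on the keytool or openssl command line would not.

```shell
#!/bin/sh
# Added example, not from the original post: a certbot deploy hook that rebuilds the
# Jenkins JKS keystore from a renewed Let's Encrypt lineage and restarts Jenkins.
# Assumed (not from the post): the password file /etc/jenkins-keystore.pass and the
# script path /usr/local/sbin/jenkins-cert-deploy.sh. RENEWED_LINEAGE is the
# variable certbot sets for --deploy-hook scripts.
set -eu

JKS_OUT="${JKS_OUT:-/var/lib/jenkins/jenkins.jks}"
# root-owned, mode 0600; contains the keystore password on a single line
PASS_FILE="${PASS_FILE:-/etc/jenkins-keystore.pass}"

# Hostname of a certbot lineage directory: /etc/letsencrypt/live/host -> host
lineage_domain() {
    basename "$1"
}

# True when the lineage holds the two files the conversion needs.
lineage_ok() {
    [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# Convert lineage -> PKCS#12 -> JKS inside a private temp dir, keep a .bak of the
# previous keystore, then install the new one readable only by the jenkins user.
convert_to_jks() {
    lineage="$1"; out="$2"; passfile="$3"
    tmpdir=$(mktemp -d)
    trap 'rm -rf "$tmpdir"' EXIT

    # fullchain.pem carries the intermediate, so TLS clients receive the whole chain
    openssl pkcs12 -export -name jenkins \
        -inkey "$lineage/privkey.pem" -in "$lineage/fullchain.pem" \
        -passout "file:$passfile" -out "$tmpdir/keys.p12"

    # Passwords are read from the file, never passed in argv, so they do not appear
    # in ps output. Store and key passwords are kept identical because JENKINS_ARGS
    # only carries one of them (--httpsKeyStorePassword).
    keytool -importkeystore -noprompt \
        -srckeystore "$tmpdir/keys.p12" -srcstoretype pkcs12 -srcstorepass:file "$passfile" \
        -destkeystore "$tmpdir/jenkins.jks" -deststoretype jks -deststorepass:file "$passfile" \
        -destkeypass:file "$passfile"

    if [ -f "$out" ]; then cp -p "$out" "$out.bak"; fi
    install -m 0600 -o jenkins -g jenkins "$tmpdir/jenkins.jks" "$out"
}

deploy() {
    lineage="$1"
    if ! lineage_ok "$lineage"; then
        echo "deploy: $lineage lacks fullchain.pem or privkey.pem" >&2
        return 1
    fi
    echo "deploy: rebuilding $JKS_OUT for $(lineage_domain "$lineage")"
    convert_to_jks "$lineage" "$JKS_OUT" "$PASS_FILE"
    service jenkins restart
}

# certbot sets RENEWED_LINEAGE only when it runs this script as a deploy hook after
# a successful renewal; otherwise the functions are merely defined (e.g. when sourced).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE"
fi
```

Register it with `sudo certbot renew --deploy-hook /usr/local/sbin/jenkins-cert-deploy.sh` (or place it in /etc/letsencrypt/renewal-hooks/deploy/ so every renewal picks it up). One caveat for certificates obtained with `--manual`, as in this post: certbot can only renew them unattended when a `--manual-auth-hook` that sets the _acme-challenge TXT record is configured; otherwise repeat the interactive `certbot certonly` step and then run the script by hand with `RENEWED_LINEAGE=/etc/letsencrypt/live/my-jenkins-server.example.com`.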