Re: SSL native (self) Jenkins

2020-12-13 Thread geoffroy...@gmail.com
Hello

If the root CA of your company is not issued from a trusted provider, then 
you will need to deploy the root certificate to all the users' browsers.
We had such an issue when a company was issuing its own certificates using a 
private PKI.
Not a user-friendly solution; I would recommend going for a "real" signing 
authority like Digicert or others.

Another possible solution: maybe you are not providing Jenkins with the full 
SSL certificate, and it is missing the intermediate company certificate... 
In that case you should concatenate final & intermediate (& even root) into 
a single cert file.

Regarding letsencrypt, my understanding was that you need your server to be 
accessible from letsencrypt so that you can prove you own it. The alternative 
was using a dedicated entry from your company DNS. But maybe I've 
misunderstood the concept...

Regards

On Sunday, 13 December 2020 at 16:33:12 UTC+1 unli...@gmail.com wrote:

> Thanks, Gianluca.
> This group is very helpful in resolving issues with Jenkins.
>
> The problem is that the SSL certificate installed and certified by the 
> root CA certificate of my Corporation still does not work with the error 
> specified earlier. Therefore, it is important for me to get a good proven 
> and working instruction that will allow me to follow the steps to create, 
> sign, and install the certificate and settings in Jenkins.
> Please share this link to the description or video. Thanks.
>
>
> Hi,
> let’s separate two completely different tasks of what you are trying to 
> achieve:
> 1) Configure Jenkins server to serve itself over SSL / HTTPS
> 2) Use a certificate that your browser recognises as valid
>
> The documents you listed tell you how to do point 1), and in general it is 
> left to you (or to other guides) how to do point 2)
>
> Now, from the error you see on the browser, “CERT_AUTHORITY_INVALID”, I’m 
> pretty sure that you achieved 1)
> So, you actually did it !!
>
> But maybe you don’t know exactly what the error means. So, I’ll try to 
> detail it to the best of my knowledge (I’m not an expert on certificate 
> authorities):
> - the browser tries to reach your Jenkins over port 443 (HTTPS)
> - Jenkins replies correctly and the browser is happy and they start to 
> establish an SSL connection between them (that means they successfully 
> exchanged the SSL certificate and they can encrypt the connection)
> - But the browser wants to be sure that the certificate has been made by 
> some “known” trusted authority … let’s think of it like a known valid 
> institution that produces valid certificates
> - … but when it looks inside the certificates, it can’t find a certificate 
> authority that it knows … and then, for safety, it stops the communication 
> and raises an error saying that it can’t “trust” the certificate because it’s 
> not produced by an authority that it knows.
>
> So, Jenkins is set up correctly and you did everything correctly in 
> configuring it.
> The last bit that remains for you is to get a “real” valid certificate 
> from a real valid certificate authority … if you can’t, then you can’t 
> avoid the browser giving the CERT_AUTHORITY_INVALID error.
>
> I hope that’s clear.
>
> Cheers,
> Gianluca.
>
> P.S.: The fact that Jenkins does not have access to the Internet doesn’t 
> prevent you from getting a valid certificate from a valid authority, like 
> letsencrypt or other certificate authorities like Comodo SSL, and so on.
> We have many servers in our infrastructure without access to the Internet but 
> with valid certificates from Comodo SSL and LetsEncrypt
>
>
>
> On 11 Dec 2020, at 20:42, unli...@gmail.com wrote:
>
> SSL native (self) Jenkins
>
> Please help with the working instructions for installing SSL (https) on 
> Jenkins.
> Is it possible to install an SSL certificate on Jenkins without a reverse 
> proxy (nginx)?
>
> I tried these instructions below, but they didn't help (the certificate 
> doesn't work) and I get in the browser:
>
> Your connection is not private
> NET::ERR_CERT_AUTHORITY_INVALID
>
> p.s. My network with Jenkins does not have access to the Internet, so 
> solutions in letsencrypt and similar will not work for me.
>
> links:
> https://wiki.jenkins.io/pages/viewpage.action?pageId=135468777
>
> https://mohitgoyal.co/2017/02/08/securing-your-jenkins-environment-and-configure-for-auditing/
> https://wiki.jenkins.io/display/JENKINS/Running+Jenkins+behind+Nginx
> https://agirlhasnona.me/ops-tutorial-ssl-jenkins/
> https://jansipke.nl/enable-https-jenkins/
> 
> Thanks!
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Jenkins Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to jenkinsci-use...@googlegroups.com.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/jenkinsci-users/459881610.20201211234224%40gmail.com
>  
> 
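
The concatenation suggested in the reply above, shown as an added example that is not part of the thread: it builds a constructed three-level private PKI with `openssl`, then checks what a client that trusts only the corporate root can verify from a leaf-only file versus a leaf-plus-intermediate file. All names (`Example Corp Root CA`, `jenkins.example.internal`, the file names) are assumptions made up for the demonstration.

```bash
#!/bin/sh
# Added example. Every name below is constructed; nothing comes from a real PKI.

# Build root -> intermediate -> leaf in directory $1, plus the concatenated file.
make_pki() {
  local p=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$p/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Corp Root CA" \
    -keyout "$p/root.key" -out "$p/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Corp Issuing CA" \
    -keyout "$p/int.key" -out "$p/int.csr" 2>/dev/null
  openssl x509 -req -in "$p/int.csr" -CA "$p/root.pem" -CAkey "$p/root.key" \
    -CAcreateserial -days 2 -extfile "$p/ca.ext" -out "$p/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=jenkins.example.internal" \
    -keyout "$p/leaf.key" -out "$p/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$p/leaf.csr" -CA "$p/int.pem" -CAkey "$p/int.key" \
    -CAcreateserial -days 2 -out "$p/leaf.pem" 2>/dev/null
  # Final certificate first, then the intermediate, in one file.
  cat "$p/leaf.pem" "$p/int.pem" > "$p/fullchain.pem"
}

# $1 = trusted root, $2 = certificate file given to the server. The first
# certificate in $2 is verified; the rest of $2 serves as untrusted intermediates.
served_file_verifies() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# Succeeds if every certificate in bundle $1 was issued by the one after it.
chain_in_order() {
  local tmp prev="" subj f rc=0
  tmp=$(mktemp -d)
  awk -v d="$tmp" '/BEGIN CERTIFICATE/{f=sprintf("%s/%02d.pem",d,++n)} f{print > f}' "$1"
  for f in "$tmp"/*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
    if [ -n "$prev" ] && [ "$prev" != "$subj" ]; then rc=1; fi
    prev=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
  done
  rm -rf "$tmp"
  return $rc
}

work=$(mktemp -d) && make_pki "$work"
for f in leaf.pem fullchain.pem; do
  if served_file_verifies "$work/root.pem" "$work/$f"; then r="chains to the root"
  else r="issuer not found"; fi
  echo "$f: $r"
done
rm -rf "$work"
```

The same two functions can be pointed at a real corporate root and the certificate file actually given to Jenkins to tell a missing intermediate apart from a root that the client simply does not trust.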

Re: SSL native (self) Jenkins

2020-12-13 Thread unlimhost
Thanks, Gianluca.
This group is very helpful in resolving issues with Jenkins.

The problem is that the SSL certificate installed and certified by the root CA certificate of my Corporation still does not work with the error specified earlier. Therefore, it is important for me to get a good proven and working instruction that will allow me to follow the steps to create, sign, and install the certificate and settings in Jenkins.
Please share this link to the description or video. Thanks.





Hi,
let’s separate two completely different tasks of what you are trying to achieve:
1) Configure Jenkins server to serve itself over SSL / HTTPS
2) Use a certificate that your browser recognises as valid

The documents you listed tell you how to do point 1), and in general it is left to you (or to other guides) how to do point 2)

Now, from the error you see on the browser, “CERT_AUTHORITY_INVALID”, I’m pretty sure that you achieved 1)
So, you actually did it !!

But maybe you don’t know exactly what the error means. So, I’ll try to detail it to the best of my knowledge (I’m not an expert on certificate authorities):
- the browser tries to reach your Jenkins over port 443 (HTTPS)
- Jenkins replies correctly and the browser is happy and they start to establish an SSL connection between them (that means they successfully exchanged the SSL certificate and they can encrypt the connection)
- But the browser wants to be sure that the certificate has been made by some “known” trusted authority … let’s think of it like a known valid institution that produces valid certificates
- … but when it looks inside the certificates, it can’t find a certificate authority that it knows … and then, for safety, it stops the communication and raises an error saying that it can’t “trust” the certificate because it’s not produced by an authority that it knows.

So, Jenkins is set up correctly and you did everything correctly in configuring it.
The last bit that remains for you is to get a “real” valid certificate from a real valid certificate authority … if you can’t, then you can’t avoid the browser giving the CERT_AUTHORITY_INVALID error.

I hope that’s clear.

Cheers,
Gianluca.

P.S.: The fact that Jenkins does not have access to the Internet doesn’t prevent you from getting a valid certificate from a valid authority, like letsencrypt or other certificate authorities like Comodo SSL, and so on.
We have many servers in our infrastructure without access to the Internet but with valid certificates from Comodo SSL and LetsEncrypt







On 11 Dec 2020, at 20:42, unlimh...@gmail.com wrote:

SSL native (self) Jenkins
Please help with the working instructions for installing SSL (https) on Jenkins.
Is it possible to install an SSL certificate on Jenkins without a reverse proxy (nginx)?

I tried these instructions below, but they didn't help (the certificate doesn't work) and I get in the browser:

Your connection is not private
NET::ERR_CERT_AUTHORITY_INVALID

p.s. My network with Jenkins does not have access to the Internet, so solutions in letsencrypt and similar will not work for me.

links:
https://wiki.jenkins.io/pages/viewpage.action?pageId=135468777
https://mohitgoyal.co/2017/02/08/securing-your-jenkins-environment-and-configure-for-auditing/
https://wiki.jenkins.io/display/JENKINS/Running+Jenkins+behind+Nginx
https://agirlhasnona.me/ops-tutorial-ssl-jenkins/
https://jansipke.nl/enable-https-jenkins/

Thanks!
