I want to enable LDAPS under security in Jenkins but my LDAP server has a self-signed CERT. Has anyone done this or have some pointers on doing this? Do I have to use keytool?

In my Dockerfile I'm trying the following but this won't work:

FROM jenkins

USER root

# Install CA certs
COPY ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
RUN chmod +r /etc/ssl/certs/ca-certificates.crt

# Install the Jenkins plugins
COPY plugins.txt /usr/share/jenkins/plugins.txt
RUN /usr/local/bin/plugins.sh /usr/share/jenkins/plugins.txt

# Expose container port 33848 for Jenkins UDP-based auto-discovery
EXPOSE 33848/udp

ENV JAVA_OPTS -Xmx2048m
occasl

3 Answers

It turns out I just need to add this in the Dockerfile where ldap.cer is the cert chain for my self-signed cert.

COPY ldap.cer $JAVA_HOME/conf/security
RUN \
    cd $JAVA_HOME/conf/security \
    && keytool -cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias ldapcert -file ldap.cer
occasl

  • I needed to add a "USER root" command before the run to get around some permission problems. – Mr Shark Nov 28 '16 at 10:14
  • Oh man, this took me ages before on a full server install. Now it was sooooo easy...... Thank you so much! – uncletall Sep 26 '17 at 09:09
  • Thanks, this helped! – kolyaiks Mar 19 '21 at 13:06
  • This doesn't work anymore with newer Java versions. However, the fixes are pretty easy: a) `$JAVA_HOME/conf/security` instead of `$JAVA_HOME/jre/lib/security`; b) `-cacerts` instead of `-keystore cacerts` (which actually makes the directory irrelevant). As @MrShark said, you also need to add `USER root` before it, but don't forget to add `USER jenkins` _after_ it - otherwise Jenkins will run as root. – Rob Spoor Jan 27 '23 at 09:19
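Putting the accepted answer and the comments together, here is an added example Dockerfile (not from the original answer or the Jenkins project) that does the import as root, checks the file is the CA you expect before trusting it, confirms the alias landed in the truststore, and drops back to the jenkins user. The file name ldap.cer, the alias ldapcert and the build argument LDAP_CA_SHA256 are assumptions.

```dockerfile
# Added example: import a self-signed LDAP CA into the JVM truststore of the
# Jenkins image. Assumes ldap.cer sits next to the Dockerfile and that the
# expected SHA-256 fingerprint (as shown by `keytool -printcert -file ldap.cer`)
# is passed in with --build-arg LDAP_CA_SHA256=AA:BB:...
FROM jenkins

# Fingerprint of the CA you intend to trust; build fails if it is missing
ARG LDAP_CA_SHA256

# keytool needs write access to the JVM's cacerts file
USER root

# Stage the certificate outside the truststore directory; it is removed after import
COPY ldap.cer /tmp/ldap.cer

# 1. refuse an empty fingerprint (otherwise the grep below would match anything)
# 2. refuse the file unless its SHA-256 fingerprint is the one we expect
# 3. -cacerts targets the JVM's default truststore, so no cd is needed (Java 9+)
# 4. list the alias afterwards so a silent import failure breaks the build
RUN test -n "${LDAP_CA_SHA256}" \
    && keytool -printcert -file /tmp/ldap.cer | grep -q "SHA256: ${LDAP_CA_SHA256}" \
    && keytool -cacerts -storepass changeit -noprompt -trustcacerts -importcert \
         -alias ldapcert -file /tmp/ldap.cer \
    && keytool -cacerts -storepass changeit -list -alias ldapcert \
    && rm /tmp/ldap.cer

# Return to the unprivileged user so Jenkins itself does not run as root
USER jenkins
```

Rebuilding the image is required whenever the LDAP certificate is rotated, since the trust decision is baked into the image layer.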

Run keytool to import the CA cert into your java keystore.

See:

telling java to accept self-signed ssl certificate

Mark O'Connor

On our build server with Jenkins, Nexus and SonarQube we use an extracted and prepared cacerts file on the host using a start parameter for docker run.

See my answer on Stackoverflow "Importing self-signed cert into Docker's JRE cacert is not recognized by the service"

Volker Seibt