
I want to configure ldaps on Jenkins in a Docker container.

Problem: Jenkins will not trust my certificate (confirmed by Wireshark traces); it appears the certificate is not loading into the keystore (or the correct keystore).

Error Message:

  • In Jenkins: Unable to connect to ldaps://taxmducs01-v.cybertax.cso.com:636 : javax.naming.CommunicationException: simple bind failed: taxmducs01-v.cybertax.cso.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:

  • In Wireshark: Alert (Level: Fatal, Description: Certificate unknown)

Troubleshooting performed:

Here is my dockerfile:

FROM jenkinsci/blueocean

USER root 

COPY ["entrypoint.sh", "/"]

RUN apk add sudo && chmod 755 /entrypoint.sh

ENTRYPOINT ["/bin/bash","-c","./entrypoint.sh"]

COPY ["ldapRoot.cer", "/tmp"]
RUN \
    cd /tmp \
    && keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias ldapcert -file ldapRoot.cer

Here is the log output from docker-compose:

docker-compose up --build
Building jenkins
Step 1/7 : FROM jenkinsci/blueocean
 ---> 9e29fdde63cc
Step 2/7 : USER root
 ---> Using cache
 ---> 597101d109b7
Step 3/7 : COPY ["entrypoint.sh", "/"]
 ---> Using cache
 ---> 32eea6c01a84
Step 4/7 : RUN apk add sudo && chmod 755 /entrypoint.sh
 ---> Using cache
 ---> 28858a5e6ec5
Step 5/7 : ENTRYPOINT ["/bin/bash","-c","./entrypoint.sh"]
 ---> Using cache
 ---> f466e9893c75
Step 6/7 : COPY ["ldapRoot.cer", "/tmp"]
 ---> 64dda06d6ed4
Step 7/7 : RUN     cd /tmp     && keytool -keystore cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias ldapcert -file ldapRoot.cer
 ---> Running in 95309101bec9
Certificate was added to keystore
Removing intermediate container 95309101bec9
 ---> cff58441080f
Successfully built cff58441080f
Successfully tagged docker_jenkins:latest
Recreating docker_jenkins_1 ... done

Any idea what I am doing wrong?

Dave

1 Answer

I believe you just created a new keystore file, /tmp/cacerts, instead of updating /etc/ssl/certs/java/cacerts. What if you update the keytool import command to point to /etc/ssl/certs/java/cacerts? Or is entrypoint.sh using /tmp/cacerts as your truststore?

Toby
This worked! Thank you, learned a few things as well: 1) LDAP/LDAPS integration seems to have problems with applying roles to groups; I used the Active Directory plugin instead. Still need to follow these steps to get encryption to work. 2) Active Directory uses StartTLS, so the Wireshark trace will first show an LDAP communication between Jenkins and the server, then TLS will start after. You can also use the server log to view this happening (Manage Jenkins > System Log > Add new recorder > Name it, use the logger "hudson.plugins.active_directory.ActiveDirectorySecurityRealm" and save) – Dave Nov 05 '19 at 20:20
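The build stage below is an added example, not the poster's Dockerfile or the answer's code: it imports the CA into the JVM truststore by absolute path, as the answer suggests, and makes the build fail if the alias does not end up in that truststore. The truststore path /etc/ssl/certs/java/cacerts comes from the answer; the fallback path derived from the java binary, and the file name ldapRoot.cer, are assumptions.

```dockerfile
FROM jenkinsci/blueocean

USER root

# CA certificate that signed the LDAP server's certificate (file name assumed).
COPY ["ldapRoot.cer", "/tmp/ldapRoot.cer"]

# Import into the JVM's own truststore by ABSOLUTE path.
# The original "cd /tmp && keytool -keystore cacerts ..." created a brand-new
# /tmp/cacerts; "Certificate was added to keystore" was true, but Jenkins never
# reads that file, so PKIX path building still failed.
# Path 1 is the one named in the answer; path 2 is an assumed fallback derived
# from the java binary for images that lay the JRE out differently.
# Then list the alias from the same file: keytool exits non-zero if the alias
# is missing, which aborts the build instead of shipping a broken truststore.
RUN set -eu; \
    TRUSTSTORE=/etc/ssl/certs/java/cacerts; \
    if [ ! -f "$TRUSTSTORE" ]; then \
        JAVA_BIN="$(readlink -f "$(command -v java)")"; \
        TRUSTSTORE="$(dirname "$(dirname "$JAVA_BIN")")/lib/security/cacerts"; \
    fi; \
    echo "importing into $TRUSTSTORE"; \
    keytool -importcert -noprompt -trustcacerts \
        -keystore "$TRUSTSTORE" -storepass changeit \
        -alias ldapcert -file /tmp/ldapRoot.cer; \
    keytool -list -keystore "$TRUSTSTORE" -storepass changeit \
        -alias ldapcert >/dev/null; \
    rm -f /tmp/ldapRoot.cer
```

On Java 9 or newer, keytool also accepts -cacerts in place of -keystore <path> to target the default JVM truststore directly, which avoids guessing the path at all.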