SSL

  • Generate Free Wildcard SSL certificate using Let's Encrypt/Certbot

     1. Generate the wildcard SSL certificate

          /opt/certbot/certbot-auto certonly --manual --preferred-challenges=dns --email my@email.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.mydomain.com -d mydomain.com

        Note: Replace my@email.com, *.mydomain.com and mydomain.com with your actual information.

     2. Verify the domain's ownership

        Let's Encrypt wildcard certificates only accept the DNS challenge method, which we invoke with the --preferred-challenges=dns flag. After you run the command in step 1, Certbot prints a TXT record that you must add to your DNS:

          - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Please deploy a DNS TXT record under the name
          _acme-challenge.vhinandrich.com with the following value:

          vE7k91-8K9XPyMcNYFXP19Ijv7T4o0GAkJnRlwW7af0

          Before continuing, verify the record is deployed.
          - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

        Create the TXT record in your DNS console with this host and value:

          Host: _acme-challenge
          Value: vE7k91-8K9XPyMcNYFXP19Ijv7T4o0GAkJnRlwW7af0

     3. Get your certificate

        After adding the DNS challenge record, continue with the certificate generation. Certbot returns the paths of the SSL certificate chain and the private key:

          IMPORTANT NOTES:
           - Congratulations! Your certificate and chain have been saved at:
             /etc/letsencrypt/live/mydomain.com/fullchain.pem
             Your key file has been saved at:
             /etc/letsencrypt/live/mydomain.com/privkey.pem
             Your cert will expire on 2020-09-07. To obtain a new or tweaked
             version of this certificate in the future, simply run certbot-auto
             again. To non-interactively renew *all* of your certificates, run
             "certbot-auto renew"
           - If you like Certbot, please consider supporting our work by:

             Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
             Donating to EFF:                    https://eff.org/donate-le

     4. Verify the certificate

        To check the validity of all your certificates, run this on the command line:

          /opt/certbot/certbot-auto certificates

        Return:

          - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          Found the following certs:
            Certificate Name: mydomain.com
              Serial Number: 3e53264dd24388560fb3dd95e2aa5970bbd
              Domains: *.mydomain.com mydomain.com
              Expiry Date: 2020-09-07 02:43:05+00:00 (VALID: 89 days)
              Certificate Path: /etc/letsencrypt/live/mydomain.com/fullchain.pem
              Private Key Path: /etc/letsencrypt/live/mydomain.com/privkey.pem
          - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

        Note: With the manual DNS challenge used here, renewal of wildcard certificates always has to be done by hand, because a fresh TXT record must be deployed for every renewal. You therefore can't rely on a cron job to renew these wildcard certificates.
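        A way to confirm step 2 before pressing Enter in Certbot, as an added example that is not part of the original notes: it polls the zone's own nameserver and a public resolver for the _acme-challenge TXT value. The domain and token are whatever Certbot printed; the 1.1.1.1 resolver, the poll count and the 15-second interval are assumptions.

```shell
#!/bin/sh
# Check that the _acme-challenge TXT record is visible before continuing in
# certbot. Added example, not from the original notes; DOMAIN and TOKEN come
# from certbot's step 2 output, the 1.1.1.1 resolver is an assumption.

# Read `dig +short TXT` output on stdin; succeed if any record equals $1.
# dig prints every TXT record as a quoted string, and stale records from
# earlier attempts may still be in the zone, so each line is compared.
txt_has_value() {
  while IFS= read -r line; do
    v=${line#\"}; v=${v%\"}            # strip the surrounding quotes
    [ "$v" = "$1" ] && return 0
  done
  return 1
}

# Query one resolver for the challenge name: acme_txt_present DOMAIN TOKEN [RESOLVER]
acme_txt_present() {
  dig +short TXT "_acme-challenge.$1" @"${3:-1.1.1.1}" | txt_has_value "$2"
}

# Poll until the record is visible both at the zone's authoritative
# nameserver and at a public resolver (Let's Encrypt validates from several
# vantage points), then the operator can press Enter in certbot.
# Usage: wait_for_acme_txt DOMAIN TOKEN [ATTEMPTS]
wait_for_acme_txt() {
  auth_ns=$(dig +short NS "$1" | head -n 1)
  auth_ns=${auth_ns:-1.1.1.1}          # fall back to the public resolver
  tries=${3:-20}
  while [ "$tries" -gt 0 ]; do
    if acme_txt_present "$1" "$2" "$auth_ns" && acme_txt_present "$1" "$2"; then
      echo "TXT record for _acme-challenge.$1 is visible; continue in certbot"
      return 0
    fi
    tries=$((tries - 1)); sleep 15
  done
  echo "TXT record not visible after polling; check the DNS console" >&2
  return 1
}
```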
  • Jenkins

    Jenkins (standalone) SSL + Let's Encrypt

    In this tutorial, I will show how to use a free Let's Encrypt SSL certificate with a standalone Jenkins on Ubuntu 16.04. Installation of certbot and Jenkins is not covered here.

    Generate Certificates

    Run the command to generate the certificate and key files:

      sudo certbot certonly --standalone --preferred-challenges http -d example.com

    You should get this response:

      Saving debug log to /var/log/letsencrypt/letsencrypt.log
      Plugins selected: Authenticator standalone, Installer None
      Obtaining a new certificate
      Performing the following challenges:
      http-01 challenge for example.com
      Waiting for verification...
      Cleaning up challenges

      IMPORTANT NOTES:
       - Congratulations! Your certificate and chain have been saved at:
         /etc/letsencrypt/live/example.com/fullchain.pem
         Your key file has been saved at:
         /etc/letsencrypt/live/example.com/privkey.pem
         Your cert will expire on 2019-02-07. To obtain a new or tweaked
         version of this certificate in the future, simply run certbot
         again. To non-interactively renew *all* of your certificates, run
         "certbot renew"
       - If you like Certbot, please consider supporting our work by:

         Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
         Donating to EFF:                    https://eff.org/donate-le

    If you get this response instead, the standalone authenticator could not open port 80 because another web server is already listening on it; stop that web server and run the command again:

      Saving debug log to /var/log/letsencrypt/letsencrypt.log
      Plugins selected: Authenticator standalone, Installer None
      Obtaining a new certificate
      Performing the following challenges:
      http-01 challenge for example.com
      Cleaning up challenges
      Problem binding to port 80: Could not bind to IPv4 or IPv6. You need to stop your web server and try again.

    Convert the certificate to a JKS keystore

    Go to your certificate folder:

      cd /etc/letsencrypt/live/example.com

    First convert the certificate to a PKCS12 file:

      openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out keys.pkcs12

    If you are renewing the certificates, delete the existing /var/lib/jenkins/jenkins.jks file first. Then convert the PKCS12 file to a JKS file:

      keytool -importkeystore -srckeystore keys.pkcs12 -srcstoretype pkcs12 -destkeystore /var/lib/jenkins/jenkins.jks

    Enter the export and import passwords, and answer "yes" if asked to overwrite an existing alias:

      Enter Export Password:
      Verifying - Enter Export Password:
      root@example:/etc/letsencrypt/live/example.com# keytool -importkeystore -srckeystore keys.pkcs12 -srcstoretype pkcs12 -destkeystore /var/lib/jenkins/jenkins.jks
      Importing keystore keys.pkcs12 to /var/lib/jenkins/jenkins.jks...
      Enter destination keystore password:
      Enter source keystore password:
      Existing entry alias 1 exists, overwrite? [no]:  yes
      Entry for alias 1 successfully imported.
      Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

    Set Jenkins configuration to use the SSL

    Edit the Jenkins config file:

      vim /etc/default/jenkins

    Look for JENKINS_ARGS and update the value to this:

      JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=-1 --httpsPort=8443 --httpsKeyStore=/var/lib/jenkins/jenkins.jks --httpsKeyStorePassword=PASSWORD_SET_ON_CONVERT_TO_JKS"

    Restart Jenkins:

      sudo service jenkins restart
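    The conversion steps above, rewritten as a non-interactive script that can run as a certbot --deploy-hook so each renewal rebuilds the Jenkins keystore (an added example, not code from the original tutorial). It assumes the keystore password is supplied in a KEYSTORE_PASS variable, that keytool is on the PATH, and the /etc/letsencrypt/live/<domain>/ layout from the tutorial; it also checks, before converting, that privkey.pem really belongs to fullchain.pem.

```shell
#!/bin/sh
# Pre-flight checks plus the PEM -> PKCS12 -> JKS conversion from the
# tutorial, usable as a certbot --deploy-hook so renewals rebuild the
# keystore. Added example, not from the original tutorial; KEYSTORE_PASS
# and the live/ path layout are assumptions.

# Succeed only if the private key in $2 matches the leaf certificate in $1.
# A mismatch (e.g. a stale privkey.pem after renewal) makes keytool fail later.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed if the certificate in $1 expires within $2 days (renewal is due).
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend $(($2 * 86400)) >/dev/null
}

# Build the PKCS12 bundle the tutorial feeds to keytool, reading the
# password from KEYSTORE_PASS instead of an interactive prompt.
build_pkcs12() {
  cert_key_match "$1" "$2" || { echo "private key does not match $1" >&2; return 1; }
  openssl pkcs12 -export -inkey "$2" -in "$1" -out "$3" \
    -passout "pass:$KEYSTORE_PASS" && [ -s "$3" ]
}

# Replace the JKS (the tutorial deletes the old one first) without prompts.
to_jks() {
  rm -f "$2"
  keytool -importkeystore -srckeystore "$1" -srcstoretype pkcs12 \
    -srcstorepass "$KEYSTORE_PASS" -destkeystore "$2" \
    -deststorepass "$KEYSTORE_PASS" -noprompt
}

# Usage: KEYSTORE_PASS=... deploy-hook.sh example.com
main() {
  live=/etc/letsencrypt/live/$1
  [ -n "$KEYSTORE_PASS" ] || { echo "KEYSTORE_PASS is not set" >&2; exit 1; }
  build_pkcs12 "$live/fullchain.pem" "$live/privkey.pem" "$live/keys.pkcs12" || exit 1
  to_jks "$live/keys.pkcs12" /var/lib/jenkins/jenkins.jks || exit 1
  service jenkins restart
}
if [ -n "${1:-}" ]; then main "$1"; fi
```

The password passed as --httpsKeyStorePassword in /etc/default/jenkins must be the same KEYSTORE_PASS value, so keep both in a root-only file.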