java nginx jenkins ssl-certificate systemd

Unrecognized option: --httpsCertificate=/opt/certs/project.crt in Jenkins Systemd


361.4 on Linux. I have an Nginx proxy using SSL. I'm trying to expose Jenkins via this SSL proxy. In order for this I have copied the SSL certificate and key of Nginx to /opt/certs/project.crt & /opt/certs/project.key. I have changed ownership to Jenkins. Now when I add the following command to /usr/lib/systemd/system/jenkins.service

[Service]
Type=notify
NotifyAccess=main
ExecStart=/usr/bin/jenkins --httpPort=-1 --httpsPort=8080 --httpsCertificate=/opt/certs/project.crt --httpsPrivateKey=/opt/certs/project.key
Restart=on-failure
SuccessExitStatus=143

Then I did systemctl daemon-reload & systemctl restart jenkins. I see the below error in the Jenkins logs.

Unrecognized option: --httpsCertificate=/opt/certs/project.crt

Also I tried the below without doing the above change; there also I get the same error message.

Environment="JENKINS_OPTS= --httpPort=-1 --httpsPort=8080 --httpsCertificate=/opt/certs/project.crt --httpsPrivateKey=/opt/certs/project.key"

I also imported the certificate to the JVM using the below (though not sure whether this is required).

<JAVA_HOME>/bin/keytool -importcert -alias <server_name> -keystore <JAVA_HOME>/lib/security/cacerts -file /opt/certs/project.crt

Hope someone can help me with the error message. Thank you.


Solution

  • Based on the proposal [JENKINS-68694] Winstone 6.1: Upgrade Jetty from 9.4.46.v20220331 to 10.0.11, the flags --httpsPrivateKey and --httpsCertificate have been replaced with --httpsKeyStore and --httpsKeyStorePassword.

    Fix

    Update the certificate's format to use a keystore, for example using:

    # Convert from PEM to P12
    openssl pkcs12 -export -in project.crt -inkey project.key -out temp_cert.p12 -name "project_alias"
    
    # Convert from P12 to JKS
    # you'll get prompted for a new jks password, memorize it
    keytool -importkeystore -srckeystore temp_cert.p12 -srcstoretype pkcs12 -destkeystore project.jks
    
    # Set the alias (cert) password to the same of the jks password
    keytool -keypasswd -alias project_alias -keystore project.jks
    

    Finally, use the project.jks file and the jks password as follows:

    ExecStart=/usr/bin/jenkins --httpPort=-1 --httpsPort=8080 --httpsKeyStore=/opt/certs/project.jks --httpsKeyStorePassword=JKS_PASSWORD

    Further details could be found in this gist

    Work around

    Use an older jenkins version, for example 2.362
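
As an added example (not part of the original answer or of Jenkins itself), the shell function below checks a unit file for the two flags the answer says were replaced and for the keystore options it recommends, and reports a keystore file that is missing or readable by other users. The function name check_jenkins_tls_flags and the constructed sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): lint a Jenkins systemd unit or
# drop-in for the TLS options discussed above before restarting the service.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_jenkins_tls_flags() {
    unit=$1
    rc=0
    # Jenkins options live on ExecStart= or Environment="JENKINS_OPTS=..." lines.
    opts=$(grep -E '^[[:space:]]*(ExecStart|Environment)=' "$unit") || {
        echo "no ExecStart= or Environment= line in $unit"
        return 1
    }
    has() { printf '%s\n' "$opts" | grep -q -e "$1"; }

    # Flags the answer reports as replaced; Jenkins rejects them at startup.
    for old in --httpsCertificate --httpsPrivateKey; do
        if has "$old="; then
            echo "removed flag: $old (use --httpsKeyStore and --httpsKeyStorePassword)"
            rc=1
        fi
    done

    # An HTTPS listener needs both keystore options.
    if has '--httpsPort='; then
        for need in --httpsKeyStore --httpsKeyStorePassword; do
            has "$need=" || { echo "missing flag: $need"; rc=1; }
        done
    fi

    # The keystore contains the private key: report it if missing or world-readable.
    ks=$(printf '%s\n' "$opts" | sed -n 's/.*--httpsKeyStore=\([^ "]*\).*/\1/p' | head -n 1)
    if [ -n "$ks" ]; then
        if [ ! -f "$ks" ]; then
            echo "keystore not found: $ks"; rc=1
        elif [ -n "$(find "$ks" -perm -004)" ]; then
            echo "keystore is world-readable: $ks"; rc=1
        fi
    fi
    return $rc
}

# Constructed sample: the ExecStart line from the question.
sample=$(mktemp)
echo 'ExecStart=/usr/bin/jenkins --httpPort=-1 --httpsPort=8080 --httpsCertificate=/opt/certs/project.crt --httpsPrivateKey=/opt/certs/project.key' > "$sample"
check_jenkins_tls_flags "$sample" || echo "unit needs changes"
rm -f "$sample"
```

The value given to --httpsKeyStorePassword is stored in the unit file and appears on the Jenkins process command line, so treat both as readable by local users.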