Bitnami Jenkins SSL Config

I am a real fan of Bitnami Stacks. They are great for both local dev and production deployments. Stacks exist for a plethora of applications including: Mantis (Bug tracker), Nginx (HTTP Server), Moodle (eLearning), WordPress (Blog), Magento (eCommerce) and Jenkins (CI). Setup on the Amazon Cloud is simple and straightforward:

  1. Pick the application
  2. Choose the AWS Region
  3. Choose the 64-bit EBS AMI
  4. Configure the AMI via the AWS EC2 Launch Wizard
  5. Confirm the config
  6. Launch the instance
  7. Grab some coffee

That process is the same regardless of the stack and saves me the time required to manually configure an instance post-launch or to set up containerization. The plumbing of the stacks is very clean should you want to customize further. Even installing a public SSL certificate for the Jenkins stack is painless. Following is an overview of that process for a Wildcard SSL cert.

CSR Generation

After your instance is up and running you can SSH into the device:

$ ssh -i ~/.ssh/your_ec2_private_key.pem bitnami@your_ec2_ip_or_domain

Now that you’re connected, you can generate the certificate signing request (CSR) that you’ll need to order your SSL cert:

$ sudo openssl req -new -newkey rsa:2048 -nodes -out server.csr -keyout server.key

This will generate your CSR and private key in /home/bitnami.

Note: Should you want to generate your CSR without stepping through the interactive Q&A on the CLI, I would recommend DigiCert’s OpenSSL CSR Wizard, which provides a form that you can complete with all of the details you normally have to provide in interactive mode. That tool then produces a command like the following that you can copy/paste into the CLI to bypass the prompts:

$ sudo openssl req -new -newkey rsa:2048 -nodes -out star_fxnetworks_com.csr -keyout star_fxnetworks_com.key -subj "/C=US/ST=California/L=Los Angeles/O=FX Networks/OU=Digital/CN=*.fxnetworks.com"

Armed with your CSR, you can now complete the certificate order process.

Certificate Installation

After completing certificate validation and receiving your cert from the Certificate Authority (CA), you are ready to install the SSL cert and the Root CA cert. Upload your SSL cert and the Root CA cert to the bitnami home directory via SFTP. Next, back up the self-signed certificate and private key:

$ sudo cp /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.bak
$ sudo cp /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.bak

Now you want to move the SSL cert, the private key you created earlier and the Root CA cert to the /opt/bitnami/apache2/conf directory:

$ sudo mv /home/bitnami/star_fxnetworks_com.crt /opt/bitnami/apache2/conf/server.crt
$ sudo mv /home/bitnami/star_fxnetworks_com.key /opt/bitnami/apache2/conf/server.key
$ sudo mv /home/bitnami/AddTrustExternalCARoot.crt /opt/bitnami/apache2/conf/server-ca.crt

Next, change the ownership and file permissions for those files so that they are only accessible by the root user:

$ sudo chown root:root /opt/bitnami/apache2/conf/server*
$ sudo chmod 600 /opt/bitnami/apache2/conf/server*

Now you can activate the certificate by updating the SSL default virtual host in the bitnami config:

$ sudo nano /opt/bitnami/apache2/conf/bitnami/bitnami.conf

The SSL virtual host definition (starting at line 55 of bitnami.conf) should read as follows:

<VirtualHost _default_:443>
  DocumentRoot "/opt/bitnami/apache2/htdocs"
  SSLEngine on
  SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
  # <-- add the following line (Apache does not allow a trailing comment on a directive)
  SSLCACertificateFile "/opt/bitnami/apache2/conf/server-ca.crt"
  <Directory "/opt/bitnami/apache2/htdocs">
    Options FollowSymLinks MultiViews
    AddLanguage en en
    AddLanguage es es
    AddLanguage pt-BR pt-br
    AddLanguage zh zh
    AddLanguage ko ko
    AddLanguage he he
    AddLanguage de de
    AddLanguage ro ro
    AddLanguage ru ru
    LanguagePriority en
    ForceLanguagePriority Prefer Fallback

    AllowOverride All
    <IfVersion < 2.3 >
      Order allow,deny
      Allow from all
    </IfVersion>
    <IfVersion >= 2.3 >
      Require all granted
    </IfVersion>
  </Directory>

  # Error Documents
  ErrorDocument 503 /503.html

  # Resolves Jenkins "reverse proxy broken" message <-- add this section
  AllowEncodedSlashes NoDecode
  ProxyRequests Off
  ProxyPass /jenkins ajp://localhost:8009/jenkins nocanon
  ProxyPass / http://localhost:8080/ nocanon
  ProxyPassReverse / http://localhost:8080/
  ProxyPassReverse / http://subdomain.fxnetworks.com/
  RequestHeader set X-Forwarded-Proto "https"
  RequestHeader set X-Forwarded-Port "443"

  # Bitnami applications installed with a prefix URL (default)
  Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>

And you’re all set now. All that’s left to do is restart Apache and Tomcat:

$ sudo /opt/bitnami/ctlscript.sh restart
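Before that restart, a quick sanity check of the staged files catches the usual mistakes (key and cert from different CSRs, a chain that does not validate, a wildcard that does not cover the hostname, a chmod that was skipped) while the self-signed backups are still one `cp` away. This is an added example script, not part of the Bitnami stack or the original post; it assumes the three file names used above and takes the conf directory and hostname as arguments so it can also be run against a scratch copy.

```shell
#!/usr/bin/env bash
# Added sanity checks for the files staged in /opt/bitnami/apache2/conf.
# Example script, not part of the Bitnami stack; directory and hostname are
# parameters (assumption) so it can also run against a scratch copy.

# 0 if the public half of the private key equals the public key in the cert.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if the cert validates against the CA file (server-ca.crt in the post).
cert_chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the cert's names cover the host. A wildcard such as *.example.test
# matches exactly one label, so the bare apex name is correctly rejected.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# 0 if the cert stays valid for at least $2 more seconds.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# 0 if the file mode is exactly 600, as the chmod step in the post leaves it.
mode_is_600() {
  [ "$(stat -c '%a' "$1" 2>/dev/null)" = "600" ]
}

# Run every check for one conf directory; returns the number of failures.
check_staged_certs() {
  local dir="$1" host="$2" fails=0 f
  key_matches_cert "$dir/server.crt" "$dir/server.key" || { echo "server.key does not match server.crt"; fails=$((fails+1)); }
  cert_chains_to_ca "$dir/server.crt" "$dir/server-ca.crt" || { echo "server.crt does not validate against server-ca.crt"; fails=$((fails+1)); }
  cert_covers_host "$dir/server.crt" "$host" || { echo "server.crt does not cover $host"; fails=$((fails+1)); }
  cert_valid_for "$dir/server.crt" $((30*86400)) || { echo "server.crt expires within 30 days"; fails=$((fails+1)); }
  for f in server.crt server.key server-ca.crt; do
    mode_is_600 "$dir/$f" || { echo "$f is not mode 600"; fails=$((fails+1)); }
  done
  [ "$fails" -eq 0 ] && echo "all checks passed"
  return "$fails"
}

# Usage on the instance: sudo bash check_certs.sh /opt/bitnami/apache2/conf jenkins.fxnetworks.com
if [ $# -eq 2 ]; then check_staged_certs "$1" "$2"; exit $?; fi
```

Run it with sudo so the root-owned, mode-600 key is readable; a non-zero exit means something to fix before the restart.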

Voilà, your build server is now secured with your Wildcard SSL certificate!
