tl;dr: fixed
I have been running a Jenkins instance for a while with a self-signed certificate, which worked fine apart from the hassle of creating a certificate validation exception in the browser. So today I obtained a free Class 1 certificate from StartSSL, changed the path in /etc/sysconfig/jenkins and restarted the service, but it does not work at all:
$ openssl s_client -connect localhost:8080 -debug
CONNECTED(00000003)
write to 0xdce210 [0xdeeca0] (171 bytes => 171 (0xAB))
0000 - 16 03 01 00 a6 01 00 00-a2 03 03 52 e3 f5 18 90   ...........R....
0010 - e2 24 10 6a 6e ee 24 88-cd 52 e8 a8 0b 6f 71 85   .$.jn.$..R...oq.
0020 - 3f 5b a1 53 7b 2c 74 fe-a2 68 25 00 00 54 00 a3   ?[.S{,t..h%..T..
0030 - 00 9f 00 6b 00 6a 00 39-00 38 00 88 00 87 00 9d   ...k.j.9.8......
0040 - 00 3d 00 35 00 84 00 16-00 13 00 0a 00 a2 00 9e   .=.5............
0050 - 00 67 00 40 00 33 00 32-00 9a 00 99 00 45 00 44   .g.@.3.2.....E.D
0060 - 00 9c 00 3c 00 2f 00 96-00 41 00 07 00 05 00 04   ...<./...A......
0070 - 00 15 00 12 00 09 00 14-00 11 00 08 00 06 00 03   ................
0080 - 00 ff 01 00 00 25 00 23-00 00 00 0d 00 18 00 16   .....%.#........
0090 - 06 01 06 02 05 01 05 02-04 01 04 02 03 01 03 02   ................
00a0 - 02 01 02 02 01 01 00 0f-00 01 01                  ...........
read from 0xdce210 [0xdf4200] (7 bytes => 0 (0x0))
140506493065056:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 171 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
There are no errors in /var/log/jenkins/jenkins.log or /var/log/messages.
openssl seems to consider my certificate legitimate:
openssl x509 -in jenkins.crt.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 925667 (0xe1fe3)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA
        Validity
            Not Before: Jan 24 16:19:28 2014 GMT
            Not After : Jan 25 15:09:34 2015 GMT
[...]
After putting it into a Java KeyStore file it still appears to be valid (FQDN anonymised):
$ keytool -list -keystore jenkins.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

jenkins_domain_tld, Jan 25, 2014, trustedCertEntry,
Certificate fingerprint (MD5): 3D:6A:AB:83:0B:E8:21:DF:C3:17:E9:88:AD:19:24:EE
The keystore with the old self-signed certificate does not look very different:
$ keytool -list -keystore jenkins.jks.old
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

jenkins_domain_tld, Jan 11, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): A6:4E:F6:E8:56:D1:30:5E:11:63:59:C0:AA:24:B2:4F
I tried using JENKINS_ARGS="--httpsCertificate=/var/lib/jenkins/jenkins.crt.pem --httpsPrivateKey=/var/lib/jenkins/jenkins.key.pem" directly, but then Jenkins does not start at all:
Jan 25, 2014 5:22:47 PM winstone.Logger logInternal
SEVERE: Container startup failed
java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
    at winstone.Launcher.spawnListener(Launcher.java:209)
    at winstone.Launcher.<init>(Launcher.java:149)
    at winstone.Launcher.main(Launcher.java:354)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:622)
    at Main._main(Main.java:293)
    at Main.main(Main.java:98)
Caused by: java.io.IOException: DerValue.getBigInteger, not an int 48
    at sun.security.util.DerValue.getBigInteger(DerValue.java:508)
    at winstone.HttpsConnectorFactory.readPEMRSAPrivateKey(HttpsConnectorFactory.java:171)
    at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:90)
    at winstone.Launcher.spawnListener(Launcher.java:207)
    ... 8 more
After installing the intermediate certificates:
$ keytool -list -keystore jenkins.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

sub.class1.server.ca, Jan 25, 2014, trustedCertEntry,
Certificate fingerprint (MD5): 30:B0:5A:F7:B2:F4:BE:0C:28:67:15:EA:CC:5B:24:20
ca, Jan 25, 2014, trustedCertEntry,
Certificate fingerprint (MD5): 22:4D:8F:8A:FC:F7:35:C2:BB:57:34:90:7B:8B:22:16
jenkins_domain_tld, Jan 25, 2014, trustedCertEntry,
Certificate fingerprint (MD5): 3D:6A:AB:83:0B:E8:21:DF:C3:17:E9:88:AD:19:24:EE
Java version:
java version "1.7.0_51"
OpenJDK Runtime Environment (IcedTea 2.4.4) (ArchLinux build 7.u51_2.4.4-1-x86_64)
OpenJDK 64-Bit Server VM (build 24.45-b08, mixed mode)
This did not seem to change anything.
As far as I can tell, setting JENKINS_DEBUG_LEVEL="99" does not produce any relevant log lines.
I believe the old CSR was generated with 2048 bits while the new one was generated with 4096 – could that be a possible cause?
Both public keys are 2048-bit RSA.
According to diff -u <(openssl x509 -in jenkins.crt.pem.old -text) <(openssl x509 -in jenkins.crt.pem -text), the old certificate uses sha256WithRSAEncryption and the new one sha1WithRSAEncryption as its signature algorithm.
Does the alias matter? Does Jenkins not support keys longer than 2048 bits? Is Jenkins / OpenJDK / Amazon Linux unable to use certain keys?
What else should I check?
I believe you will need a PrivateKeyEntry.
You may have generated the CSR with OpenSSL rather than with keytool.
You could try:
openssl pkcs12 -inkey /var/lib/jenkins/jenkins.key.pem -in /var/lib/jenkins/jenkins.crt.pem -export -out keys.pkcs12
keytool -importkeystore -srckeystore keys.pkcs12 -srcstoretype pkcs12 -destkeystore jenkins.jks
See the following for reference:
https://stackoverflow.com/questions/6252045/creating-a-keystore-from-private-key-and-a-public-key
If you look at the old keystore, is the entry "Private" or "Trusted"?
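As an added example that is not part of the question or the answer above, the following shell helpers put the answer's diagnosis into checkable form: a keystore whose listing shows only trustedCertEntry lines holds no private key and cannot serve HTTPS, so the checks look for a PrivateKeyEntry, and build_jks performs the PKCS#12 round trip from the answer (with an optional intermediate chain) and verifies the result. The pem_key_format check relates to the --httpsPrivateKey failure quoted in the question: "not an int 48" is what a parser expecting a PKCS#1 RSAPrivateKey (a sequence of INTEGERs) reports when it meets a PKCS#8 PrivateKeyInfo, whose second element is a SEQUENCE (DER tag 0x30 = 48). The sample listings are constructed from the keytool output in the question; the function names, the `jenkins` alias and the assumption that `openssl` and the JDK's `keytool` are on PATH when build_jks runs are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Helpers for diagnosing and building a Jenkins JKS from an OpenSSL-generated
# key and certificate. build_jks assumes `openssl` and the JDK's `keytool` are
# on PATH; the listing and PEM header checks work on plain text and need neither.

# Sample `keytool -list` output, constructed from the listings in the question.
NEW_LISTING='Your keystore contains 1 entry

jenkins_domain_tld, Jan 25, 2014, trustedCertEntry,
Certificate fingerprint (MD5): 3D:6A:AB:83:0B:E8:21:DF:C3:17:E9:88:AD:19:24:EE'

OLD_LISTING='Your keystore contains 1 entry

jenkins_domain_tld, Jan 11, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): A6:4E:F6:E8:56:D1:30:5E:11:63:59:C0:AA:24:B2:4F'

# Exit 0 if the listing in $1 contains at least one PrivateKeyEntry.
# A keystore with only trustedCertEntry lines holds no private key, so an
# HTTPS listener has nothing to serve with.
has_private_key_entry() {
    printf '%s\n' "$1" | grep -q 'PrivateKeyEntry'
}

# Prints "private=<n> trusted=<n>" for the listing in $1.
entry_summary() {
    priv=$(printf '%s\n' "$1" | grep -c 'PrivateKeyEntry' || :)
    trusted=$(printf '%s\n' "$1" | grep -c 'trustedCertEntry' || :)
    printf 'private=%s trusted=%s\n' "$priv" "$trusted"
}

# Classifies the PEM key text in $1 by its header: pkcs1, pkcs8, encrypted or unknown.
# Winstone's readPEMRSAPrivateKey expects the PKCS#1 "RSA PRIVATE KEY" form; a
# PKCS#8 "PRIVATE KEY" file yields the "not an int 48" error from the question
# (48 = 0x30, the DER SEQUENCE tag that follows the PKCS#8 version integer).
# Convert with: openssl rsa -in key.pem -out key.pkcs1.pem (add -traditional on OpenSSL 3.x).
pem_key_format() {
    if printf '%s\n' "$1" | grep -q 'Proc-Type: 4,ENCRYPTED'; then
        echo encrypted
        return 0
    fi
    case "$(printf '%s\n' "$1" | grep -- '-----BEGIN' | head -n 1)" in
        *'BEGIN RSA PRIVATE KEY'*)       echo pkcs1 ;;
        *'BEGIN ENCRYPTED PRIVATE KEY'*) echo encrypted ;;
        *'BEGIN PRIVATE KEY'*)           echo pkcs8 ;;
        *)                               echo unknown ;;
    esac
}

# build_jks KEY.pem CERT.pem OUT.jks PASSWORD [CHAIN.pem]
# Bundles key + certificate (+ intermediate chain) into PKCS#12, imports it into
# a JKS so the result is a PrivateKeyEntry, then verifies the listing.
build_jks() {
    key=$1; cert=$2; out=$3; pass=$4; chain=${5:-}
    if [ "$(pem_key_format "$(cat "$key")")" = encrypted ]; then
        echo "build_jks: $key is encrypted; decrypt it first" >&2
        return 1
    fi
    p12=$(mktemp) || return 1
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -name jenkins -out "$p12" -passout "pass:$pass" || return 1
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -name jenkins -out "$p12" -passout "pass:$pass" || return 1
    fi
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype pkcs12 -srcstorepass "$pass" \
        -destkeystore "$out" -deststorepass "$pass" || { rm -f "$p12"; return 1; }
    rm -f "$p12"
    has_private_key_entry "$(keytool -list -keystore "$out" -storepass "$pass")"
}

# Stand-alone use: ./jks-check.sh key.pem cert.pem jenkins.jks changeit [chain.pem]
# Without arguments it only summarises the sample listings.
if [ "$#" -ge 4 ]; then
    build_jks "$@" && echo "$3: PrivateKeyEntry present"
else
    echo "new keystore: $(entry_summary "$NEW_LISTING")"
    echo "old keystore: $(entry_summary "$OLD_LISTING")"
fi
```

Run against the two listings from the question, entry_summary reports private=0 trusted=1 for the new keystore and private=1 trusted=0 for the old one, which is exactly the difference the answer points at. Running build_jks with the intermediate chain as the fifth argument keeps the chain inside the same PrivateKeyEntry, so the server can present it to clients; separate trustedCertEntry imports of the intermediates, as in the question, do not achieve that.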