Jenkins refuses to serve jks keystore, claiming it's invalid

I’m trying to set up a Jenkins instance inside a Docker container to use Jenkins’ built-in HTTPS. I have a wildcard keystore that I’m attempting to use (we’ve used it before on a Jira instance) that’s in JKS format. Yet always, after the server starts and I try to access it, the browser tells me that the certificate isn’t valid and won’t serve HTTPS. It also claims that the cert is self-signed (it isn’t).

This is what I get in the browser
image

The steps in the Dockerfile are

```dockerfile
# Enable https
EXPOSE 8443
ARG ssl_pass=changeit
COPY keystore /etc/jenkins/
RUN chown -R jenkins: /etc/jenkins \
    && chmod 700 /etc/jenkins \
    && chmod 600 /etc/jenkins/keystore
ENV JENKINS_OPTS="--httpPort=${http_port} --httpsPort=8443 --httpsKeyStore=\"/etc/jenkins/keystore\" --httpsKeyStorePassword=\"${ssl_pass}\""
```

and in my compose file

```yaml
jenkins:
    build:
      context: services/jenkins
    restart: unless-stopped
    volumes:
      - jenkins_home:/var/jenkins_home
      - certs:/certs/client
    ports:
      - "8080:8080"
      - "8443:8443"
      - "3268:3268"
      - "50000:50000"
    environment:
      DOCKER_HOST: tcp://docker:2376
      DOCKER_CERT_PATH: /certs/client
      DOCKER_TLS_VERIFY: 1
```

Hello @WilliamBehrens,

Your configuration looks good to me.
The main difference I see with what I’ve already seen elsewhere is that most of the time, the whole keystore and port configuration is done via docker-compose and not Dockerfile, using the supplied Jenkins LTS docker image, and the http port is disabled.

That would give something like:


```yaml
jenkins:
    build:
      context: services/jenkins
    restart: unless-stopped
    volumes:
      - jenkins_home:/var/jenkins_home
      - certs:/certs/client
    ports:
      - "8443:8443"
      - "3268:3268"
      - "50000:50000"
    environment:
      DOCKER_HOST: tcp://docker:2376
      DOCKER_CERT_PATH: /certs/client
      DOCKER_TLS_VERIFY: 0
      SSL_PASS: changeit
      # Compose substitutes ${SSL_PASS} from the host shell environment or a .env file,
      # not from the SSL_PASS entry above, so it must also be set there.
      JENKINS_OPTS: --httpPort=-1 --httpsPort=8443 --httpsKeyStore=/etc/jenkins/keystore --httpsKeyStorePassword=${SSL_PASS}
```

The image I’m using is a fork of the official one (can’t pull from Docker Hub for various reasons), but I did make the changes you recommended and get the same issue. curl returns this:

```
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```

There are two entries in the keystore: a cert issued by a CA and an SSL keypair.

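A way to inspect the keystore layout described in the last post (a CA-issued certificate and a key pair held as two separate entries), added here as an example that is not part of the original thread. It reads `keytool -list -v` output and reports, per alias, the entry type and whether the leaf certificate's Owner equals its Issuer; the function names, aliases and sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `keytool -list -v` output read on stdin.
# Prints one tab-separated line per alias: alias, entry type, chain length,
# and "self-signed" when the first (leaf) certificate has Owner == Issuer.
summarise_keystore() {
    awk '
    function emit() {
        if (alias != "")
            printf "%s\t%s\t%s\t%s\n", alias, type, chain,
                   (owner == issuer ? "self-signed" : "ca-issued")
    }
    /^Alias name: / { emit(); alias = substr($0, 13); type = ""; chain = "-"; owner = ""; issuer = "" }
    /^Entry type: / { type = substr($0, 13) }
    /^Certificate chain length: / { chain = $NF }
    /^Owner: /  && owner == ""  { owner = substr($0, 8) }
    /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
    END { emit() }
    '
}

# Exit 0 when a PrivateKeyEntry still carries a self-signed leaf certificate.
# Only a PrivateKeyEntry can be presented by a TLS server; a trustedCertEntry
# has no private key behind it.
serves_self_signed() {
    summarise_keystore |
        awk -F '\t' '$2 == "PrivateKeyEntry" && $4 == "self-signed" { found = 1 } END { exit !found }'
}

# Constructed sample in the shape of `keytool -list -v` output (not real data).
sample_listing() {
    cat <<'EOF'
Keystore type: JKS
Your keystore contains 2 entries

Alias name: wildcard
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=*.example.test, O=Example
Issuer: CN=*.example.test, O=Example

Alias name: ca-reply
Entry type: trustedCertEntry
Owner: CN=*.example.test, O=Example
Issuer: CN=Example Issuing CA, O=Example CA
EOF
}

# Real use, with the path and password from the Dockerfile above:
#   keytool -list -v -keystore /etc/jenkins/keystore -storepass changeit | summarise_keystore
sample_listing | summarise_keystore
```

A `self-signed` result on the `PrivateKeyEntry` line means the CA-issued certificate sits in a separate trusted entry rather than having been imported as the certificate reply under the key's own alias, so the server has only the self-signed certificate to present.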