diff --git a/Mettre-%C3%A0-jour-les-certificats-du-keystore-Jenkins.md b/Mettre-%C3%A0-jour-les-certificats-du-keystore-Jenkins.md new file mode 100644 index 0000000..5b371be --- /dev/null +++ b/Mettre-%C3%A0-jour-les-certificats-du-keystore-Jenkins.md 
@@ -0,0 +1,61 @@ +## Mettre à jour les certificats du keystore Jenkins + +Dans un pipeline, si des erreurs de ce type apparaissent: + +``` +Attempting to resolve master from remote references... + > git --version # timeout=10 + > git --version # 'git version 2.18.4' +using GIT_ASKPASS to set credentials Identifiants Jenkins Forge + > git ls-remote -h -- https://forge.cadoles.com/Cadoles/Jenkins.git # timeout=10 +ERROR: Checkout failed +hudson.plugins.git.GitException: Command "git ls-remote -h -- https://forge.cadoles.com/Cadoles/Jenkins.git" returned status code 128: +stdout: +stderr: fatal: unable to access 'https://forge.cadoles.com/Cadoles/Jenkins.git/': SSL certificate problem: certificate has expired + + at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:2450) + at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:2051) + at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:1951) +[...] +``` + +Il est fort probable que le keystore java n'ait pas le certificat de la forge à jour (ce qui est probable avec LetsEncrypt). + +Dans ce cas: + +1. Se connecter sur la machine Jenkins en SSH avec le compte `root` +2. Si le script `/root/install-java-cert.sh` n'existe pas encore, le créer avec le contenu suivant: + + ``` + #!/bin/sh + + set -xe + + DOMAIN=$1 + JENKINS_HOME=/var/lib/jenkins + JAVA_HOME=/usr/lib/jvm/default-jvm + + if [ -z "$DOMAIN" ]; then + echo "You must specify the domain as first argument" + exit 1 + fi + + # Import certificate + openssl s_client -showcerts -connect "$DOMAIN" < /dev/null 2> /dev/null | openssl x509 -outform PEM > ~/root_ca.pem + + # Duplicate Java Keystore file and move into Jenkins... 
+ mkdir -p $JENKINS_HOME/keystore/ + cp $JAVA_HOME/jre/lib/security/cacerts $JENKINS_HOME/keystore/ + + # Add Certificate to Keystore + keytool -import -alias $DOMAIN -keystore $JENKINS_HOME/keystore/cacerts -file ~/root_ca.pem + + # Add -Djavax.net.ssl.trustStore=$JENKINS_HOME/keystore/cacerts to the + # Jenkins startup parameters. For Debian/Ubuntu, this is /etc/default/jenkins + mkdir -p /etc/default + echo 'JAVA_ARGS="$JAVA_ARGS -Djavax.net.ssl.trustStore=$JENKINS_HOME/keystore/cacerts"' >> /etc/default/jenkins + + rc-service jenkins restart + ``` + +3. Lancer le script `/root/install-java-cert.sh forge.cadoles.com:443`. Le mot de passe par défaut du keystore est `changeit`. \ No newline at end of file
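Review bot: the procedure points at the wrong trust store for the error it is meant to fix. The trace originates in `CliGitAPIImpl.launchCommandIn`, i.e. the Git plugin shelling out to the `git` binary, and the stderr line `fatal: unable to access '...': SSL certificate problem: certificate has expired` is the git/curl message; the `git` CLI validates TLS against the operating system's CA bundle (or `http.sslCAInfo`), never against the JVM's `cacerts`, so adding `-Djavax.net.ssl.trustStore` to the Jenkins JVM cannot make this checkout succeed. The page should instead tell the reader to refresh the system CA bundle on the machine that runs `git` (the `ca-certificates` package, then `update-ca-certificates` or `update-ca-trust`), and keep the keystore steps only for HTTPS clients inside the JVM (plugins, HTTP calls from pipelines). Inside the script itself: `openssl s_client -showcerts ... | openssl x509 -outform PEM > ~/root_ca.pem` keeps only the first certificate of the chain, which is the server's leaf certificate and not a root CA despite the file name; with Let's Encrypt that leaf is valid for 90 days, so the import would have to be repeated at every renewal, whereas importing the issuing CA or root (the last certificate printed by `-showcerts`) would last. The script is also not idempotent: `echo '... -Djavax.net.ssl.trustStore=...' >> /etc/default/jenkins` appends a duplicate line on every run, and `keytool -import -alias $DOMAIN` stops under `set -e` with "alias already exists" on a second run (suggest `-noprompt -storepass changeit` and a `keytool -list -alias` guard, or `-importcert` with a fresh alias). Finally the distro assumptions are mixed: `$JAVA_HOME/jre/lib/security/cacerts` exists only on Java 8 (Java 11+ ships it at `$JAVA_HOME/lib/security/cacerts`), `/etc/default/jenkins` is the Debian/Ubuntu init file, but `rc-service jenkins restart` and `/usr/lib/jvm/default-jvm` are Alpine/OpenRC conventions, so on either system either the restart or the new JVM arguments will not take effect; the comment on that line should state which platform the script is written for.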