parent
20c66fdfee
commit
8857afae0b
|
@ -0,0 +1,61 @@
|
||||||
|
## Mettre à jour les certificats du keystore Jenkins
|
||||||
|
|
||||||
|
Dans un pipeline, si des erreurs de ce type apparaissent:
|
||||||
|
|
||||||
|
```
|
||||||
|
Attempting to resolve master from remote references...
|
||||||
|
> git --version # timeout=10
|
||||||
|
> git --version # 'git version 2.18.4'
|
||||||
|
using GIT_ASKPASS to set credentials Identifiants Jenkins Forge
|
||||||
|
> git ls-remote -h -- https://forge.cadoles.com/Cadoles/Jenkins.git # timeout=10
|
||||||
|
ERROR: Checkout failed
|
||||||
|
hudson.plugins.git.GitException: Command "git ls-remote -h -- https://forge.cadoles.com/Cadoles/Jenkins.git" returned status code 128:
|
||||||
|
stdout:
|
||||||
|
stderr: fatal: unable to access 'https://forge.cadoles.com/Cadoles/Jenkins.git/': SSL certificate problem: certificate has expired
|
||||||
|
|
||||||
|
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:2450)
|
||||||
|
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:2051)
|
||||||
|
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:1951)
|
||||||
|
[...]
|
||||||
|
```
|
||||||
|
|
||||||
|
Il est fort probable que le keystore java n'ait pas le certificat de la forge à jour (ce qui est probable avec LetsEncrypt).
|
||||||
|
|
||||||
|
Dans ce cas:
|
||||||
|
|
||||||
|
1. Se connecter sur la machine Jenkins en SSH avec le compte `root`
|
||||||
|
2. Si le script `/root/install-java-cert.sh` n'existe pas encore, le créer avec le contenu suivant:
|
||||||
|
|
||||||
|
```
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
set -xe
|
||||||
|
|
||||||
|
DOMAIN=$1
|
||||||
|
JENKINS_HOME=/var/lib/jenkins
|
||||||
|
JAVA_HOME=/usr/lib/jvm/default-jvm
|
||||||
|
|
||||||
|
if [ -z "$DOMAIN" ]; then
|
||||||
|
echo "You must specify the domain as first argument"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Import certificate
|
||||||
|
openssl s_client -showcerts -connect "$DOMAIN" < /dev/null 2> /dev/null | openssl x509 -outform PEM > ~/root_ca.pem
|
||||||
|
|
||||||
|
# Duplicate Java Keystore file and move into Jenkins...
|
||||||
|
mkdir -p $JENKINS_HOME/keystore/
|
||||||
|
cp $JAVA_HOME/jre/lib/security/cacerts $JENKINS_HOME/keystore/
|
||||||
|
|
||||||
|
# Add Certificate to Keystore
|
||||||
|
keytool -import -alias $DOMAIN -keystore $JENKINS_HOME/keystore/cacerts -file ~/root_ca.pem
|
||||||
|
|
||||||
|
# Add -Djavax.net.ssl.trustStore=$JENKINS_HOME/keystore/cacerts to the
|
||||||
|
# Jenkins startup parameters. For Debian/Ubuntu, this is /etc/default/jenkins
|
||||||
|
mkdir -p /etc/default
|
||||||
|
echo 'JAVA_ARGS="$JAVA_ARGS -Djavax.net.ssl.trustStore=$JENKINS_HOME/keystore/cacerts"' >> /etc/default/jenkins
|
||||||
|
|
||||||
|
rc-service jenkins restart
|
||||||
|
```
|
||||||
|
|
||||||
|
3. Lancer le script `/root/install-java-cert.sh forge.cadoles.com:443`. Le mot de passe par défaut du keystore est `changeit`.
|
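Review bot: In the "Import certificate" step, the output of `openssl s_client -showcerts` goes straight through `openssl x509` into `keytool -import`, so whatever certificate the server presents at that moment ends up in the truststore without any independent verification. In addition, `openssl x509` reads only the first certificate of that output, so `~/root_ca.pem` holds the server's leaf certificate rather than a CA, and the procedure has to be repeated each time that certificate is renewed. I would import the issuing CA certificate obtained from a trusted source instead, or at least have step 3 tell the operator to compare the fingerprint that `keytool` displays at its confirmation prompt with one obtained out of band, not only mention the `changeit` password. Two smaller points: `echo 'JAVA_ARGS=...' >> /etc/default/jenkins` appends a new line on every run, so guard it with a `grep -q` check, and the failing command in the quoted log is the `git` command line, which does not read the Java truststore, so it is worth confirming that this change addresses that error.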