parent
20c66fdfee
commit
8857afae0b
|
|
@ -0,0 +1,61 @@
|
|||
## Mettre à jour les certificats du keystore Jenkins
|
||||
|
||||
Dans un pipeline, si des erreurs de ce type apparaissent:
|
||||
|
||||
```
|
||||
Attempting to resolve master from remote references...
|
||||
> git --version # timeout=10
|
||||
> git --version # 'git version 2.18.4'
|
||||
using GIT_ASKPASS to set credentials Identifiants Jenkins Forge
|
||||
> git ls-remote -h -- https://forge.cadoles.com/Cadoles/Jenkins.git # timeout=10
|
||||
ERROR: Checkout failed
|
||||
hudson.plugins.git.GitException: Command "git ls-remote -h -- https://forge.cadoles.com/Cadoles/Jenkins.git" returned status code 128:
|
||||
stdout:
|
||||
stderr: fatal: unable to access 'https://forge.cadoles.com/Cadoles/Jenkins.git/': SSL certificate problem: certificate has expired
|
||||
|
||||
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:2450)
|
||||
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:2051)
|
||||
at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandWithCredentials(CliGitAPIImpl.java:1951)
|
||||
[...]
|
||||
```
|
||||
|
||||
Il est fort probable que le keystore java n'ait pas le certificat de la forge à jour (ce qui est probable avec LetsEncrypt).
|
||||
|
||||
Dans ce cas:
|
||||
|
||||
1. Se connecter sur la machine Jenkins en SSH avec le compte `root`
|
||||
2. Si le script `/root/install-java-cert.sh` n'existe pas encore, le créer avec le contenu suivant:
|
||||
|
||||
```
|
||||
#!/bin/sh
|
||||
|
||||
set -xe
|
||||
|
||||
DOMAIN=$1
|
||||
JENKINS_HOME=/var/lib/jenkins
|
||||
JAVA_HOME=/usr/lib/jvm/default-jvm
|
||||
|
||||
if [ -z "$DOMAIN" ]; then
|
||||
echo "You must specify the domain as first argument"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Import certificate
|
||||
openssl s_client -showcerts -connect "$DOMAIN" < /dev/null 2> /dev/null | openssl x509 -outform PEM > ~/root_ca.pem
|
||||
|
||||
# Duplicate Java Keystore file and move into Jenkins...
|
||||
mkdir -p $JENKINS_HOME/keystore/
|
||||
cp $JAVA_HOME/jre/lib/security/cacerts $JENKINS_HOME/keystore/
|
||||
|
||||
# Add Certificate to Keystore
|
||||
keytool -import -alias $DOMAIN -keystore $JENKINS_HOME/keystore/cacerts -file ~/root_ca.pem
|
||||
|
||||
# Add -Djavax.net.ssl.trustStore=$JENKINS_HOME/keystore/cacerts to the
|
||||
# Jenkins startup parameters. For Debian/Ubuntu, this is /etc/default/jenkins
|
||||
mkdir -p /etc/default
|
||||
echo 'JAVA_ARGS="$JAVA_ARGS -Djavax.net.ssl.trustStore=$JENKINS_HOME/keystore/cacerts"' >> /etc/default/jenkins
|
||||
|
||||
rc-service jenkins restart
|
||||
```
|
||||
|
||||
3. Lancer le script `/root/install-java-cert.sh forge.cadoles.com:443`. Le mot de passe par défaut du keystore est `changeit`.
|
||||
Loading…
Reference in New Issue