Configuring Jenkins with StartSSL - adding the issuer chain


Problem description

I am unable to correctly configure Jenkins to use a StartSSL certificate. I'm running it with command line arguments that specify paths to the private key and my certificate as shown on the Jenkins Wiki (at the bottom: https://wiki.jenkins-ci.org/display/JENKINS/Starting+and+Accessing+Jenkins).

  • I've obtained the private key and the certificate from StartSSL
  • I've placed them in a specific folder
  • I'm running Jenkins as follows: java -jar jenkins.war --httpPort=-1 --httpsPort=8080 --httpsCertificate=<mydomain.crt file> --httpsPrivateKey=<my private key file>

Jenkins starts successfully. Opening https://mydomain:8080/ in Firefox says that the connection is untrusted:

mydomain:8080 uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)

I've tried verifying mydomain:8080 on various SSL checker websites:

OK mydomain resolves to xxx.xxx.xxx.xxx

OK The certificate was issued by StartCom.  

OK The certificate will expire in XXX days. 

OK The hostname (mydomain) is correctly listed in the certificate.

Not OK The certificate is not trusted in all web browsers.
       You may need to install an Intermediate/chain certificate
       to link it to a trusted root certificate.

StartSSL does not have explicit instructions for setting up Jenkins. I've tried following up on similar tutorials for other kinds of servers, and copied the intermediate authority files from StartCom into a unified certificate (ca.pem and sub.class1.server.ca.pem as noted here: http://www.startssl.com/?app=42).

However, this did not change anything.

SSL checkers like www.sslshopper.com/ssl-checker.html still report that the website is untrusted. Also, the GitHub image caching service is not rendering the build status icon from Jenkins for the same reason.

How do I add the issuer chain correctly to my certificate?

Recommended answer

I had a similar problem, and after some research, what got everything to be trusted was:

  1. Merged the intermediate authority certificate and <mydomain.crt file> into 1 unified certificate called merged.cer using the link you mentioned

(Source: https://serverfault.com/questions/569866/jenkins-wont-serve-with-ca-signed-certificate)

    openssl pkcs12 -inkey /location/to/key.pem -in /location/to/merged.cer -export -out keys.pkcs12

    keytool -importkeystore -srckeystore keys.pkcs12 -srcstoretype pkcs12 -destkeystore jenkins.jks

NOTE: the key to use for the merged.cer should be the same as <my private key file>

Then follow the Jenkins Wiki to use the KeyStore instead of the certificate

    java -jar jenkins.war --httpPort=-1 --httpsPort=8080 --httpsKeyStore=/path/to/jenkins.jks --httpsPrivateKey=<my private key file>
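A check that can be run on merged.cer before building the keystore, given here as an added example that is not part of the original answer: it confirms that the server certificate comes first, that each certificate is issued by the one after it, and that the private key matches. The function name check_chain is hypothetical, and the code assumes the openssl command-line tool and an unencrypted PEM private key.

```shell
# Added example (not from the original post). Usage: check_chain BUNDLE KEY
# BUNDLE: PEM file such as merged.cer; KEY: unencrypted PEM private key.
# Checks order and name chaining only; it does not verify signatures or expiry.
check_chain() (
    bundle=$1
    key=$2
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT

    # Split the bundle into one file per certificate: cert.1.pem, cert.2.pem, ...
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (dir "/cert." n ".pem") }
    ' "$bundle"
    [ -f "$tmp/cert.1.pem" ] || { echo "FAIL: no certificate in $bundle" >&2; exit 1; }
    rc=0

    # The first certificate must be the server's own: its public key has to
    # match the private key handed to Jenkins.
    leaf_pub=$(openssl x509 -in "$tmp/cert.1.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ -z "$key_pub" ] || [ "$leaf_pub" != "$key_pub" ]; then
        echo "FAIL: first certificate does not belong to $key" >&2
        rc=1
    fi

    # Each certificate must be issued by the one that follows it.
    i=1
    while [ -f "$tmp/cert.$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$tmp/cert.$i.pem" -noout -issuer_hash)
        next=$(openssl x509 -in "$tmp/cert.$((i + 1)).pem" -noout -subject_hash)
        if [ "$issuer" != "$next" ]; then
            echo "FAIL: certificate $i is not issued by certificate $((i + 1))" >&2
            rc=1
        fi
        i=$((i + 1))
    done

    # A bundle holding only the server certificate is what produces
    # "no issuer chain was provided".
    if [ "$i" -eq 1 ]; then
        echo "FAIL: bundle holds one certificate, intermediate missing" >&2
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $i certificates, leaf first, key matches"
    exit "$rc"
)
```

Once the keystore is built and Jenkins is running, `openssl s_client -connect mydomain:8080 -showcerts` shows whether the intermediate certificate is actually being sent to clients.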
