How To Secure Self-Hosted Bamboo and Crucible with Let’s Encrypt SSL Certificates
Summary
In this blog we explore how to use certificates from Let’s Encrypt to secure self-hosted Bamboo and Crucible.
Process To Follow
- Install Certbot
- Ensure that external DNS resolves to the correct IP address
ping example.yourdomain.com
- Ensure that Port 80 is open from the outside to that IP address so that Let’s Encrypt can validate the domain
- Ensure nothing is listening on Port 80
netstat -pan | grep -E ':80[[:space:]]' | grep LISTEN | wc -l   (expect 0; matching on a bare "80" would also count ports such as 8080)
- Generate the new certificate via Let’s Encrypt
- Create the new Java keystore for use with Bamboo and Crucible
- Copy the new keystore into place and set ownership and permissions
- Restart the services
- Test
Install Certbot
You must first install Python 3 or later.
I like using pip to install certbot, but use whichever method is easiest and most familiar to you:
https://certbot.eff.org/instructions?ws=other&os=pip
Run certbot help to confirm that it has been installed properly.
Generate the Let’s Encrypt Certificate
```shell
shell> sudo -i
shell# touch ~/ssl
shell# chmod 755 ~/ssl
shell# cat >> ~/ssl <<EOF
#!/bin/sh
certbot certonly \
    --standalone \
    --renew-by-default \
    --agree-tos \
    -v \
    --debug \
    --email admin@yourdomain.com \
    -d example.yourdomain.com
EOF
OPEN Port 80 on your firewall now.
shell# ~/ssl
CLOSE Port 80 on your firewall now.
shell# ls -l /etc/letsencrypt/live/example.yourdomain.com/
total 4
lrwxrwxrwx 1 root root 45 Sep 13 12:38 cert.pem -> ../../archive/example.yourdomain.com/cert2.pem
lrwxrwxrwx 1 root root 46 Sep 13 12:38 chain.pem -> ../../archive/example.yourdomain.com/chain2.pem
lrwxrwxrwx 1 root root 50 Sep 13 12:38 fullchain.pem -> ../../archive/example.yourdomain.com/fullchain2.pem
lrwxrwxrwx 1 root root 48 Sep 13 12:38 privkey.pem -> ../../archive/example.yourdomain.com/privkey2.pem
```
Create The New Java Keystore
This step creates two new files: example.p12 and example.jks.
IMPORTANT:
- the name/alias MUST be “tomcat” (no quotes)
- the password MUST be “changeit” (no quotes), unless you modify the config xml settings which is beyond the scope of this blog post.
- when you list out the new example.jks keystore using keytool, ensure that it says PrivateKeyEntry next to the alias tomcat.
- ignore the warning at the end because Apache Tomcat requires the JKS keystore format, not the PKCS12 format – do NOT convert!
```shell
shell> sudo -i
# -certfile chain.pem bundles the Let's Encrypt intermediate so the server sends the full chain, not just the leaf
shell# openssl pkcs12 -export \
    -in /etc/letsencrypt/live/example.yourdomain.com/cert.pem \
    -certfile /etc/letsencrypt/live/example.yourdomain.com/chain.pem \
    -inkey /etc/letsencrypt/live/example.yourdomain.com/privkey.pem \
    -name tomcat -out example.p12 -password pass:changeit
# -deststoretype JKS: newer JDKs default to PKCS12, and the notes above require a JKS keystore
shell# keytool -importkeystore -deststorepass changeit -destkeystore example.jks -deststoretype JKS \
    -srckeystore example.p12 -srcstoretype PKCS12 -srcstorepass changeit
shell# keytool -list -keystore example.jks
Enter keystore password: changeit
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Sep 13, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 02:F7:E8:07:F1:03:EA:97:3F:30:56:73:5F:06:0E:44:9E:FD:16:85:D1:73:E0:3A:46:52:15:47:FF:28:F9:1F

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore bamboo.jks -destkeystore bamboo.jks -deststoretype pkcs12".
```
Copy The Java Keystore Into Place
This step copies the new keystore (example.jks) into place for both Bamboo and Crucible as ~/.keystore for each user. Ownership and permissions must also be set.
```shell
shell> sudo -i
BAMBOO STEPS
shell# cp example.jks ~bamboo/.keystore
shell# chown bamboo ~bamboo/.keystore
# the keystore contains the private key: readable by the service user only
shell# chmod 600 ~bamboo/.keystore
CRUCIBLE STEPS
shell# cp example.jks ~crucible/.keystore
shell# chown crucible ~crucible/.keystore
shell# chmod 600 ~crucible/.keystore
```
Restart Bamboo and Crucible
This step restarts the processes so that they read in the new certificate.
```shell
shell> sudo -i
BAMBOO STEPS
shell# su - bamboo -c ./current/bin/stop-bamboo.sh
shell# su - bamboo -c ./current/bin/start-bamboo.sh
shell# tail -f ~bamboo/current/logs/catalina.out
CRUCIBLE STEPS
shell# su - crucible -c ./current/bin/stop.sh
shell# su - crucible -c ./current/bin/start.sh
shell# tail -f ~crucible/instances/default/var/log/fisheye.out
```
Test Bamboo and Crucible
Use the openssl command to test the new certs; check the certificate chain it prints and the Verify return code at the end of the output:
```shell
BAMBOO STEPS
shell> openssl s_client -state -debug -showcerts -verify 0 -connect bamboo.continuent.com:8443
^C
CRUCIBLE STEPS
shell> openssl s_client -state -debug -showcerts -verify 0 -connect bamboo.continuent.com:6443
^C
```
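Let's Encrypt certificates expire after 90 days, so the keystore built above has to be rebuilt on every renewal. The script below is an added example, not code from the original post: it chains the openssl, keytool, copy and restart steps into one certbot deploy hook (pass it with certbot's --deploy-hook option, which exports RENEWED_LINEAGE to the hook). It assumes Linux (getent), the bamboo and crucible accounts and stop/start scripts used above, and /root/example.jks as a scratch path.

```shell
#!/bin/sh
# Hypothetical certbot deploy hook (added example, not from the original post).
# Rebuilds the Tomcat keystore from a renewed lineage, installs it for the bamboo
# and crucible users and restarts both services. certbot exports RENEWED_LINEAGE
# (e.g. /etc/letsencrypt/live/example.yourdomain.com) to deploy hooks.
set -eu

ALIAS=tomcat        # alias Bamboo/Crucible expect
STOREPASS=changeit  # default Tomcat keystore password

# build_keystore LINEAGE_DIR OUT_JKS: leaf + intermediate chain + key -> JKS
build_keystore() {
    lineage=$1; out=$2; p12="${out%.jks}.p12"
    # -certfile adds chain.pem so the server sends the full chain, not just the leaf
    openssl pkcs12 -export -in "$lineage/cert.pem" -certfile "$lineage/chain.pem" \
        -inkey "$lineage/privkey.pem" -name "$ALIAS" -out "$p12" -password "pass:$STOREPASS"
    rm -f "$out"
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
        -destkeystore "$out" -deststoretype JKS -deststorepass "$STOREPASS"
    rm -f "$p12"  # the PKCS12 copy holds the private key too; do not leave it around
}

# keystore_ok JKS: the alias "tomcat" is present and is a PrivateKeyEntry
keystore_ok() {
    keytool -list -keystore "$1" -storepass "$STOREPASS" 2>/dev/null \
        | grep -q "^$ALIAS,.*PrivateKeyEntry"
}

# install_keystore JKS USER: ~USER/.keystore, owned by USER, readable only by USER
install_keystore() {
    home=$(getent passwd "$2" | cut -d: -f6)   # Linux; assumes the account exists
    cp "$1" "$home/.keystore"
    chown "$2" "$home/.keystore"
    chmod 600 "$home/.keystore"
}

restart_services() {   # same stop/start scripts as in the post
    su - bamboo -c ./current/bin/stop-bamboo.sh
    su - bamboo -c ./current/bin/start-bamboo.sh
    su - crucible -c ./current/bin/stop.sh
    su - crucible -c ./current/bin/start.sh
}
# Only act when certbot invokes us; sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_keystore "$RENEWED_LINEAGE" /root/example.jks
    keystore_ok /root/example.jks
    for u in bamboo crucible; do install_keystore /root/example.jks "$u"; done
    restart_services
fi
```

Sourcing the file without RENEWED_LINEAGE set only defines the functions, so build_keystore and keystore_ok can be exercised against a self-signed test certificate before the hook is wired into certbot.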