Deploying SSL on a build server
For various reasons, I’ve decided to run my own build server. Getting Jenkins running on a Digital Ocean droplet is relatively quick and easy, but the default installation is not very secure. Anyone can do anything in Jenkins and everything is served over plain text. The first problem is easy to fix, but I had my doubts about the second.
Turns out? Not so bad.
I’ve been following Let’s Encrypt for a while but have not had any need to use them. This project gave me a chance to give it a spin. My droplet’s OS didn’t seem to have a package for it, but getting the utility just required cloning a git repository. With that downloaded, I had my first certificate created in just a few minutes. I took their advice and created a certificate using their test server, which caused the security notice to appear in Chrome. This was expected, but while inspecting the security settings, I noticed that I was using outdated cipher suites.
I decided to use Nginx to handle the SSL termination because it seemed easier than trying to get Jenkins to do it. I also figured it would be a decent way to introduce myself to it. I followed a basic guide on how to set up Nginx to reverse proxy to Jenkins. It worked, in that I was able to access Jenkins through the proxy, but the security settings led to the warning about outdated cipher suites.
Then I stumbled upon an article discussing cipher suites, and it had a link to an SSL configuration generator run by Mozilla. Using the values suggested by this tool helped fix the warning, and after I regenerated by certificate using the real Let’s Encrypt server, Chrome reports no issues with the secure connection.
Jenkins was still available through other non-secure ports, but a quick application of the UncomplicatedFirewall shut that down. Now I’ve got a working and reasonably secure build server, all within a few hours.
Now I just need to fix the broken builds ;)