First install certbot (instructions for Ubuntu below):
sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
We are going to use this command to issue the certificate:
sudo certbot -d subdomain.yourdomain.tld --manual --preferred-challenges dns certonly
Right after you run the command, it will give you a token to publish as a DNS TXT record on your domain, something like this:
Please deploy a DNS TXT record under the name
_acme-challenge.subdomain.yourdomain.tld with the following value:
<some_token>
Add the TXT record under the name _acme-challenge.subdomain.yourdomain.tld, then let certbot continue. And boom, you get the certificate in a subfolder of /etc/letsencrypt/live/ (named after the domain). Use the certificate in an nginx server. Note that the certificate (together with its chain) is written with the name fullchain.pem and the private key with the name privkey.pem.
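A common way this step fails is pressing Enter in certbot before the TXT record is actually visible from public resolvers, which wastes a validation attempt. The script below is an added example (not part of the original guide) that polls a public resolver until the record carries the token certbot printed. It assumes dig (from the dnsutils package) is installed and that the resolver 1.1.1.1 is reachable; the hostname and token are the placeholders from the prompt above.

```shell
#!/usr/bin/env bash
# Added example: wait until the ACME challenge TXT record is visible from a
# public resolver before telling certbot to continue.
# Assumptions: `dig` is installed; resolver 1.1.1.1 is reachable (both chosen
# here for illustration, not mandated by certbot).
set -eu

# Normalise `dig +short TXT` output: each line is a quoted string, possibly
# split into several quoted chunks ("abc" "123"); strip the quotes and join.
acme_txt_values() {
  sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Return 0 if the expected token appears as a whole TXT value on stdin.
# grep reads all of its input (no -q) so sed never gets a broken pipe.
acme_txt_matches() {
  expected="$1"
  acme_txt_values | grep -xF -- "$expected" >/dev/null
}

# Poll the resolver until the record shows the token or we time out.
# Usage: wait_for_acme_txt subdomain.yourdomain.tld '<some_token>' [timeout_s] [resolver]
wait_for_acme_txt() {
  name="_acme-challenge.$1"
  token="$2"
  timeout="${3:-300}"
  resolver="${4:-1.1.1.1}"
  deadline=$(( $(date +%s) + timeout ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    if dig +short TXT "$name" @"$resolver" | acme_txt_matches "$token"; then
      echo "TXT record for $name is live; press Enter in certbot now."
      return 0
    fi
    sleep 10
  done
  echo "Timed out waiting for $name to show the expected token" >&2
  return 1
}

# Example invocation (placeholders from the certbot prompt):
# wait_for_acme_txt subdomain.yourdomain.tld '<some_token>'
```

Run it in a second terminal while certbot is waiting at its prompt; only press Enter once it reports the record as live. If your DNS provider has a long TTL, increase the timeout rather than retrying certbot.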
Now let's say you want to set up HTTPS for your Jenkins instance. Let's use nginx as the HTTPS server.
Create a file under /etc/nginx/conf.d with any name, say jenkins.conf.
Add the content below:
The upstream block points at the Jenkins instance running on localhost:8080.
The first server block redirects plain HTTP on port 80 to HTTPS.
The server_name entry is the Host header that nginx will accept for this site.
Finally, the line proxy_pass http://jenkins;
forwards the HTTPS request to the Jenkins instance.
# Jenkins listens on localhost only; nginx terminates TLS in front of it
upstream jenkins {
    server 127.0.0.1:8080 fail_timeout=0;
}

# Plain HTTP: send every request to the HTTPS site
server {
    listen 80;
    server_name subdomain.yourdomain.tld;
    return 301 https://$host$request_uri;
}

# HTTPS site using the certbot-issued certificate
server {
    listen 443 ssl;
    server_name subdomain.yourdomain.tld;
    ssl_certificate /etc/letsencrypt/live/subdomain.yourdomain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/subdomain.yourdomain.tld/privkey.pem;

    location / {
        # Pass the original host, client address and scheme so Jenkins
        # builds correct absolute URLs and logs the real client IP
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Rewrite any http:// Location headers Jenkins sends back to https://
        proxy_redirect http:// https://;
        proxy_pass http://jenkins;
        # Required for new HTTP-based CLI
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_buffering off; # Required for HTTP-based CLI to work over SSL
        # workaround for https://issues.jenkins-ci.org/browse/JENKINS-45651
        add_header 'X-SSH-Endpoint' 'jenkins.domain.tld:50022' always;
    }
}
Check the nginx config: sudo nginx -t
Reload nginx: sudo nginx -s reload
Don't forget to allow both HTTP and HTTPS traffic into your host (for instance by changing the ingress rule on AWS).
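Two things worth verifying once nginx is reloaded: that port 80 really redirects to HTTPS, and how long the served certificate is still valid. The second matters with this setup because a certificate obtained with --manual cannot be renewed by certbot renew unattended unless a --manual-auth-hook is configured, so expiry has to be watched. The script below is an added example, not from the original guide; it assumes curl, openssl and GNU date are installed, and the hostname is the placeholder used above.

```shell
#!/usr/bin/env bash
# Added example: post-deployment checks for the nginx/Jenkins setup.
# Assumptions: curl, openssl and GNU `date -d` are available (example
# tooling choice, not something the guide prescribes).
set -eu

# Extract the Location header from raw HTTP response headers on stdin
# (CRLF line endings tolerated); prints nothing if there is none.
location_header() {
  tr -d '\r' | awk 'tolower($1) == "location:" { print $2; exit }'
}

# Confirm the port-80 server block sends clients to the HTTPS site.
# Usage: check_http_redirect subdomain.yourdomain.tld
check_http_redirect() {
  host="$1"
  loc=$(curl -sI --max-time 10 "http://$host/" | location_header)
  case "$loc" in
    "https://$host/"*) echo "port 80 redirects to $loc"; return 0 ;;
    *) echo "port 80 does not redirect to HTTPS (Location: '${loc:-none}')" >&2; return 1 ;;
  esac
}

# Days until the PEM certificate on stdin expires (negative once expired).
cert_days_left() {
  end_date=$(openssl x509 -noout -enddate | sed 's/^notAfter=//')
  end_ts=$(date -d "$end_date" +%s)
  now_ts=$(date +%s)
  echo $(( (end_ts - now_ts) / 86400 ))
}

# Same check against the certificate nginx actually serves, so a forgotten
# `nginx -s reload` after re-issuing (old cert still loaded) shows up too.
# Usage: served_cert_days_left subdomain.yourdomain.tld
served_cert_days_left() {
  host="$1"
  openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
    | cert_days_left
}

# Example invocations (placeholder hostname from the guide):
# check_http_redirect subdomain.yourdomain.tld
# cert_days_left < /etc/letsencrypt/live/subdomain.yourdomain.tld/fullchain.pem
# served_cert_days_left subdomain.yourdomain.tld
```

Comparing the on-disk value from fullchain.pem with the served value is the quick way to catch the "renewed but never reloaded" case; running served_cert_days_left from cron and alerting below, say, 14 days gives you the renewal reminder that certbot's automatic renewal would otherwise provide.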
References:
Let's Encrypt DNS verification: https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation
Jenkins HTTPS: https://wiki.jenkins.io/display/JENKINS/Jenkins+behind+an+NGinX+reverse+proxy