CloudBees CD/RO self-signed server certificate fails security scan


Description

The CloudBees CD/RO server ships with a self-signed certificate. If a vulnerability scan flags it (typically for a weak signature algorithm such as MD5withRSA, an expired validity period, or a subject name that does not match the host name clients connect to), replace it with a freshly generated certificate as described below.

If you are instead using a certificate issued by a certificate authority (CA) or an intermediate CA and it has expired, see CA Server Certificate Expires for details about updating it.

There are three relevant configuration entries in the server/conf/commander.properties file:

    COMMANDER_HTTPS_PORT=8443
    COMMANDER_KEYSTORE=file:conf/keystore
    COMMANDER_KEYSTORE_PASSWORD=abcdef

Where:

  • COMMANDER_HTTPS_PORT is the port on which the server listens for HTTPS (TLS) connections

  • COMMANDER_KEYSTORE is the location of the Java keystore in which the CloudBees CD/RO HTTP server finds its private key and host certificate; the entry is stored under the alias jetty

  • COMMANDER_KEYSTORE_PASSWORD is the keystore password. There is no separate setting for the key password, so the jetty key entry must use the same password as the keystore.

Workaround

Follow these steps to generate a new self-signed certificate, valid for one year, and install it in the server keystore.

  1. Back up the keystore file.

  2. Delete the original key.

    user@USER /cygdrive/c/ProgramData/cloudbees/sda/conf
    $ "c:/Program Files/cloudbees/sda/jre/bin/keytool" -delete -alias jetty -keystore keystore
    Enter keystore password: abcdef

  3. Generate and inject a new certificate.

    user@USER /cygdrive/c/ProgramData/cloudbees/sda/conf
    $ "c:/Program Files/cloudbees/sda/jre/bin/keytool" -keystore keystore -alias jetty -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365
    Enter keystore password: abcdef
    What is your first and last name?
      [Unknown]:  localhost
    What is the name of your organizational unit?
      [Unknown]:  <Enter>
    What is the name of your organization?
      [Unknown]:  <Enter>
    What is the name of your City or Locality?
      [Unknown]:  <Enter>
    What is the name of your State or Province?
      [Unknown]:  <Enter>
    What is the two-letter country code for this unit?
      [Unknown]:  <Enter>
    Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
      [no]:  yes
    Enter key password for <jetty>
        (RETURN if same as keystore password):  <Enter>

    Use -sigalg SHA256withRSA and -keysize 2048 (or larger). An earlier version of this procedure specified -sigalg MD5withRSA; MD5 signatures are exactly what a security scan and current TLS clients reject, so a certificate generated that way fails the same scan again. Answer the first prompt with the DNS name users put in the server URL rather than localhost, and add -ext SAN=dns:<that name> to the command, otherwise the scan and modern browsers report a hostname mismatch. Press RETURN at the key-password prompt: the server only knows COMMANDER_KEYSTORE_PASSWORD, so the key password must equal the keystore password.

  4. Restart the server.

    Your new certificate will look similar to this. Before restarting, confirm that the Signature algorithm name line shows SHA256withRSA and that the Valid from/until range covers the coming year; the listing below is the page's original example from the MD5withRSA version of the procedure, so those lines will differ:

    user@USER /cygdrive/c/ProgramData/cloudbees/sda/conf
    $ "c:/Program Files/cloudbees/sda/jre/bin/keytool" -list -v -keystore keystore
    Enter keystore password: abcdef

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: jetty
    Creation date: Jan 31, 2012
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Issuer: CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Serial number: 4f28603f
    Valid from: Tue Jan 31 13:42:23 PST 2012 until: Wed Jan 30 13:42:23 PST 2013
    Certificate fingerprints:
             MD5:  38:50:CD:29:8C:16:3A:78:29:0F:45:56:E0:CA:42:D9
             SHA1: 9B:A3:E4:EA:A7:C0:3A:ED:BF:63:24:18:F0:08:78:22:59:85:BC:8A
             Signature algorithm name: MD5withRSA
             Version: 3


    *******************************************
    *******************************************

A regenerated self-signed certificate clears findings about weak signature algorithms, short keys and expiry, but most scanners still report a self-signed or untrusted issuer. If that finding must be cleared as well, install a certificate issued by a CA instead of regenerating the self-signed one.
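The procedure above, scripted for Cygwin bash (the shell the transcripts are typed into), as an added example that is not part of the CloudBees documentation. It backs up the keystore, deletes the jetty entry, generates a 2048-bit RSA key with a SHA256withRSA self-signed certificate that carries a SubjectAlternativeName, and then runs check_listing over the keytool -list -v output so the server is only restarted if the new certificate would not be flagged again. The install paths and the password abcdef are the page's examples; the host name cdro.example.com, the environment variable names and the function names check_listing and replace_cert are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not CloudBees code): run steps 1-3 of the procedure above
# non-interactively, then inspect the result before the server is restarted.
# The install paths and the password "abcdef" are the page's examples; the
# host name cdro.example.com and the variable names are assumptions, so
# override them from the environment, then run with the "run" argument.
KEYTOOL="${KEYTOOL:-c:/Program Files/cloudbees/sda/jre/bin/keytool}"
CONF_DIR="${CONF_DIR:-/cygdrive/c/ProgramData/cloudbees/sda/conf}"
STOREPASS="${STOREPASS:-abcdef}"                     # COMMANDER_KEYSTORE_PASSWORD
HOSTNAME_FQDN="${HOSTNAME_FQDN:-cdro.example.com}"   # assumed: the name in users' URLs

# Inspect `keytool -list -v` output for the properties a scanner or browser
# rejects: a weak signature algorithm, an RSA key under 2048 bits, and a
# missing SubjectAlternativeName. Prints one "ok"/"FAIL" line per property
# and returns the number of FAIL lines, so 0 means safe to restart.
check_listing() {
  listing=$1
  findings=0

  sigalg=$(printf '%s\n' "$listing" \
    | sed -n 's/^[[:space:]]*Signature algorithm name:[[:space:]]*//p' | head -n 1)
  case "$sigalg" in
    ""|MD2withRSA|MD5withRSA|SHA1withRSA|SHA1withDSA)
      echo "FAIL signature algorithm: ${sigalg:-not found}"
      findings=$((findings + 1)) ;;
    *)
      echo "ok   signature algorithm: $sigalg" ;;
  esac

  # Newer keytool versions print "Subject Public Key Algorithm: 2048-bit RSA key";
  # older ones (like the 2012 listing above) print nothing, and the size is then not checked.
  keybits=$(printf '%s\n' "$listing" \
    | sed -n 's/^[[:space:]]*Subject Public Key Algorithm:[[:space:]]*\([0-9][0-9]*\)-bit.*/\1/p' | head -n 1)
  if [ -n "$keybits" ] && [ "$keybits" -lt 2048 ]; then
    echo "FAIL key size: $keybits bits"
    findings=$((findings + 1))
  elif [ -n "$keybits" ]; then
    echo "ok   key size: $keybits bits"
  fi

  if printf '%s\n' "$listing" | grep -q 'SubjectAlternativeName'; then
    echo "ok   SubjectAlternativeName present"
  else
    echo "FAIL no SubjectAlternativeName; hostname verification will fail"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Steps 1-3, in a subshell so the cd and set -e do not leak. -keypass equals
# -storepass because commander.properties carries only COMMANDER_KEYSTORE_PASSWORD.
replace_cert() (
  set -e
  cd "$CONF_DIR"
  cp -p keystore "keystore.bak.$(date +%Y%m%d%H%M%S)"
  "$KEYTOOL" -delete -alias jetty -keystore keystore -storepass "$STOREPASS"
  "$KEYTOOL" -genkeypair -alias jetty -keystore keystore \
    -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 \
    -dname "CN=$HOSTNAME_FQDN" -ext "SAN=dns:$HOSTNAME_FQDN"
  listing=$("$KEYTOOL" -list -v -alias jetty -keystore keystore -storepass "$STOREPASS")
  if check_listing "$listing"; then
    echo "keystore updated; restart the CloudBees CD/RO server"
  else
    echo "not restarting: fix the FAIL lines above (the keystore.bak.* copy is intact)" >&2
    exit 1
  fi
)

if [ "${1:-}" = "run" ]; then
  replace_cert
fi
```

Run it as sh replace-cert.sh run, then restart the server (step 4). Passing -storepass on the command line exposes the password to other local users through the process list; on a shared host drop those flags and let keytool prompt as in the transcripts above. check_listing can also be pointed at a saved listing on its own, and it accepts the older output format shown above, which has no key-size line and therefore skips that check.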