CloudBees Flow Self-Signed Server Certificate Fails Security Scan

Description

You might need to replace the self-signed CloudBees Flow server certificate if it fails a security scan. The findings scanners typically raise against the default certificate are a weak signature algorithm (MD5 or SHA-1), a short RSA key, and a subject name (CN=localhost) that does not match the hostname clients connect to. Regenerating the self-signed certificate fixes those findings; a self-signed certificate will still be reported as untrusted unless clients import it or you switch to a CA-issued certificate.

If you are using a certificate authority (CA) certificate or an intermediate CA certificate instead and it has expired, see CA Server Certificate Expires for details about updating it.

There are three relevant configuration entries in the server/conf/commander.properties file:

COMMANDER_HTTPS_PORT=8443
COMMANDER_KEYSTORE=file:conf/keystore
COMMANDER_KEYSTORE_PASSWORD=abcdef

Where:

  • COMMANDER_HTTPS_PORT configures the HTTPS (TLS) listener port

  • COMMANDER_KEYSTORE is the location of the Java keystore where the CloudBees Flow HTTP server finds its host certificate and private key

  • COMMANDER_KEYSTORE_PASSWORD is the password to the keystore (the private key must use the same password, because no separate key password is configured)

Workaround

Follow these steps to generate a new self-signed certificate valid for one year and install it in the keystore. The keystore password (abcdef) and alias (jetty) below are the values from the configuration above; substitute your own.

  1. Back up the keystore file.

  2. Delete the original key. The -delete command only needs the keystore password, which keytool prompts for.

    user@USER /cygdrive/c/ProgramData/ElectricCloud/ElectricCommander/conf
    $ "c:/Program Files/ElectricCloud/ElectricCommander/jre/bin/keytool" -delete -alias jetty -keystore keystore
    Enter keystore password: abcdef
  3. Generate and inject a new certificate. Request a 2048-bit RSA key and a SHA-256 signature explicitly: a certificate signed with MD5withRSA or SHA1withRSA, or carrying the 1024-bit key that older JDK keytools generate by default, is exactly what scanners flag, so it would fail the same scan again. Answer the first prompt with the server's DNS name as clients connect to it (flow.example.com below is a placeholder); localhost produces a hostname-mismatch finding.

    user@USER /cygdrive/c/ProgramData/ElectricCloud/ElectricCommander/conf
    $ "c:/Program Files/ElectricCloud/ElectricCommander/jre/bin/keytool" -keystore keystore -alias jetty -genkey -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365
    Enter keystore password: abcdef
    What is your first and last name?
      [Unknown]:  flow.example.com
    What is the name of your organizational unit?
      [Unknown]: <Enter>
    What is the name of your organization?
      [Unknown]: <Enter>
    What is the name of your City or Locality?
      [Unknown]: <Enter>
    What is the name of your State or Province?
      [Unknown]: <Enter>
    What is the two-letter country code for this unit?
      [Unknown]: <Enter>
    Is CN=flow.example.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
      [no]:  yes
    Enter key password for <jetty>
      (RETURN if same as keystore password): <Enter>

  4. Restart the CloudBees Flow server so that the HTTP server loads the new key.

    Before restarting, list the keystore and confirm that the signature algorithm is SHA256withRSA and the owner is your hostname. Your new certificate will look similar to this (serial number, dates and fingerprints will differ):

    user@USER /cygdrive/c/ProgramData/ElectricCloud/ElectricCommander/conf
    $ "c:/Program Files/ElectricCloud/ElectricCommander/jre/bin/keytool" -list -v -keystore keystore
    Enter keystore password: abcdef
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    Alias name: jetty
    Creation date: Jan 31, 2012
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=flow.example.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Issuer: CN=flow.example.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Serial number: 4f28603f
    Valid from: Tue Jan 31 13:42:23 PST 2012 until: Wed Jan 30 13:42:23 PST 2013
    Certificate fingerprints:
    MD5:  38:50:CD:29:8C:16:3A:78:29:0F:45:56:E0:CA:42:D9
    SHA1: 9B:A3:E4:EA:A7:C0:3A:ED:BF:63:24:18:F0:08:78:22:59:85:BC:8A
    Signature algorithm name: SHA256withRSA
    Version: 3
    *******************************************
    *******************************************
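The procedure above, scripted, as an added example that is not CloudBees' own code. regen_cert backs up the keystore, removes the old alias and generates a replacement with the parameters scanners expect (2048-bit RSA, SHA-256 signature, CN and SAN set to the real hostname). check_listing reads `keytool -list -v` output and reports the findings a scanner would raise, so you can verify the keystore before restarting the server. It assumes keytool is on PATH (on a CloudBees Flow host use the bundled jre/bin/keytool shown on this page); the alias, password and hostname are placeholders matching the examples above, and the three listings at the bottom are constructed samples, not output from a real host.

```shell
#!/bin/sh
# Added example, not CloudBees' code. Assumes keytool is on PATH; alias "jetty"
# and password "abcdef" are the placeholder values from commander.properties.

# regen_cert KEYSTORE ALIAS STOREPASS HOSTNAME
# Backs up the keystore, deletes the old alias, then generates a 2048-bit RSA
# key signed with SHA-256, valid one year, CN and SAN set to HOSTNAME. The key
# password equals the keystore password because Flow configures only one.
# The -ext option needs a JDK 7 or newer keytool; drop it on older JREs.
regen_cert() {
    ks=$1; alias=$2; pass=$3; host=$4
    cp "$ks" "$ks.bak.$(date +%Y%m%d%H%M%S)" || return 1
    keytool -delete -alias "$alias" -keystore "$ks" -storepass "$pass" >/dev/null 2>&1
    keytool -genkeypair -keystore "$ks" -alias "$alias" \
        -storepass "$pass" -keypass "$pass" \
        -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 \
        -dname "CN=$host, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown" \
        -ext "SAN=dns:$host"
}

# check_listing < LISTING
# Reads "keytool -list -v" output from stdin and prints one line per finding:
# MD2/MD5/SHA-1 signature, RSA key shorter than 2048 bits (the key-size line
# only appears in newer keytool output), or CN=localhost. Returns 1 if any
# finding was printed, 0 if the listing is clean.
check_listing() {
    listing=$(cat)
    rc=0
    sig=$(printf '%s\n' "$listing" | sed -n 's/^ *Signature algorithm name: *//p' | head -n 1)
    case "$sig" in
        MD2with*|MD5with*|SHA1with*) echo "weak signature algorithm: $sig"; rc=1 ;;
        '') echo "no signature algorithm line found"; rc=1 ;;
    esac
    bits=$(printf '%s\n' "$listing" | sed -n 's/^ *Subject Public Key Algorithm: *\([0-9][0-9]*\)-bit.*/\1/p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "RSA key too short: $bits bits"; rc=1
    fi
    if printf '%s\n' "$listing" | grep -Eq '^ *Owner: *CN=localhost(,|$)'; then
        echo "CN is localhost; clients will see a hostname mismatch"; rc=1
    fi
    return $rc
}

# Constructed sample listings (abbreviated keytool -list -v output).
# WEAK_LISTING mirrors what the original MD5withRSA/localhost procedure produces.
WEAK_LISTING='Alias name: jetty
Entry type: PrivateKeyEntry
Owner: CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Signature algorithm name: MD5withRSA
Version: 3'

# Good signature, but a 1024-bit key (old keytool default when -keysize is omitted).
SHORT_KEY_LISTING='Alias name: jetty
Entry type: PrivateKeyEntry
Owner: CN=flow.example.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=flow.example.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Subject Public Key Algorithm: 1024-bit RSA key
Signature algorithm name: SHA256withRSA
Version: 3'

# What regen_cert produces: nothing for check_listing to report.
GOOD_LISTING='Alias name: jetty
Entry type: PrivateKeyEntry
Owner: CN=flow.example.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=flow.example.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Subject Public Key Algorithm: 2048-bit RSA key
Signature algorithm name: SHA256withRSA
Version: 3'

# Usage on a real host (commented out so the sample runs without keytool):
# regen_cert /path/to/conf/keystore jetty abcdef flow.example.com
# keytool -list -v -keystore /path/to/conf/keystore -storepass abcdef | check_listing
printf '%s\n' "$WEAK_LISTING" | check_listing
```

Run against the weak listing, check_listing prints the MD5 and localhost findings and exits 1; against the short-key listing it reports the 1024-bit key; the good listing passes silently. Pipe the real `keytool -list -v` output through it after step 3 and only restart the server when it returns 0.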
Copyright © 2010-2020 CloudBees, Inc. Online version published by CloudBees, Inc. under the Creative Commons Attribution-ShareAlike 4.0 license.