
I have a Jenkins instance from which I need to call other services/endpoints which reside behind a load balancer. This load balancer requires and does SSL client certificate validation.

Is it possible to make Jenkins use an SSL client certificate for the calls it makes towards those endpoints residing behind that load balancer? Something like below:

Jenkins call ---present_SSL_client_cert---> LB(verify client cert) ---> endpoint

Thank you in advance!

In a word, yes. You have to make sure you have a client certificate, and that Java knows where it is. The rest happens automatically. – user207421

@EJP assuming I have the client certificate, how do I tell/point Jenkins to use the client certificate? Is it through the Global Configuration page or how? – Pier

1 Answer


To get Jenkins to use a client cert for other endpoints, start Jenkins with:

JAVA_OPTS="-Djavax.net.ssl.keyStorePassword=changeme -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStore=/cert/jenkins.p12"

I used a normal client cert:

openssl req -nodes -newkey rsa:4096 -days 365 -keyout cert/jenkins.key -out cert/jenkins.csr -subj "/C=DE/ST=somewhere/L=inCity/O=someOrg/OU=someBla/CN=jenkins"

signed it:

openssl x509 -req -days 365 -in ../jenkins/cert/jenkins.csr -CA ca/ca.crt -CAkey ca/ca.key -out ../jenkins/cert/jenkins.crt -passin env:CA_KEY

and converted it to PKCS12:

openssl pkcs12 -nodes -export -in cert/jenkins.crt -inkey cert/jenkins.key -out cert/jenkins.p12 -certfile ../nginx/ca/ca.crt -passout pass:changeme

It was important to use a non-empty keyStorePassword, otherwise Jenkins threw an exception: java.security.UnrecoverableKeyException: Get Key failed: null

Furthermore I added the server cert to the Java keystore:

keytool -import -alias server.domain.de -keystore /usr/local/openjdk-8/jre/lib/security/cacerts -file /root/server.crt -noprompt -storepass changeit

I've tested this setup with jenkins:lts docker container and keycloak, both behind an nginx reverse proxy using client cert auth.

Using env variables like JENKINS_HTTPS_KEYSTORE, which one can sometimes see for configuring Jenkins to use https itself, did NOT work for client auth. I did not investigate further, but I assume the OpenId Connect Authentication Plugin which I used did not honor this variable and uses basic Java functionality.
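A preflight script, added here as an example and not part of the answer above, that checks the PKCS12 keystore and the Java truststore for the pitfalls the answer describes (empty keyStorePassword, unreadable or key-less p12, server cert missing from cacerts) and then prints the JAVA_OPTS line to start Jenkins with. The paths, the `changeme`/`changeit` passwords and the `server.domain.de` alias are taken from the answer and are assumptions for your setup.

```shell
#!/bin/sh
# Preflight for the Jenkins client-cert keystore (added example, not the
# answer's own code). Assumes openssl and keytool are on PATH.
set -eu

CACERTS="${CACERTS:-/usr/local/openjdk-8/jre/lib/security/cacerts}"  # assumed JRE path
SERVER_ALIAS="${SERVER_ALIAS:-server.domain.de}"                     # assumed alias

# Java cannot unlock a PKCS12 key entry with an empty password; this is the
# "UnrecoverableKeyException: Get Key failed: null" case from the answer.
check_password_nonempty() {
  [ -n "$1" ]
}

# Compose the JAVA_OPTS string in the form the answer uses to start Jenkins.
build_java_opts() {
  printf 'JAVA_OPTS="-Djavax.net.ssl.keyStorePassword=%s -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStore=%s"' "$1" "$2"
}

# The p12 must open with the given password and contain both the client
# certificate and its private key, or the TLS handshake has nothing to present.
check_p12_contents() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -q 'BEGIN CERTIFICATE' || return 1
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# The load balancer's server certificate has to be trusted by the JVM, which
# the answer does by importing it into cacerts under an alias.
check_truststore_has_alias() {
  keytool -list -keystore "$1" -storepass changeit -alias "$2" >/dev/null 2>&1
}

main() {
  p12="$1"; pass="$2"
  check_password_nonempty "$pass" || { echo "empty keyStorePassword: Java would throw UnrecoverableKeyException" >&2; exit 1; }
  [ -r "$p12" ] || { echo "keystore $p12 is not readable" >&2; exit 1; }
  check_p12_contents "$p12" "$pass" || { echo "cannot open $p12 with that password, or it lacks cert/key" >&2; exit 1; }
  check_truststore_has_alias "$CACERTS" "$SERVER_ALIAS" || echo "warning: alias $SERVER_ALIAS not in $CACERTS; the server cert may be untrusted" >&2
  build_java_opts "$pass" "$p12"; echo
}

# Run the checks only when invoked with <p12-path> <password>.
if [ $# -ge 2 ]; then
  main "$1" "$2"
fi
```

Invoke it as `sh preflight.sh /cert/jenkins.p12 changeme` and paste the printed line into the Jenkins start command.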