Official Power Up Hosting Blog

Everything about Linux, Windows, and hosting ;)

Selvakumar
Author

I am an Online Marketer and technology lover. I like to learn new things and share that with people.

Share


Our Newsletter


Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

Tags


Twitter


Official Power Up Hosting Blog

(Simple) Methods to Configure GoCD with SSL Certificates on Ubuntu 16.04

SelvakumarSelvakumar

GoCD is an Open source tool for testing and releasing the software projects.

It takes care from code test to the deployment stage. Everything will be automated and it ensures the continuous delivery of software.

Here are the features of GoCD.

  • It can compare the builds.
  • It can visualize complex workflows.
  • The build version tracking can be automated.

The GoCD is the best tool which saves time.

You should have configured the GoCD on your Server.

Here:

In this article, We will make the GoCD use the Trusted Let's Encrypt SSL certificate to prevent the browsing warnings when accessing the web interface through your browser.

In this article, we are going to look at the two different configurations to use the SSL certificate.

First One is we will configure the Nginx to use the SSL certificate for the encryption.

Here, the Nginx will work as the Reverse Proxy that will forward the connections to the GoCD HTTP point.

This method is the best method for using the Let's Encrypt for SSL certificate.

In the second method, we will use the SSL certificate from Let's Encrypt directly at the GoCD endpoint.

When we do this, the Default SSL certificate used by GoCD will be removed.

GoCD uses the Java Keystore SSL certificate repository. The main problem here is they are not compatible with the Lets Encrypt SSL certificate.

We will solve this issue by using a script which will convert the certificate to the expected format.

This conversion process will be conducted each time when the certificate is renewed.

This method does not require another web server. So, the resources will be saved.

If you have minimal resources, then this method is the best one for you.

Prerequisites

You should have installed the GoCD server on your Ubuntu 16.04 server. If you have not installed, install now.

It requires the minimum of 2GB RAM and 2 GB storage. Also, it requires dedicated partition for the artifact storage.

  • The server has to be configured according to the Ubuntu initial server setup guide.

  • Install and configure GoCD on Ubuntu 16.04

You should have a domain name pointing to your server in order to get the SSL certificate from Let's Encrypt.

Both methods follow the different procedure. Based on the resources available for you, you can choose any of the methods.

Configuring the Nginx as Reverse Proxy for GoCD

In this method, you will be using Nginx as Reverse Proxy for the GoCD. Here, in this method, Nginx will handle the encrypted traffic.

The traffic will be decrypted and sent to the GoCD Back End as usual HTTP traffic.

You have to configure the Nginx with SSL certificate.

  • To install the Latest version of Nginx on your server, refer this article.

  • To Install the SSL certificate on Nginx server, refer this article.

You can easily access the GoCD using https://your_domain:8154. At the same time, you can also see the Nginx page by removing the port number and access the domain alone.

Here, We are going to configure the Nginx to work as a reverse proxy for the GoCD.

Nginx Configuration to Proxy the GoCD HTTP Web Interface

We have done configuring the Nginx to use SSL for the domain.

Now:

We have to make the Nginx proxy the traffic to the GoCD working at the port 8153.

For that, Open the Nginx configuration block where you have configured the web server to use the SSL certificate from Lets Encrypt.

$ sudo nano /etc/nginx/sites-available/default

Find the server block. Above the server block, open a new upstream section.

Name that Section as GoCD for the easy recognization. Inside that block, you have to specify the address which will be accessed by Nginx to communicate the GoCD's HTTP interface.

The block will look like the following.

        /etc/nginx/sites-available/default
upstream gocd {
server 127.0.0.1:8153;
}

server {
. . .

After that, come to the server block.

In that, you have to comment out the try files directive and add the following lines proxy_pass http://gocd; and include proxy_params;

After adding the lines, the server block will look like this.

    /etc/nginx/sites-available/default
. . .
 
server
. . .

location / {
    #try_files $uri $uri/ =404;
    proxy_pass http://gocd;
    include proxy_params;
}

. . .

Once you are done with the above-mentioned changes, save and close the files.

Now:

Check for the Nginx configuration syntax errors using the below command.

$ sudo nginx -t

If you did not get any error, restart the Nginx using the below command.

$ sudo systemctl restart nginx

After that, you can access the GoCD web GUI using your domain name with https://.

At last, you have to update the site URL.

Change the GoCD site URL

After restarting the Nginx, your next task is to make changes in the GoCD URL setting which is used by the GoCD to construct links.

Visit your domain first.

https://mysite.com

In the menu section, you can see the Admin menu, click on it.

From the Dorp down list, open the server configuration menu.

The Server Management section will open. In that, you have to edit the site URL to remove the Port number.

After that, Scroll down to the bottom and click on save to save the changes.

Once you are done with this step, your site will proxy the requests to the site through Nginx to the GoCD.

Configure the GoCD to use the Let's Encrypt SSL Certificate.

In case, if you want to configure the GoCD to use Let's encrypt SSL certificate, then follow the procedures.

The Let's encrypt SSL certificate file format is entirely different from the GoCD Native SSL certificate file format.

We will convert the Let's Encrypt SSL certificate file into the new format using a script.

So that, when each time, the certificate is renewed, it will be automatically converted.

If you want to manage the SSL process from the GoCD itself, you have to download the Let's encrypt SSL certificate without the web server.

For that, you have to install a client and the client will install the certificate for you.

You have to use the Certbot to do this job for you.

Once you have followed all the above tutorials, still the GoCD will be accessible from its own SSL on https://mydomian:8154.

Your Let's encrypt SSL certificate will be at /etc/letsencrypt/live/your_domain directory.

The Certification Conversion Script

The GoCD uses the Java Keystore to manage the SSL certificate.

But:

The Let's Encrypt SSL certificate is entirely a different format.

So, you have to convert the file to the GoCD supporting format.

For that, we will be creating a script. The procedure for the certificate conversion is very hard.

First, Open convert_certs_for_gocd.sh file at /usr/local/bin.

$ sudo nano /usr/local/bin/convert_certs_for_gocd.sh

In that file, you have to paste the below code. In the base_domain, you have to set your GoCD server domain name.

/usr/local/bin/convert_certs_for_gocd.sh
#!/bin/bash

base_domain="example.com"
le_directory="/etc/letsencrypt/live/${base_domain}"
working_dir="$(mktemp -d)"
gocd_pass="serverKeystorepa55w0rd"


clean_up () {
rm -rf "${working_dir}"
}

# Use this to echo to standard error
error () {
printf "%s: %s\n" "$(basename "${BASH_SOURCE}")" "${1}"     >&2
clean_up
exit 1
}

trap 'error "An unexpected error occurred."' ERR

copy_cert_files () {
cp "${le_directory}/fullchain.pem" "${working_dir}"
cp "${le_directory}/privkey.pem" "${working_dir}"
}

convert_to_pkcs12 () {
openssl_pkcs12_args=(
    "pkcs12"
    "-inkey" "${working_dir}/privkey.pem"
    "-in" "${working_dir}/fullchain.pem"
    "-export"
    "-out" "${working_dir}/${base_domain}.crt.pkcs12"
    "-passout" "pass:${gocd_pass}"
)
openssl "${openssl_pkcs12_args[@]}"
}

import_to_keytool () {
keytool_args=(
    "-importkeystore"
    "-srckeystore"     "${working_dir}/${base_domain}.crt.pkcs12"
    "-srcstoretype" "PKCS12"
    "-srcstorepass" "${gocd_pass}"
    "-destkeystore" "${working_dir}/keystore"
    "-srcalias" "1"
    "-destalias" "cruise"
    "-deststorepass" "${gocd_pass}"
    "-destkeypass" "${gocd_pass}"
)
keytool "${keytool_args[@]}"
}

install_new_keystore () {
cp /etc/go/keystore /etc/go/keystore.bak
mv "${working_dir}/keystore" "/etc/go/keystore"
chown go:go /etc/go/keystore
systemctl restart go-server
}

if (( EUID != 0 )); then
error "This script requires root privileges"
fi

copy_cert_files && convert_to_pkcs12 && import_to_keytool && install_new_keystore && clean_up

We are setting up a few variables, in the beginning, to make the script easier to work with.

You have to set the domain for the certificate and set the variable for us to work with the script easily.

Converting the certificate using the script

As we have the script, we have to use that to convert the certificate.

Now:

You have to mark the script as executable to make it executable directly without an interpreter.

$ sudo chmod +x /usr/local/bin/convert_certs_for_gocd.sh

In order to do the initial conversion, you have to call the script using sudo.

After installing the generated key store file, then you have to restart the GoCD process.

$ sudo /usr/local/bin/convert_certs_for_gocd.sh

The GoCD restart process will take some time. After the script is complete running, the server port will take some more time to listen.

You can watch some applications using the port by typing.

$ sudo watch netstat -plnt

You will get the following output when GoCD starts listening to the ports 8153 and 8154.

Output
Every 2.0s: netstat -plnt                                                    
Thu Jul 27 20:16:20 2017

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign 
Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               
LISTEN      1736/sshd
tcp6       0      0 :::22                   :::*                    
LISTEN      1736/sshd
tcp6       0      0 :::8153                 :::*                    
LISTEN      8942/java
tcp6       0      0 :::8154                 :::*                    
LISTEN      8942/java

Now, press the CTRL+C to exit from the display.

Once the application starts listening for connections, we can check the GoCD connection by visiting your GoCD domain port 8154. (You can use https to access the port)

$ https://example.com:8154

When you visited the website for the first time, you should have seen the warning " Your Connection is not Private".

Now:

This time when you access the URL, you won't be having any issues.

The https will appear in green color.

Now, we have converted the certificate successfully. Also, we have to check whether the cert bot is calling the script every-time when the renewal comes.

You have to open a renewal configuration file at the following location /etc/letsencrypt/renewal.

$ sudo nano /etc/letsencrypt/renewal/example.com.conf

Look for the [renewalparams] section of the file. Add the following lines in that section.

       /etc/letsencrypt/renewal/example.com.conf
. . .
[renewalparams]
. . .
renew_hook = /usr/local/bin/convert_certs_for_gocd.sh
Selvakumar
Author

Selvakumar

I am an Online Marketer and technology lover. I like to learn new things and share that with people.

Comments