I previously wrote How to Install Jenkins Slave as Windows Service in this blog. It has been one of the most accessed articles on this site. Though the article worked for people who visited here, I thought of taking it to the next level. What if I come up with a way to easily install Jenkins Slave as Windows Service by running scripts? It would save so much time and effort without mistakes.
Before working on the whole script, I want to make sure Jenkins CLI works. Jenkins CLI is different from REST API of Jenkins and it needs some preliminary preparation.
Jenkins CLI is available from Manage Jenkins -> Tools and Actions -> Jenkins CLI.
When I click Jenkins CLI, there is a list of commands available.
I’m going to try to see if help works for sanity check. Before running the command
java -jar jenkins-cli.jar -s https://jenkins.linux-mint.local/ help , make sure to install Java and download
jenkins-cli.jar from the Jenkins CLI page. When I ran it, I get the following error.
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) <SNIP> at hudson.cli.FullDuplexHttpStream.(FullDuplexHttpStream.java:73) at hudson.cli.CLI.plainHttpConnection(CLI.java:361) at hudson.cli.CLI._main(CLI.java:299) at hudson.cli.CLI.main(CLI.java:96) Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) <SNIP> … 20 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) … 25 more
This is because the SSL cert of the Jenkins master server is not trusted by Java. Let’s download the cert and get Java to trust it.
Download SSL Cert
Using openssl, we will download the SSL certificate as a file. Execute the following command.
openssl s_client -showcerts -connect jenkins.linux-mint.local:443 < /dev/null | openssl x509 -outform DER > jenkins.linux-mint.local.cer
Don’t mind some seemingly error message. Now you get a file
Trust the Cert
When you have Java on your system, you have a file called
cacerts. Basically, you import the SSL cert you just downloaded into the
cacerts file. Where is the file? Let’s find out. Execute the following command to locate
sudo find /Library/Java -name cacerts
My system right now is a Mac and I happen to have the file at the following location.
Execute the following command to import the SSL cert into
cacerts. You wil be prompted if you really want to import it and type yes.
sudo keytool -import -v -trustcacerts -alias jenkins -file jenkins.linux-mint.local.cer -keystore /Library/Java/JavaVirtualMachines/jdk-14.0.2.jdk/Contents/Home/lib/security/cacerts -keypass changeit -storepass changeit
To check if it has been imported successfully, execute the following command. Enter the default password
changeit if you haven’t changed.
keytool -list -keystore /Library/Java/JavaVirtualMachines/jdk-14.0.2.jdk/Contents/Home/lib/security/cacerts -alias jenkins
If you want to remove the certificate, you can execute the following command. (Do not execute it if you want to avoid the error I talked about earlier.)
keytool -delete -alias jenkins -keystore /Library/Java/JavaVirtualMachines/jdk-14.0.2.jdk/Contents/Home/lib/security/cacerts
Try Jenkins CLI
First, you need to generate API token for your user. Follow the steps below.
- Login to Jenkins master.
- Click on your username around the upper right corner.
- Click Configure.
- Click Add new Token button.
- Copy the generated token in clipboard.
Now try to execute the following command.
java -jar jenkins-cli.jar -s https://jenkins.linux-mint.local/ -auth [Your User]:[Your Token] help
Now you don’t get the error and you will see the list of available commands.
add-job-to-view Adds jobs to view. build Builds a job, and optionally waits until its completion. cancel-quiet-down Cancel the effect of the "quiet-down" command. Resume using a node for performing builds, to cancel out the earlier "offline-node" command. <SNIP> wait-node-online Wait for a node to become online. who-am-i Reports your credential and permissions.
I personally like using REST API of Jenkins better than Jenkins CLI but what I am planning to do may require Jenkins CLI. SSL protected Jenkins makes it harder to deal with it via its API but this makes it possible. Remember Java has its own keystore separate from the OS where it resides.