Starting with Jenkins CLI

I previously wrote How to Install Jenkins Slave as Windows Service in this blog. It has been one of the most accessed articles on this site. Though the article worked for people who visited here, I thought of taking it to the next level. What if I come up with a way to easily install Jenkins Slave as Windows Service by running scripts? It would save so much time and effort without mistakes.

Before working on the whole script, I want to make sure Jenkins CLI works. Jenkins CLI is different from the Jenkins REST API, and it needs some preliminary preparation.

Jenkins CLI

Jenkins CLI is available from Manage Jenkins -> Tools and Actions -> Jenkins CLI.

When I click Jenkins CLI, there is a list of commands available.

I’m going to see if help works as a sanity check. Before running the command java -jar jenkins-cli.jar -s https://jenkins.linux-mint.local/ help, make sure to install Java and download jenkins-cli.jar from the Jenkins CLI page. When I ran it, I got the following error.

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
<SNIP>
at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:73)
at hudson.cli.CLI.plainHttpConnection(CLI.java:361)
at hudson.cli.CLI._main(CLI.java:299)
at hudson.cli.CLI.main(CLI.java:96)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
<SNIP>
… 20 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
… 25 more

This is because the SSL cert of the Jenkins master server is not trusted by Java. Let’s download the cert and get Java to trust it.

Download SSL Cert

Using openssl, we will download the SSL certificate as a file. Execute the following command.

openssl s_client -showcerts -connect jenkins.linux-mint.local:443 < /dev/null | openssl x509 -outform DER > jenkins.linux-mint.local.cer

Ignore any output that looks like an error message. You now have a file named jenkins.linux-mint.local.cer.

Trust the Cert

When you have Java on your system, you have a file called cacerts. Basically, you import the SSL cert you just downloaded into the cacerts file. Where is the file? Let’s find out. Execute the following command to locate cacerts.

sudo find /Library/Java -name cacerts

My system right now is a Mac and I happen to have the file at the following location.

/Library/Java/JavaVirtualMachines/jdk-14.0.2.jdk/Contents/Home/lib/security/cacerts

Execute the following command to import the SSL cert into cacerts. You will be prompted to confirm the import; type yes.

sudo keytool -import -v -trustcacerts -alias jenkins -file jenkins.linux-mint.local.cer -keystore /Library/Java/JavaVirtualMachines/jdk-14.0.2.jdk/Contents/Home/lib/security/cacerts -keypass changeit -storepass changeit

To check if it has been imported successfully, execute the following command. Enter the default password changeit if you haven’t changed it.

keytool -list -keystore /Library/Java/JavaVirtualMachines/jdk-14.0.2.jdk/Contents/Home/lib/security/cacerts -alias jenkins

If you want to remove the certificate, you can execute the following command. (Do not execute it if you want to avoid the error I talked about earlier.)

keytool -delete -alias jenkins -keystore /Library/Java/JavaVirtualMachines/jdk-14.0.2.jdk/Contents/Home/lib/security/cacerts

Try Jenkins CLI

First, you need to generate an API token for your user. Follow the steps below.

  1. Log in to Jenkins master.
  2. Click on your username around the upper right corner.
  3. Click Configure.
  4. Click the Add new Token button.
  5. Copy the generated token to the clipboard.

Now try to execute the following command.

java -jar jenkins-cli.jar -s https://jenkins.linux-mint.local/ -auth [Your User]:[Your Token] help

Now you don’t get the error and you will see the list of available commands.

  add-job-to-view
    Adds jobs to view.
  build
    Builds a job, and optionally waits until its completion.
  cancel-quiet-down
    Cancel the effect of the "quiet-down" command.
   Resume using a node for performing builds, to cancel out the earlier "offline-node" command.
<SNIP>
  wait-node-online
    Wait for a node to become online.
  who-am-i
    Reports your credential and permissions.
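
The openssl step above saves whatever certificate the server presents, and the keytool step adds it to the JDK-wide cacerts. As an added example (not part of the original post), the script below checks the downloaded DER file against a SHA-256 fingerprint obtained out-of-band, imports it into a truststore used only for the CLI, and reads credentials from JENKINS_USER_ID / JENKINS_API_TOKEN instead of -auth. The PIN argument, the STOREPASS variable and the file name jenkins-truststore.p12 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: PIN (fingerprint
# given to you out-of-band by the Jenkins admin), STOREPASS, jenkins-truststore.p12.

# SHA-256 over the DER bytes is the certificate's SHA-256 fingerprint.
der_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
  else openssl dgst -sha256 -r "$1" | cut -d' ' -f1
  fi
}

# Accept "AB:CD:..." (openssl/keytool style) or plain hex, in any case.
normalize_fp() { printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'; }

# Succeeds only if the DER file's fingerprint equals the pinned value.
verify_pin() {  # cert.der pin
  [ -s "$1" ] || return 2   # missing or empty download
  [ "$(der_sha256 "$1")" = "$(normalize_fp "$2")" ]
}

# Import into a truststore used only for Jenkins CLI, leaving cacerts untouched.
import_pinned() {  # cert.der pin truststore
  verify_pin "$1" "$2" || { echo "fingerprint mismatch, not importing" >&2; return 1; }
  keytool -importcert -noprompt -alias jenkins -file "$1" \
          -keystore "$3" -storepass "${STOREPASS:-changeit}"
}

# Run the CLI against that truststore. With JENKINS_USER_ID and JENKINS_API_TOKEN
# exported, the token does not appear in argv or in shell history.
jenkins_cli() {  # truststore url args...
  ts=$1; url=$2; shift 2
  java -Djavax.net.ssl.trustStore="$ts" \
       -Djavax.net.ssl.trustStorePassword="${STOREPASS:-changeit}" \
       -jar jenkins-cli.jar -s "$url" "$@"
}

# Usage: sh pin-import.sh jenkins.linux-mint.local.cer PIN
if [ $# -eq 2 ]; then
  import_pinned "$1" "$2" jenkins-truststore.p12 &&
    jenkins_cli jenkins-truststore.p12 https://jenkins.linux-mint.local/ who-am-i
fi
```

Setting javax.net.ssl.trustStore replaces the default truststore for that JVM, so this invocation trusts only the certificate imported here.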

Recap

I personally like using the REST API of Jenkins better than Jenkins CLI, but what I am planning to do may require Jenkins CLI. SSL-protected Jenkins makes it harder to deal with it via its API, but this makes it possible. Remember that Java has its own keystore, separate from that of the OS where it resides.

Author: admin

A software engineer in greater Seattle area
