Jenkins on Letsencrypt? What is my webroot?


#1
$ sudo cat /etc/apache2/sites-available/000-default.conf 
[sudo] password for kus: 
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	ServerName jenkins.liftrocket.com
	ServerAdmin kushaldeveloper@gmail.com
	#DocumentRoot /var/www/html
        ProxyPass / http://localhost:8080/
        ProxyPassReverse / http://localhost:8080
        ProxyRequests Off 
        <Proxy http://jenkins.liftrocket.com:8080/*>
                Order deny,allow 
                Allow from all 
        </Proxy>

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:trace8

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

If I do sudo certbot --authenticator webroot --installer apache I get to the question about the web root.

Now in jenkins.liftrocket.com/systeminfo, I see that my webroot is /var/cache/jenkins/war

sun.java.command	/usr/share/jenkins/jenkins.war --webroot=/var/cache/jenkins/war --httpPort=8080

I am on debian stretch 9.3 with apache weekly jenkins updates (am open to switching to other things if needed). It is a $5 box on digital ocean.


#2

The request should never make it to Jenkins, you should intercept it when it arrives at Apache and handle it there.

One way to do this could be to change:

    #DocumentRoot /var/www/html
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080
    ProxyRequests Off

to

    DocumentRoot /var/www/html
    ProxyPass "/.well-known/acme-challenge" "!"
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080
    ProxyRequests Off 

and then /.well-known/acme-challenge should be served from /var/www/html/.well-known/acme-challenge/, so for Certbot you would use --authenticator webroot -w /var/www/html.


#3

Thank you very much, _az! I would also like to thank @ccppuu for guiding me to the forum.

:pray:


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.