Red Hat Bugzilla – Bug 1312278
Jenkins template has hardcoded SSL certificate and password
Last modified: 2017-03-08 13:43 EST
Description of problem:
Jenkins templates shipped with the installer have hardcoded certificates and password. This is insecure, this kind of data should be generated when an app is created from template.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. check template files
2. import them into OpenShift during installation and deploy an app
jenkins deployed with hardcoded certificate and password equal to "password"
certificates are generated (or the default router cert is used) as well as the admin password
There is no good way to generate a cert from within a template today. This is the best we can do to make it usable out of the box. Users concerned about security should of course substitute their own certificate.
The password is settable via a parameter on the template, so again this can be set by users who care.
Why would you need to include a broken SSL certificate prone to MITM attachs for the route if the Router already has one (which may actually be a normal signed certificate)?
It's entirely possible that cert is no longer needed to ensure good jenkins behavior. Michal, can you see if we can remove the cert from the jenkins template route definition?
Sorry for the delay, I'm going to check this out today.
Taking a look. I can see the hard coded cert & key, but AFAICS there is no hardcoded password now.
that's true, the jenkins admin password is now randomly generated.
Commit pushed to master at https://github.com/openshift/origin
Fix bug 1312278 Jenkins template has hardcoded SSL certificate.
Remove expired www.example.com certificate and key from route objects in templates across examples/ and test/ excluding test/old-start-configs.
In some cases this may alter the precise 'insecure certificate' error that users would see by default when accessing these apps. Previously they'd have got an expired www.example.com cert; now they'll get the default router cert, which currently by default is self-signed and not wildcarded.
This has been merged into ose and is in OSE v220.127.116.11 or newer.
1.Create jenkins server using jenkins template
$ oc new-app jenkins-ephemeral
$ oc new-app jenkins-persistent
2.Access jenkins webconsole via route url
Actual results: jenkins server is ready, could access jenkins webconsole via route url
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.