DEV Community

Nirjas Jakilim

Jenkins Plugin Update Workaround for Offline or Proxy-Restricted Environments

When deploying Jenkins in a secure environment, such as behind a corporate firewall or proxy, plugin installations and updates often run into problems. Jenkins fetches plugin metadata and files from dynamic CDN URLs, which makes it hard to whitelist exact endpoints on your proxy or firewall.

In this guide, I’ll walk you through how to host your own Jenkins update center mirror using a static URL, making it possible to fetch and install plugins without opening up your network to all of Jenkins' CDNs.


The Problem

Jenkins plugin updates rely on URLs that resolve to CDNs or change frequently. In a restricted environment:

  • Your Jenkins host may have no direct internet access.
  • All outbound traffic must go through a proxy or firewall.
  • Whitelisting all possible CDN endpoints is not feasible.

Solution: Generate your own update-center.json file, sign it with your own certificate, and serve it from a local or approved static host. Then configure Jenkins to use this static URL as the update site.


Step-by-Step Solution

Step 1: Prepare the update-center.json on Any Internet-Connected Machine

  1. Clone the Nirzak/jenkins-update-center repo (thanks to lewark):

     git clone https://github.com/Nirzak/jenkins-update-center.git
     cd jenkins-update-center

  2. Remove any existing certificates (skip this step if you want to use the repo certificate):

     rm -rf rootCA/update-center.crt rootCA/update-center.key

  3. Edit the mirrors.json file and replace the content with:

     { "jenkins": "https://archives.jenkins.io/" }

Here, I used archives.jenkins.io as the mirror. You can also use any other mirror URL if you want. You need to allow the mirror URL on your proxy or firewall.

  4. Generate a new self-signed cert and key:

     openssl genrsa -out rootCA/update-center.key 2048
     openssl req -new -x509 -days 3650 -key rootCA/update-center.key -out rootCA/update-center.crt

  5. Install the required Python packages:

     pip3 install -r requirements.txt

  6. Generate the custom update center:

     python3 generator.py

Your generated update-center.json will be available in the <current_directory>/updates/jenkins directory.
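A pre-deployment check for the generated file, added here as an example (it is not part of the original post or of the repo): it lists every host Jenkins would download from, so you can confirm the proxy allowlist needs only the mirror set in mirrors.json. It assumes the usual update-center.json layout (an optional `updateCenter.post(...)` wrapper, `core.url`, and `plugins.<name>.url`); the function names and the sample document are constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

ALLOWED_HOST = "archives.jenkins.io"  # host of the mirror set in mirrors.json


def load_update_center(text):
    """Parse update-center.json, with or without the updateCenter.post(...) wrapper."""
    start, end = text.find("{"), text.rfind("}")
    if start == -1 or end < start:
        raise ValueError("no JSON object found")
    return json.loads(text[start:end + 1])


def audit_download_urls(doc, allowed_host=ALLOWED_HOST):
    """Return (hosts, offenders): hosts counts download hosts, offenders lists
    (name, url) pairs that are not served from https://<allowed_host>/."""
    entries = [("core", doc.get("core", {}).get("url"))]
    entries += [(name, p.get("url")) for name, p in doc.get("plugins", {}).items()]
    hosts, offenders = Counter(), []
    for name, url in entries:
        if not url:
            continue  # entry without a download URL (e.g. no core section)
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        hosts[host] += 1
        if parts.scheme != "https" or host != allowed_host:
            offenders.append((name, url))
    return hosts, offenders


# Constructed sample in the wrapped form; plugin names and versions are made up.
SAMPLE = """updateCenter.post(
{"core": {"url": "https://archives.jenkins.io/war/0.0.0/jenkins.war"},
 "plugins": {
  "example-a": {"url": "https://archives.jenkins.io/plugins/example-a/1.0/example-a.hpi"},
  "example-b": {"url": "https://updates.jenkins.io/download/plugins/example-b/2.0/example-b.hpi"},
  "example-c": {"url": "http://archives.jenkins.io/plugins/example-c/3.0/example-c.hpi"}}}
);"""

if __name__ == "__main__":
    hosts, offenders = audit_download_urls(load_update_center(SAMPLE))
    print("download hosts:", dict(hosts))
    for name, url in offenders:
        print("outside allowlist:", name, url)
```

To audit the real file, pass the contents of updates/jenkins/update-center.json to `load_update_center()` instead of `SAMPLE`.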


Step 2: Setup on Jenkins Host

  1. Copy the generated update-center.json and update-center.crt to your Jenkins host.

  2. Create the required directory:

     mkdir -p ${JENKINS_HOME}/update-center-rootCAs

  3. Copy the cert file into it:

     cp rootCA/update-center.crt ${JENKINS_HOME}/update-center-rootCAs

Step 3: Host the update-center.json

Use Python’s built-in HTTP server (or any simple web server) to serve the file. http.server exposes everything under the directory it is started in, so start it in a directory that holds only update-center.json, not in the repo root where rootCA/update-center.key lives:

     cd path/to/directory   # the directory that contains update-center.json
     nohup python3 -m http.server 8000 &

This will serve the file at:

http://your-host:8000/update-center.json

Step 4: Configure Jenkins to Use the New Update Site

  1. Open Jenkins UI.
  2. Navigate to: Manage Jenkins → Manage Plugins → Advanced.
  3. In the Update Site URL field, enter:
 http://your-host:8000/update-center.json 
  4. Click Submit to save.

All done!

Now go to the Available or Updates tab under Manage Plugins, and you should be able to install or update any plugin, provided you allow the mirror on your proxy or firewall. You no longer need to allow all the other CDN mirror URLs on your proxy, since Jenkins is only using a static URL.
