Install Jenkins on Rocky Linux 10 / AlmaLinux 10

Jenkins is an open-source automation server used for building, testing, and deploying software through CI/CD pipelines. It supports hundreds of plugins and integrates with nearly every tool in the DevOps ecosystem.

This guide covers installing Jenkins LTS on Rocky Linux 10 and AlmaLinux 10, including Java 21 setup, firewall configuration, the initial setup wizard, and configuring Nginx as a reverse proxy with free Let’s Encrypt SSL. For the official installation reference, see the Jenkins Linux installation documentation.

Prerequisites

• A server running Rocky Linux 10 or AlmaLinux 10 with at least 2GB RAM (4GB recommended for production)
• Root or sudo access
• A domain name pointed to your server IP (for SSL setup)
• Ports 8080 (Jenkins), 80, and 443 (Nginx) available

Step 1: Install Java 21 (OpenJDK)

Jenkins requires Java 21 or later. Install OpenJDK 21 from the default Rocky Linux / AlmaLinux repositories along with fontconfig, which Jenkins needs for rendering certain UI elements.

sudo dnf install -y java-21-openjdk fontconfig

Confirm that Java 21 is installed and active:

java -version

The output should show OpenJDK 21 as the active runtime:

openjdk version "21.0.7" 2025-04-15 LTS
OpenJDK Runtime Environment (Red_Hat-21.0.7.0.6-1.el10) (build 21.0.7+6-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-21.0.7.0.6-1.el10) (build 21.0.7+6-LTS, mixed mode, sharing)

If you have multiple Java versions installed, set Java 21 as the default with alternatives:

sudo alternatives --config java

Step 2: Add the Jenkins LTS Repository

Jenkins provides an official stable (LTS) RPM repository. Download the repo file and import the GPG key to enable package verification.

sudo wget -O /etc/yum.repos.d/jenkins.repo https://pkg.jenkins.io/rpm-stable/jenkins.repo

Import the Jenkins GPG signing key so dnf can verify package integrity:

sudo rpm --import https://pkg.jenkins.io/rpm-stable/repodata/repomd.xml.key

Step 3: Install Jenkins on Rocky Linux 10 / AlmaLinux 10

With the repository configured, install Jenkins LTS:

sudo dnf install -y jenkins

Verify the installed Jenkins version:

rpm -qi jenkins | grep -i version

You should see the current LTS version (2.541.x at the time of writing):

Version     : 2.541.3

Step 4: Start and Enable Jenkins Service

Enable Jenkins to start on boot and start the service immediately:

sudo systemctl daemon-reload
sudo systemctl enable --now jenkins

Confirm the service is running without errors:

sudo systemctl status jenkins

The status should show active (running) with the Jenkins process listening on port 8080:

● jenkins.service - Jenkins Continuous Integration Server
     Loaded: loaded (/usr/lib/systemd/system/jenkins.service; enabled; preset: disabled)
     Active: active (running) since Fri 2026-03-21 10:15:32 UTC; 5s ago
   Main PID: 12345 (java)
      Tasks: 48 (limit: 23456)
     Memory: 512.0M
        CPU: 15.234s
     CGroup: /system.slice/jenkins.service
             └─12345 /usr/bin/java -Djava.awt.headless=true -jar /usr/share/java/jenkins.war ...

Step 5: Configure Firewall for Jenkins

Jenkins listens on TCP port 8080 by default. Open this port in firewalld so you can access the web interface:

sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --reload

Verify that port 8080 is open:

sudo firewall-cmd --list-ports

The output should include 8080/tcp in the list of allowed ports.

If you plan to use the Nginx reverse proxy setup covered later in this guide, also open HTTP and HTTPS ports:

sudo firewall-cmd --permanent --add-service=http --add-service=https
sudo firewall-cmd --reload

Step 6: Complete the Jenkins Setup Wizard

Open your browser and navigate to http://your-server-ip:8080. Jenkins displays a page asking for the initial admin password.

Retrieve the auto-generated admin password from the server:

sudo cat /var/lib/jenkins/secrets/initialAdminPassword

The command returns a 32-character string – copy and paste it into the browser to unlock Jenkins.

On the next screen, select Install suggested plugins to install the most commonly used plugins including Git, Pipeline, and Credentials. This takes a few minutes depending on your internet connection.

After the plugins finish installing, Jenkins prompts you to create the first admin user. Fill in the username, password, full name, and email address. Then confirm the Jenkins URL and click Save and Finish.

Jenkins is now ready. You can start creating jobs and pipelines. If you want to manage users and roles in Jenkins, install the Role-Based Authorization Strategy plugin from the plugin manager.

Step 7: Configure Nginx Reverse Proxy with SSL

Running Jenkins behind Nginx with SSL is the recommended production setup. It terminates TLS at Nginx and proxies requests to Jenkins on localhost:8080. This section covers installing Nginx, obtaining a free Let’s Encrypt certificate with Certbot, and configuring the reverse proxy.

Install Nginx and Certbot

Install Nginx from the default repositories and Certbot with the Nginx plugin for automated SSL certificate management:

sudo dnf install -y nginx certbot python3-certbot-nginx

Start and enable Nginx:

sudo systemctl enable --now nginx

Configure SELinux for the Reverse Proxy

On Rocky Linux 10 and AlmaLinux 10, SELinux is enforcing by default. Nginx needs the httpd_can_network_connect boolean enabled to proxy requests to Jenkins on port 8080. Without this, SELinux blocks the connection and you get a 502 Bad Gateway error.

sudo setsebool -P httpd_can_network_connect 1

Verify the boolean is set:

getsebool httpd_can_network_connect

The output should confirm the boolean is enabled:

httpd_can_network_connect --> on

Create the Nginx Virtual Host

Create a new Nginx server block for your Jenkins domain. Replace jenkins.example.com with your actual domain name throughout.

sudo vi /etc/nginx/conf.d/jenkins.conf

Add the following reverse proxy configuration:

upstream jenkins {
    keepalive 32;
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name jenkins.example.com;

    # Redirect all HTTP to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name jenkins.example.com;

    # SSL certificates managed by Certbot
    ssl_certificate /etc/letsencrypt/live/jenkins.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jenkins.example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    access_log /var/log/nginx/jenkins.access.log;
    error_log /var/log/nginx/jenkins.error.log;

    # Allow large file uploads for Jenkins plugins and artifacts
    client_max_body_size 100m;

    location / {
        proxy_pass http://jenkins;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;

        # WebSocket support for Jenkins CLI and live console output
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_request_buffering off;
    }
}

Obtain a Let’s Encrypt SSL Certificate

Before obtaining the certificate, temporarily comment out or remove the HTTPS server block in your Nginx config (the one listening on 443) so Nginx can start with just the HTTP block. Certbot needs Nginx running to complete the HTTP challenge.

Test the Nginx configuration and reload:

sudo nginx -t && sudo systemctl reload nginx

Run Certbot to obtain the certificate. Replace the domain and email with your own:

sudo certbot --nginx -d jenkins.example.com --non-interactive --agree-tos -m [email protected]

Certbot automatically obtains the certificate, updates the Nginx config with SSL directives, and sets up automatic renewal via a systemd timer. Verify the renewal timer is active:

sudo systemctl list-timers | grep certbot

You should see the certbot-renew.timer scheduled to run periodically.

Update Jenkins URL

After enabling SSL, update the Jenkins URL setting to use HTTPS. Go to Manage Jenkins – System and change the Jenkins URL to https://jenkins.example.com/. This ensures Jenkins generates correct URLs in build notifications and API responses.

If you are running Jenkins in a Docker container, the reverse proxy configuration is the same – just point the upstream to the container’s mapped port.

Step 8: Verify the Complete Setup

Run these checks to confirm everything is working:

Check that Jenkins is running and listening on port 8080:

sudo ss -tlnp | grep 8080

The output confirms Jenkins is bound to port 8080:

LISTEN 0      50                 *:8080            *:*    users:(("java",pid=12345,fd=8))

Verify Nginx is proxying correctly by checking the HTTPS endpoint:

curl -sI https://jenkins.example.com | head -5

A successful response shows HTTP 200 with Jenkins-specific headers:

HTTP/2 200
date: Fri, 21 Mar 2026 10:30:00 GMT
x-content-type-options: nosniff
x-jenkins: 2.541.3
x-jenkins-session: abc12345

For Debian-based systems, the installation process differs slightly – see our guide on installing Jenkins on Ubuntu 24.04 / Debian 13 for the apt-based setup.

Conclusion

Jenkins LTS is now running on Rocky Linux 10 / AlmaLinux 10 behind an Nginx reverse proxy with Let’s Encrypt SSL. The setup uses Java 21, has SELinux properly configured for reverse proxying, and firewall rules in place for both direct and proxied access.

For production hardening, configure Jenkins backup jobs for /var/lib/jenkins, set up Jenkins behind Nginx with additional security headers, enable role-based access control, and monitor Jenkins with Prometheus or your preferred monitoring stack. Keep Jenkins and plugins updated regularly – the LTS release line receives security patches every few weeks. See the Jenkins LTS changelog to track updates.