Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-12629

Using jenkins-cli connecting to HTTPS port fails due to hostname mismatch in certificate

XMLWordPrintable

      We have Jenkins setup to use only HTTPS port with arguments "--httpPort=-1 --httpsPort=8080" that starts server with self signed certificate.

      Using web browser is all ok but when connecting with jenkins-cli.jar it fails due to hostname not being the same as server actual hostname.

      Steps to reproduce (using bash):

      JENKINS_HOST=foo.bar.host
JENKINS_PORT=8080
JENKINS_URL=https://${JENKINS_HOST}:${JENKINS_PORT}

# Get HTTPS certificate for java
openssl s_client -connect ${JENKINS_HOST}:${JENKINS_PORT} </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ${JENKINS_HOST}.cer
keytool -import -noprompt -trustcacerts -alias ${JENKINS_HOST} -file ${JENKINS_HOST}.cer -keystore myKeystore -storepass 123456
keytool -list -v -keystore myKeystore -storepass 123456

# Get jenkins-cli
wget --no-check-certificate ${JENKINS_URL}/jnlpJars/jenkins-cli.jar

# Test access
alias jcli="java -Djavax.net.ssl.trustStore=myKeystore -Djavax.net.ssl.trustStorePassword=123456 -jar jenkins-cli.jar -s ${JENKINS_URL,,}"
jcli help

      Error displayed:

      Exception in thread "main" java.io.IOException: Failed to connect to https://foo.bar.host:8080/
        at hudson.cli.CLI.getCliTcpPort(CLI.java:211)
        at hudson.cli.CLI.<init>(CLI.java:115)
        at hudson.cli.CLI._main(CLI.java:375)
        at hudson.cli.CLI.main(CLI.java:314)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name mat
ching localhost found
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
        at hudson.cli.CLI.getCliTcpPort(CLI.java:209)
        ... 3 more
Caused by: java.security.cert.CertificateException: No name matching localhost found
        at sun.security.util.HostnameChecker.matchDNS(Unknown Source)
        at sun.security.util.HostnameChecker.match(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
        at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        ... 15 more

      I think the root cause is related to how the self-certificate is being generated that should be using the machine actual hostname in the CN part instead of "Test site":

      Owner: CN=Test site, OU=Unknown, O=Unknown, C=Unknown
Issuer: CN=Test site, OU=Unknown, O=Unknown, C=Unknown

          [JENKINS-12629] Using jenkins-cli connecting to HTTPS port fails due to hostname mismatch in certificate

          Jose Sa created issue -
          Jose Sa made changes -
          Priority Original: Critical [ 2 ] New: Major [ 3 ]
          SCM/JIRA link daemon made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]
          Matt Certain made changes -
          Resolution Original: Fixed [ 1 ]
          Status Original: Resolved [ 5 ] New: Reopened [ 4 ]
          SCM/JIRA link daemon made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: Reopened [ 4 ] New: Resolved [ 5 ]
          Stephen Connolly made changes -
          Labels New: lts-candidate
          Oliver Gondža made changes -
          Labels Original: lts-candidate New: 1.509.4-fixed
          Daniel Beck made changes -
          Labels Original: 1.509.4-fixed New: 1.509.4-fixed lts-candidate
          Oliver Gondža made changes -
          Labels Original: 1.509.4-fixed lts-candidate New: 1.509.4-fixed 1.532.2-fixed
          R. Tyler Croy made changes -
          Workflow Original: JNJira [ 142995 ] New: JNJira + In-Review [ 190380 ]
          Jenkins IRC Bot made changes -
          Component/s New: _unsorted [ 19622 ]
          Component/s Original: security [ 15508 ]

            Unassigned Unassigned
            josesa Jose Sa
            Votes:
            3 Vote for this issue
            Watchers:
            13 Start watching this issue

              Created:
              Updated:
              Resolved: