• Bug
    • Resolution: Unresolved
    • Minor
    • cli
    • None

      Using jenkins-cli with public key authentication.

      jenkins-cli -s http://localhost:8080 help

      works.

      Using jenkins-cli with public key authentication.

      jenkins-cli -s https://jenkins.example.com help

      fails with a 403.

      Exception in thread "main" java.io.IOException: Server returned HTTP response code: 403 for URL: https://jenkins.example.com/cli
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1403)
      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
      at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:61)
      at hudson.cli.CLI.<init>(CLI.java:110)
      at hudson.cli.CLI.<init>(CLI.java:82)
      at hudson.cli.CLI._main(CLI.java:250)
      at hudson.cli.CLI.main(CLI.java:199)

      Apache configuration is a simple vhost with ProxyPass/ProxyPassReverse at the root.

          [JENKINS-16531] jenkins-cli with apache+ssl fails with 403

          Apparently this might be related to SNI (or the lack thereof) on the client side.

          Since this host has multiple SSL vhosts with the same IP, the following config setting was added:

          SSLStrictSNIVHostCheck on

          ... which causes non-SNI clients to be rejected (http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslstrictsnivhostcheck)

          Changing it to:

          SSLStrictSNIVHostCheck off

          ... gets rid of the 403. However, the client will instead hang.

          Seems similar to JENKINS-11560 and JENKINS-16345, though the SNI problem could be considered a separate issue.

          Sidnei da Silva added a comment.

            Unassigned
            Sidnei da Silva (sidnei)
            Votes: 1
            Watchers: 2
