• Bug
    • Resolution: Unresolved
    • Minor
    • cli
    • None

      Using jenkins-cli with public key authentication.

      jenkins-cli -s http://localhost:8080 help

      works.

      Using jenkins-cli with public key authentication.

      jenkins-cli -s https://jenkins.example.com help

      fails with a 403.

      Exception in thread "main" java.io.IOException: Server returned HTTP response code: 403 for URL: https://jenkins.example.com/cli
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1403)
      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
      at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:61)
      at hudson.cli.CLI.<init>(CLI.java:110)
      at hudson.cli.CLI.<init>(CLI.java:82)
      at hudson.cli.CLI._main(CLI.java:250)
      at hudson.cli.CLI.main(CLI.java:199)

      Apache configuration is a simple vhost with ProxyPass/ProxyPassReverse at the root.

          [JENKINS-16531] jenkins-cli with apache+ssl fails with 403

          Sidnei da Silva created issue -

          Apparently this might be related to SNI (or the lack thereof) on the client side.

          Since this host has multiple SSL vhosts with the same IP, the following config setting was added:

          SSLStrictSNIVHostCheck on

          ... which causes non-SNI clients to be rejected (http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslstrictsnivhostcheck)

          Changing it to:

          SSLStrictSNIVHostCheck off

          ... gets rid of the 403. However the client instead will hang.

          Seems similar to JENKINS-11560 and JENKINS-16345, though the SNI problem could be considered a separate issue.

          Jesse Glick made changes -
          Link New: This issue relates to JENKINS-41745 [ JENKINS-41745 ]
