New Feature
Resolution: Unresolved
Major
None
Redhat Linux
I am trying to start Jenkins using a CA-signed certificate, but I am getting this error:
Running from: /usr/lib/jenkins/jenkins.war
Apr 01, 2014 9:56:01 AM winstone.Logger logInternal
INFO: Winstone shutdown successfully
Apr 01, 2014 9:56:01 AM winstone.Logger logInternal
SEVERE: Container startup failed
java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
at winstone.Launcher.spawnListener(Launcher.java:209)
at winstone.Launcher.<init>(Launcher.java:149)
at winstone.Launcher.main(Launcher.java:354)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at Main._main(Main.java:293)
at Main.main(Main.java:98)
Caused by: java.io.IOException: DerValue.getBigInteger, not an int 48
at sun.security.util.DerValue.getBigInteger(DerValue.java:511)
at winstone.HttpsConnectorFactory.readPEMRSAPrivateKey(HttpsConnectorFactory.java:171)
at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:90)
at winstone.Launcher.spawnListener(Launcher.java:207)
... 8 more
OpenSSL was used to generate the key and CSR, then the CA gave us back the cert. What could be causing this error?
JENKINS_ARGS="--httpsCertificate=/var/lib/jenkins/cert/cci-jenkins_uncc_edu_cert.cer --httpsPrivateKey=/var/lib/jenkins/cert/cci-jenkins.key"
[JENKINS-22448] Add support for PKCS #8 private keys
No, I gave up because it was too much trouble. I decided to run Jenkins in Tomcat and let Apache handle the SSL. That was much easier.
From the Server Fault question, answer, and solution regarding StartSSL, this seems to be an issue with the certificates being in a format Java (or maybe Jetty) cannot handle (please correct me if I'm wrong).
For this reason, and because the reporter has given up on the issue, resolving as Won't Fix as there seems to be little that can be done about it in Jenkins.
After updating the renewed SSL cert into the Java keystore for HTTPS auth, Jenkins startup failed with the error below. It still works with the old expired SSL cert.
I have verified the Java keystore and the key/cert password; I was able to list the keystore content and view the content of the .pfx used in the keystore using the passwords.
Please assist to fix this error.
svmftadm 19916 1 99 05:49 pts/0 00:00:09
/opt/mft/shared/software/jdk/jdk1.7.0_51/bin/java
-Djavax.net.ssl.trustStore=/opt/mft/admin/certs/ldapTrustStore
-Djavax.net.ssl.keyStore=/opt/mft/admin/certs/ldapTrustStore
-Djavax.net.ssl.keyStorePassword=xyz -jar /opt/mft/jenkins/jenkins.war
--httpPort=-1 --httpsPort=9443 --httpsKeyStore=/opt/mft/jenkins/jenkins.jks
--httpsKeyStorePassword=xyz
lx0001[/opt/mft/jenkins]> cat jenkins.log
Running from: /apps/mft/jenkins/jenkins.war
webroot: EnvVars.masterEnvVars.get("JENKINS_HOME")
Oct 10, 2014 5:36:02 AM winstone.Logger logInternal
INFO: Beginning extraction from war file
Oct 10, 2014 5:36:02 AM winstone.Logger logInternal
INFO: Winstone shutdown successfully
Oct 10, 2014 5:36:02 AM winstone.Logger logInternal
SEVERE: Container startup failed
java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
at winstone.Launcher.spawnListener(Launcher.java:209)
at winstone.Launcher.<init>(Launcher.java:149)
at winstone.Launcher.main(Launcher.java:354)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at Main._main(Main.java:293)
at Main.main(Main.java:98)
Caused by: winstone.WinstoneException: Error getting the SSL context object
at winstone.HttpsConnectorFactory.getSSLContext(HttpsConnectorFactory.java:218)
at winstone.HttpsConnectorFactory.createConnector(HttpsConnectorFactory.java:127)
at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:116)
at winstone.Launcher.spawnListener(Launcher.java:207)
... 8 more
Please direct your requests for assistance somewhere else. This is an issue tracker, not a support forum.
Let me question the analysis by Daniel Beck.
Is there any evidence that Jenkins supports PEM-formatted keys as claimed? Say, a regression test? The exception is thrown by Jenkins code that implements parsing of key files by hand, and that code has some TODOs that suggest it's not a correctness champion, and there's no link to what spec it is implementing. In fact, it's surprising that Jenkins code implements such low-level certificate parsing instead of using some library.
1. Jenkins documents supporting PEM keys.
2. I have what looks like such a key generated with openssl.
3. Jenkins fails on that key as documented in this issue.
--httpsPrivateKey = the location of the PEM-encoded SSL private key. (the one that starts with '-----BEGIN RSA PRIVATE KEY-----')
I created a key with openssl:
openssl req -nodes -newkey rsa:2048 -keyout kamino.key -out kamino-req.pem -subj $OMITTED
the file starts with
-----BEGIN PRIVATE KEY-----
blaisorblade To clarify, you're getting the same exception with your key generated like that? Could you post the exception stack trace/error message, which version of Jenkins you're using, and the key you generated?
danielbeck Thanks a lot for the prompt answer!
Essentially yes, I'm getting essentially the same exception, but the line numbers are slightly different, so below's the actual data. I won't post the real private key since it's used in production after being certified by an external authority, but I've regenerated another one with the same command, self-signed it, and reproduced the same error.
I'm running Jenkins LTS from a recent official Docker image (running Jenkins ver. 1.596.2). The openssl I used is from the host, openssl 1.0.1f-1ubuntu2.11 from Ubuntu 14.04 LTS.
Jenkins output:
# docker run --name myjenkins-ssl-bad-2 -p 8443:8443 -v /var/jenkins_home jenkins-ssl-bad-2
/usr/share/jenkins/ref/init.groovy.d/tcp-slave-angent-port.groovy
/usr/share/jenkins/ref/init.groovy.d/tcp-slave-angent-port.groovy -> init.groovy.d/tcp-slave-angent-port.groovy
copy init.groovy.d/tcp-slave-angent-port.groovy to JENKINS_HOME
Running from: /usr/share/jenkins/jenkins.war
webroot: EnvVars.masterEnvVars.get("JENKINS_HOME")
May 11, 2015 8:29:43 PM winstone.Logger logInternal
INFO: Beginning extraction from war file
May 11, 2015 8:29:44 PM winstone.Logger logInternal
INFO: Winstone shutdown successfully
May 11, 2015 8:29:44 PM winstone.Logger logInternal
SEVERE: Container startup failed
java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
at winstone.Launcher.spawnListener(Launcher.java:209)
at winstone.Launcher.<init>(Launcher.java:149)
at winstone.Launcher.main(Launcher.java:354)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at Main._main(Main.java:293)
at Main.main(Main.java:98)
Caused by: java.io.IOException: DerValue.getBigInteger, not an int 48
at sun.security.util.DerValue.getBigInteger(DerValue.java:511)
at winstone.HttpsConnectorFactory.readPEMRSAPrivateKey(HttpsConnectorFactory.java:173)
at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:89)
at winstone.Launcher.spawnListener(Launcher.java:207)
... 8 more
OpenSSL output, on the host:
# openssl req -nodes -newkey rsa:2048 -keyout kamino-foo.key -out kamino-req-foo.pem -subj '/O=Universitaet Tuebingen/L=Tuebingen/ST=Baden-Wuerttemberg/C=DE/CN=kamino.informatik.uni-tuebingen.de/emailAddress=paolo.giarrusso@uni-tuebingen.de'
Generating a 2048 bit RSA private key
........+++
...................................................................................+++
writing new private key to 'kamino-foo.key'
-----
# openssl x509 -req -days 365 -in kamino-req-foo.pem -signkey kamino-foo.key -out kamino-foo.crt
Signature ok
subject=/O=Universitaet Tuebingen/L=Tuebingen/ST=Baden-Wuerttemberg/C=DE/CN=kamino.informatik.uni-tuebingen.de/emailAddress=paolo.giarrusso@uni-tuebingen.de
Getting Private key
# cat kamino-foo.key
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD7QaxOVQYuiUHU
jGkvfrn49FMadPMrK32sG8oeRAAbjC9hi6PXxEXXzZR29VpQ9TWApxNWmqs0GJWF
+pLfnr0iXX7OdThFPKVjgVIXVA1SbB23vE2lKOTu9FmJoTz8DANP4lqEj4GdVpNj
I8+o6QtfdoLXs4P8l+NA/0UeVPS9HZ0qR8SDKIFf5Ila2w68t8u5Hr9I0hWwd4wY
G7qT04JKeV9uTLo2q7EtGJEDB4nSY8H9S2MRgTpQzVO1C2l7Um00623TRRWyutgv
seMA98SzFbbEloofUgRsG5wk1h6wuNFOcE6LT/0wOa3PaQePcu4PS1IKbmixD375
IbcAUXpzAgMBAAECggEAIPCrNlnPRaqZBtShtahXmVvuyTkr6Cz7fOTnyq//k5z9
WTyFbnQ8893v6OihvptnOEavMlt0to/Cip4fQ1H8WdUIGukjR3B7/l+l84kBdhzW
iJAXXd/Oo8VFN9X7uM+aX469b0OhKo9/IzA+uVZUN1/CJ6VRWHxRPuQ4m5FnxKMq
x32TA9a25sHHyosu3DJSpKscVbQttz0yZxQvzM/2BK9iCOBoFfLbJQy9cYs048Va
82oKv2KMUsOUlyjP9EUbaJLj9CUqgEbSAYPe0+tFzSTN29KlOZFYwnnJ32tQy3wN
YagZdgCr+8939sqlVVNFK3BxNaoPk+5YcSkq3AqWgQKBgQD+qmoRhHkGVlBuafVB
7bPURgNJ9RwUsfDyI978q4bVg/EA7z1/KchYrLHh91bPv+PsWeeYb5gMVufRiyYE
MOo3kF38TETdb/7AUAnxfXRAWm98FMQL3awTYafCRvGC3c7I501m9+a4Tg9w1tzZ
VgmDVOFpl1P9u4cuBZ2kWA9lbQKBgQD8kq+e7i/gLYz/Zo87qkXJ8+Om4cJL+ej+
5E8hCTNTA2RqKxVmPiQlu8Gp2lSHF+ouhik1nTllmCvYIWR3+EKO2+crt1rWXtJu
Y4h4MbF4LW2l7kID2gDtHPgDETl1e8SVlL0IDKxtgnqxGss5MJMOSE9Pt2pZ21/n
Ii/PwsrTXwKBgQCqs13/ufVJmye0qw97jrKgkgF4XHTjJlckZ4j7gpoRmqw7/SES
kNY7Ih7mIV2uSaikb6r+kaawdrxSx9vGqWcFsZ5eFF2AtKZlEAFqPrZiwHvEB0NV
1NOX9jh10Anot3b5UZmfcIHVfnV5JHzKrZIY1xd1KLti84VsAtWlKGXBjQKBgQDz
OTLkIs153YOlQ5d1RqCUPUgiIc+gqJYGN8g3sQt6yo59auXdosPejnON5NF3ksES
cmHm3nQycJrwNB/zI+C8f+mbAKP6Qi/02+bEkF4ts9mea9WordwserQfCAxEJZ8G
yMhMox+9CWSrfnjrpupGW738r008IPS2uQY/1X7KkwKBgHPYfesm1y4Ho972Xf+z
Ccfpebx9a36seBN1aWvJ4eOaJchXXKShSVjsuEiHDQ0mJSSm+5RLalZhhbq6s4ZW
wAhxfD6d8GY5AefyYCVcd6bq+Y2ctcyLKJl2h8FcOCabC+zMYQe4lG8RoJnzyzoN
AAZBBjPLW4u/tuBaXFeG/z1S
-----END PRIVATE KEY-----
# cat kamino-req-foo.pem
-----BEGIN CERTIFICATE REQUEST-----
MIIDAzCCAesCAQAwgb0xHzAdBgNVBAoMFlVuaXZlcnNpdGFldCBUdWViaW5nZW4x
EjAQBgNVBAcMCVR1ZWJpbmdlbjEbMBkGA1UECAwSQmFkZW4tV3VlcnR0ZW1iZXJn
MQswCQYDVQQGEwJERTErMCkGA1UEAwwia2FtaW5vLmluZm9ybWF0aWsudW5pLXR1
ZWJpbmdlbi5kZTEvMC0GCSqGSIb3DQEJARYgcGFvbG8uZ2lhcnJ1c3NvQHVuaS10
dWViaW5nZW4uZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD7QaxO
VQYuiUHUjGkvfrn49FMadPMrK32sG8oeRAAbjC9hi6PXxEXXzZR29VpQ9TWApxNW
mqs0GJWF+pLfnr0iXX7OdThFPKVjgVIXVA1SbB23vE2lKOTu9FmJoTz8DANP4lqE
j4GdVpNjI8+o6QtfdoLXs4P8l+NA/0UeVPS9HZ0qR8SDKIFf5Ila2w68t8u5Hr9I
0hWwd4wYG7qT04JKeV9uTLo2q7EtGJEDB4nSY8H9S2MRgTpQzVO1C2l7Um00623T
RRWyutgvseMA98SzFbbEloofUgRsG5wk1h6wuNFOcE6LT/0wOa3PaQePcu4PS1IK
bmixD375IbcAUXpzAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAOhegn5Ss59rR
zltrDfOKxJEeuqb87ze0GNCGblkVXkpErEByLLJHN+q9qk0rVo4tXtliHpaHA1ZA
0IwMYOffWLnC8bHIINFO9IlTAmVMi2Gul0oxKORmbBzYOonl2Xr2Kwq/N0naYKgx
q4jNmwkopdPKmgmUIpGHGASTHKDkDBeAVatWj2s3TrzSaFeg0n3JxKSmg0au3KPp
nKUphtEhGfyIRsuhi+GAx8N428qFpvqllrFZAiQFCxqrgBcetPcsFZTSqXgJovTo
ZodZ4nzdYnkKJSyxYTQw7aiNVLvuikqq3oyRy7oTDmnjayx4GDeRzD4ZQUsK5V5u
O4N3jKS36Q==
-----END CERTIFICATE REQUEST-----
# cat kamino-foo.crt
-----BEGIN CERTIFICATE-----
MIID+DCCAuACCQDs4UelTd8M0TANBgkqhkiG9w0BAQsFADCBvTEfMB0GA1UECgwW
VW5pdmVyc2l0YWV0IFR1ZWJpbmdlbjESMBAGA1UEBwwJVHVlYmluZ2VuMRswGQYD
VQQIDBJCYWRlbi1XdWVydHRlbWJlcmcxCzAJBgNVBAYTAkRFMSswKQYDVQQDDCJr
YW1pbm8uaW5mb3JtYXRpay51bmktdHVlYmluZ2VuLmRlMS8wLQYJKoZIhvcNAQkB
FiBwYW9sby5naWFycnVzc29AdW5pLXR1ZWJpbmdlbi5kZTAeFw0xNTA1MTEyMDI2
MTJaFw0xNjA1MTAyMDI2MTJaMIG9MR8wHQYDVQQKDBZVbml2ZXJzaXRhZXQgVHVl
YmluZ2VuMRIwEAYDVQQHDAlUdWViaW5nZW4xGzAZBgNVBAgMEkJhZGVuLVd1ZXJ0
dGVtYmVyZzELMAkGA1UEBhMCREUxKzApBgNVBAMMImthbWluby5pbmZvcm1hdGlr
LnVuaS10dWViaW5nZW4uZGUxLzAtBgkqhkiG9w0BCQEWIHBhb2xvLmdpYXJydXNz
b0B1bmktdHVlYmluZ2VuLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEA+0GsTlUGLolB1IxpL365+PRTGnTzKyt9rBvKHkQAG4wvYYuj18RF182UdvVa
UPU1gKcTVpqrNBiVhfqS3569Il1+znU4RTylY4FSF1QNUmwdt7xNpSjk7vRZiaE8
/AwDT+JahI+BnVaTYyPPqOkLX3aC17OD/JfjQP9FHlT0vR2dKkfEgyiBX+SJWtsO
vLfLuR6/SNIVsHeMGBu6k9OCSnlfbky6NquxLRiRAweJ0mPB/UtjEYE6UM1TtQtp
e1JtNOtt00UVsrrYL7HjAPfEsxW2xJaKH1IEbBucJNYesLjRTnBOi0/9MDmtz2kH
j3LuD0tSCm5osQ9++SG3AFF6cwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCLEUiK
+DwZTaGnrN+CF4vpfFiW89g9v/GwtFWiaKfv7dBdNpOz9MwQiNoewadyLW9JW+pz
5fqDYpFppW9aIPHHkpsatKDoyGJM9rK/qBL2beXT9SeitLZFLDvI0dY57G1z3AWw
ZHvb1ic3bic9FVqCPOQwTZm/qCBKuyhSg2cyKdNi5DpUwEu4K3nbZy7zvwhflc4g
V0L+J4Wv6FJzwnluuBaTWv7oRiu4gVs63AuUnL45YrLHjeOcbXeeLEEDsW344igX
V1ArM2gJFdMZHCaU5mLd1LYa/6o5wFV5RAVwdIWEGwMeGhMypldUCXHR80AFv60l
F5LEX7BrToWVzWg9
-----END CERTIFICATE-----
Should you want to reproduce the same environment through Docker, see below for the configuration I used — but I'm not sure that's helpful, so feel free to ignore what's below.
Docker configuration and setup command-line. Warning: I'm a Docker beginner, so I'm not sure this will work just so — the first line refers to the `jenkins` image provided here, though it should pull the right one from the remote repository.
# cat Dockerfile
FROM jenkins
COPY kamino-foo.crt /var/lib/jenkins/kamino.informatik.uni-tuebingen.de.crt
COPY kamino-foo.key /var/lib/jenkins/kamino.informatik.uni-tuebingen.de.key
USER root
RUN chown jenkins /var/lib/jenkins/kamino.informatik.uni-tuebingen.de.*
USER jenkins
ENV JENKINS_OPTS --httpPort=-1 --httpsPort=8443 --httpsCertificate=/var/lib/jenkins/kamino.informatik.uni-tuebingen.de.crt --httpsPrivateKey=/var/lib/jenkins/kamino.informatik.uni-tuebingen.de.key
EXPOSE 8443
# docker build -t jenkins-ssl-bad-2 .
Information about relevant Docker images:
# docker images
jenkins            latest   235c3abb5af0   2 weeks ago     662 MB
jenkins-ssl-bad-2  latest   cee95cb7e808   7 minutes ago   662.1 MB
I have the same issue on jenkins-1.617 and win 2k8
C:\users\Administrator> net start jenkins
The Jenkins service is starting.
The Jenkins service could not be started.
A system error has occurred.
System error 1067 has occurred.
The process terminated unexpectedly.
jenkins.err.log contains the following lines
Jun 18, 2015 7:34:37 PM winstone.Logger logInternal
INFO: Beginning extraction from war file
Jun 18, 2015 7:34:37 PM winstone.Logger logInternal
INFO: Winstone shutdown successfully
Jun 18, 2015 7:34:37 PM winstone.Logger logInternal
SEVERE: Container startup failed
java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
at winstone.Launcher.spawnListener(Launcher.java:209)
at winstone.Launcher.<init>(Launcher.java:149)
at winstone.Launcher.main(Launcher.java:354)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at Main._main(Main.java:293)
at Main.main(Main.java:98)
Caused by: java.io.IOException: DerValue.getBigInteger, not an int 48
at sun.security.util.DerValue.getBigInteger(Unknown Source)
at winstone.HttpsConnectorFactory.readPEMRSAPrivateKey(HttpsConnectorFactory.java:173)
at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:89)
at winstone.Launcher.spawnListener(Launcher.java:207)
... 8 more
P.S.
With GoDaddy certificate it works fine in the same environment.
I couldn't figure out how to fix it. I had to switch to using a tomcat container to run jenkins.
alex_hha: I managed to fix it by switching to a keytool certificate store (see the SuperUser link), though that's a pain, but I wish I'd switched to an nginx proxy, especially if you want to SSL more services; it's more convenient to do it all in nginx rather than once for each service. (An Apache proxy would also work, it'd just be more resource hungry.)
Googling "nginx ssl proxy" leads me to an HOWTO for Jenkins somehow, https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins.
Could anyone point me to where I can get all available values for the httpsKeyManagerType option? For example, can I use PKCS12 (in Tomcat/JIRA I could) or JKS only? And how can I specify the cipher suite to disable RC4? With default settings I got the following results on SSL Labs:
Thanks in advance
Using http://stackoverflow.com/questions/17733536/how-do-i-convert-a-private-key-to-an-rsa-private-key seems to have done the trick. Namely:
Newer versions of OpenSSL say BEGIN PRIVATE KEY because they contain the private key + an OID that identifies the key type. To get the old style key you can do this:
openssl rsa -in server.key -out server_new.key
The post is dated Jul 18 '13. So which version of openssl are they talking about?
I'm using
# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
Is it new enough?
I'd bet yes; otherwise you probably wouldn't have this issue.
But to verify, according to that StackOverflow post, if the key starts with
-----BEGIN PRIVATE KEY-----
it's from the "new" format, while if starts with
-----BEGIN RSA PRIVATE KEY-----
it's from the old format (though the post has the wrong capitalization). I verified that my key used indeed the new format, and is indeed from a "new" openssl:
# openssl version OpenSSL 1.0.1f 6 Jan 2014
(Warning: For the old format, I'd guess you could also find DSA there instead of RSA, depending on the key algorithm).
I found a more complete description of the situation in this post: http://stackoverflow.com/q/20065304/53974. The "new" format is PKCS #8, the "old" format is PKCS #1. In the old format, the key algorithm (RSA or DSA) is described in the header; in the new format, this info is not in the header but in an extra field in the base64 content. While parsing the content, Jenkins produced the exception we see because of this extra field. That post links to further details.
Issue Summary/Possible Diagnosis
To sum up the issue (as we understand), Jenkins only accepts the PKCS #1 format, and OpenSSL used to produce that by default, but now produces PKCS#8, and Jenkins cannot handle the latter format. There is a workaround which fits this hypothesis, that worked (up to now) for the only user who tested it. More experiments are needed to confirm the explanation.
Acks
Kudos to afinkenstadt for finding the essential bit of info, and the workaround (I haven't tried to verify it). I've just put together a summary. Caveat: I'm no PKCS format expert.
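Added example (my own code, not Jenkins or Winstone code) that makes the two formats in the summary above concrete. PKCS#1 RSAPrivateKey (RFC 8017) is SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }; PKCS#8 PrivateKeyInfo (RFC 5208) is SEQUENCE { version, AlgorithmIdentifier, OCTET STRING }, and the PKCS#1 structure sits inside that OCTET STRING. A reader that assumes PKCS#1 consumes version 0 and then expects the INTEGER n, but in PKCS#8 the next element is the AlgorithmIdentifier SEQUENCE, whose DER tag is 0x30 = 48, which is exactly the "not an int 48" in the stack traces on this page. That this is what Winstone's readPEMRSAPrivateKey does is inferred from the trace, not read from its source. The RSA numbers (p=61, q=53) are constructed toy values so the example runs offline; the DER encoder and decoder are minimal and cover only what these two structures need.

```python
"""Tell PKCS#1 RSAPrivateKey from PKCS#8 PrivateKeyInfo and convert PKCS#8 to PKCS#1.

Added example for this issue, not Jenkins/Winstone code. Toy RSA values only.
"""
import base64
import re

TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)

# ---- minimal DER encoder, enough to build the two containers ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_int(v):
    # one spare byte whenever the top bit would be set, so the INTEGER stays positive
    return tlv(TAG_INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def pkcs1_rsa_private_key(n, e, d, p, q):
    """RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv } (RFC 8017)."""
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return tlv(TAG_SEQUENCE, b"".join(der_int(x) for x in fields))

def pkcs8_wrap(pkcs1_der):
    """PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, OCTET STRING } (RFC 5208)."""
    alg = tlv(TAG_SEQUENCE, tlv(TAG_OID, RSA_OID) + tlv(TAG_NULL, b""))
    return tlv(TAG_SEQUENCE, der_int(0) + alg + tlv(TAG_OCTET_STRING, pkcs1_der))

# ---- minimal DER decoder ----
def read_tlv(buf, pos):
    """Return (tag, value_bytes, position_after) for the element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def read_int(buf, pos):
    tag, value, pos = read_tlv(buf, pos)
    if tag != TAG_INTEGER:
        # same wording as the JDK's DerValue.getBigInteger, so the failure is recognisable
        raise IOError("DerValue.getBigInteger, not an int %d" % tag)
    return int.from_bytes(value, "big"), pos

def parse_pkcs1_only(der):
    """A reader that assumes PKCS#1: SEQUENCE of nine INTEGERs. Fed PKCS#8 it reads
    version 0, then meets the AlgorithmIdentifier SEQUENCE (tag 0x30 = 48) where it
    expects n, and fails with "not an int 48"."""
    tag, body, _ = read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise IOError("expected SEQUENCE, got tag %d" % tag)
    values, pos = [], 0
    for _ in range(9):
        v, pos = read_int(body, pos)
        values.append(v)
    return dict(zip("version n e d p q dP dQ qInv".split(), values))

def unwrap_to_pkcs1(der):
    """Return PKCS#1 DER whether the input is PKCS#1 or PKCS#8. Decides on the DER
    structure, not on the PEM label, which is only a hint."""
    tag, body, _ = read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise IOError("expected SEQUENCE, got tag %d" % tag)
    _, pos = read_int(body, 0)                        # version: INTEGER 0 in both formats
    if read_tlv(body, pos)[0] != TAG_SEQUENCE:
        return der                                    # next element is n: already PKCS#1
    _, alg, pos = read_tlv(body, pos)                 # PKCS#8: AlgorithmIdentifier
    if read_tlv(alg, 0)[1] != RSA_OID:
        raise ValueError("not an rsaEncryption key; no RSAPrivateKey to extract")
    tag, inner, _ = read_tlv(body, pos)               # OCTET STRING holding RSAPrivateKey
    if tag != TAG_OCTET_STRING:
        raise IOError("expected OCTET STRING, got tag %d" % tag)
    return inner

def parse_rsa_private_key(der):
    return parse_pkcs1_only(unwrap_to_pkcs1(der))

def pkcs1_only_error(der):
    """Message the PKCS#1-only reader produces for this blob, or None if it parses."""
    try:
        parse_pkcs1_only(der)
        return None
    except IOError as exc:
        return str(exc)

# ---- PEM ----
def pem_to_der(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def der_to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)

def to_pkcs1_pem(pem):
    """Pure-Python counterpart of `openssl rsa -in key.pem -out key_new.pem` (unencrypted key)."""
    return der_to_pem("RSA PRIVATE KEY", unwrap_to_pkcs1(pem_to_der(pem)[1]))

# constructed toy key: n = 61 * 53, e = 17, d = 2753; never use outside a demo
TOY = dict(n=3233, e=17, d=2753, p=61, q=53)
PKCS1_DER = pkcs1_rsa_private_key(**TOY)
PKCS8_DER = pkcs8_wrap(PKCS1_DER)
PKCS1_PEM = der_to_pem("RSA PRIVATE KEY", PKCS1_DER)  # the "old" header
PKCS8_PEM = der_to_pem("PRIVATE KEY", PKCS8_DER)      # the "new" header

if __name__ == "__main__":
    print(pkcs1_only_error(PKCS8_DER))       # DerValue.getBigInteger, not an int 48
    print(parse_rsa_private_key(PKCS8_DER))  # same nine integers as the PKCS#1 key
    print(to_pkcs1_pem(PKCS8_PEM) == PKCS1_PEM)
```

unwrap_to_pkcs1 refuses a PKCS#8 blob whose AlgorithmIdentifier is not rsaEncryption, since an EC or DSA key has no RSAPrivateKey to extract, and it ignores the PEM label on purpose: the label is what people look at, but the DER structure is what the reader in the stack trace actually chokes on.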
afinkenstadt in ~/projects ⚡ openssl version
OpenSSL 0.9.8zd 8 Jan 2015
# head -2 jenkins.example.net.key
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC5WDBnZaE4HtmG
So as you can see I have the new key format, and at the same time I can't use a self-signed certificate in Jenkins. It works only if I convert the certificate and key to PKCS12 and then import them into a JKS store. Something like the following:
# cat rootca.pem jenkins.example.net.crt > chain.pem
# openssl pkcs12 -export -in chain.pem -inkey jenkins.example.net.key > jenkins.example.net.p12
# keytool -importkeystore -srckeystore jenkins.example.net.p12 -destkeystore jenkins.example.net.jks -srcstoretype pkcs12
So as you can see I have the new key format and at the same time I can't use self signed certificate in jenkins.
You sound surprised, but that's what we figured. The key format is too new — Jenkins only understands the old one (or JKS).
I don't think so. Because I have 2 certificates (X509 format), one of them from StartSSL and another one from GoDaddy, and they both work with Jenkins. And I have used the same openssl version and commands to generate the CSR/private key. Something like the following:
# openssl req -nodes -sha256 -newkey rsa:4096 -keyout jenkins.example.net.key -out jenkins.example.net.csr
and the following ones for the self-signed certificate:
# openssl req -new -x509 -extensions v3_ca -keyout private/rootca.key -out rootca.crt -days 3650 -config ./openssl.conf
# openssl req -new -nodes -out jenkins.example.net.csr -keyout jenkins.example.net.key -config ./openssl.conf
# openssl ca -out jenkins.example.net.crt -config ./openssl.conf -infiles jenkins.example.net.csr
If the working certificate also use the "new format" (BEGIN PRIVATE KEY), then the current hypothesis seems insufficient. However, could you still see what happens if you convert the key to the "old format" and use the result, as suggested by andrew finkenstadt's post?
openssl rsa -in jenkins.example.net.key -out jenkins_new.example.net.key
However, (I guess) Jenkins shouldn't contain its own code to parse keys anyway, it should at best just integrate some third-party library for it (hoping there's a library you can use without too much expertise).
For now, fixing docs seems more urgent.
It works with the old key format! I have converted the key on a CentOS 5 box with the following openssl version
# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
But as before it has a very low result on SSL Labs. So the question: is it possible to enable Forward Secrecy, disable RC4 and enable support for strong Diffie-Hellman (DH) key exchange (1024+)? Or is the only way to use some sort of reverse proxy such as nginx/haproxy/apache?
alex_hha Good question, but that belongs to a separate bug.
Googling leads to https://issues.jenkins-ci.org/browse/JENKINS-23925, but even after the "workaround" there (switching away from Java 6) RC4 looks enabled. Jenkins's default servlet container doesn't seem to document extensive SSL configuration support (see http://winstone.sourceforge.net/#https).
After some googling, I'd guess that either changing servlet container (to some with good HTTPS support) or reverse proxying seems a better idea, at least because it's done often and well documented — I couldn't even find how to disable RC4 with Jenkins, while I've run into how to configure nginx without looking for it.
(Again, I'm just another user bitten from the issue).
I think it would be great if someone from the developers would say something.
P.S.
My jenkins ships with JAVA_VERSION="1.8.0_20".
even after the "workaround" there (switching away from Java 6) RC4 looks enabled.
If the problem is not just outdated Java (remember that Java 7 is already old as well; it should be the newest version of that), please reopen. It shouldn't be too difficult to implement.
So it looks like for Java you can just configure that rather than your application.
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#DisabledAlgorithms
Here's a guide for a different application: http://www.papercut.com/kb/Main/SSLCipherConfiguration
Do these help?
OMG, the "bloody" java
I will try it and will let you know
P.S.
In Tomcat, for example, it's configured in a very simple way:
<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           scheme="https" secure="true" clientAuth="false" useBodyEncodingForURI="true"
           SSLEnabled="true" SSLHonorCipherOrder="true" SSLDisableCompression="true"
           SSLCertificateFile="/etc/pki/jira/jira.example.net.crt"
           SSLCertificateKeyFile="/etc/pki/jira/jira.example.net.key"
           SSLCACertificateFile="/etc/pki/jira/ca.pem"
           SSLCertificateChainFile="/etc/pki/jira/sub.class1.server.ca.pem"
           SSLCipherSuite="kEECDH+AES128:kEECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2"
           SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" />
I'm using the official Jenkins docker container to run my Jenkins master. I just tried adding the key and certificate and I'm getting what appears to be the same error.
Would using openssl to convert the key or cert to a different format help?
SEVERE: Container startup failed
java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
at winstone.Launcher.spawnListener(Launcher.java:209)
at winstone.Launcher.<init>(Launcher.java:149)
at winstone.Launcher.main(Launcher.java:354)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at Main._main(Main.java:293)
at Main.main(Main.java:98)
Caused by: java.io.IOException: DerValue.getBigInteger, not an int 48
at sun.security.util.DerValue.getBigInteger(DerValue.java:511)
at winstone.HttpsConnectorFactory.readPEMRSAPrivateKey(HttpsConnectorFactory.java:173)
at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:89)
at winstone.Launcher.spawnListener(Launcher.java:207)
... 8 more
Solved with the Jenkins docker container by converting everything to a keystore.
First, added a password to my key:
openssl rsa -des3 -in key.pem -out key.encrypted.pem
then converted it to PKCS12:
openssl pkcs12 -inkey key.encrypted.pem -in cert.pem -export -out keys.encrypted.pkcs12
then created a keystore (the password for the keystore should be the same as the password for the key):
keytool -importkeystore -srckeystore keys.encrypted.pkcs12 -srcstoretype pkcs12 -destkeystore keystore
then updated the Dockerfile to include the keystore and a reference to it in JENKINS_OPTS:
FROM jenkins
USER root
RUN apt-get update && apt-get install -y jq
USER jenkins
COPY keystore /var/lib/jenkins/keystore
ENV JENKINS_OPTS --httpPort=8080 --httpsPort=8443 --httpsKeyStore=/var/lib/jenkins/keystore --httpsKeyStorePassword=whateverpasswordyouspecified
EXPOSE 8443
The problem is that Jenkins expects an RSA key, not a private key.
Convert /var/lib/jenkins/cert/cci-jenkins.key into a plain RSA key:
cp /var/lib/jenkins/cert/cci-jenkins.key /var/lib/jenkins/cert/cci-jenkins.key.full
openssl rsa -in /var/lib/jenkins/cert/cci-jenkins.key.full -out /var/lib/jenkins/cert/cci-jenkins.key
http://stackoverflow.com/questions/17733536/how-to-convert-a-private-key-to-an-rsa-private-key
Have you tried the resolution on http://serverfault.com/questions/569866/jenkins-wont-serve-with-ca-signed-certificate ?