Windows Agent can't connect to Master through JNLP

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Blocker
    • core, remoting
    • Jenkins Core 2.32.2.7 running on RHEL 6.8 with JDK 8u121
      Windows Slaves Plugin 1.3.1
      Windows Server 2012 with latest patches and JDK 8u121
      Apache Reverse Proxy with "nocanon" option set

      When executing 

      java -Xmx1g -jar slave.jar -jnlpUrl http://dfvvt01seuops.somebank.somenet/jenkins-iteb/computer/DFVIASTWHUDSON2/slave-agent.jnlp

      I get

      Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main createEngine
      INFORMATION: Setting up slave: DFVIASTWHUDSON2
      Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener <init>
      INFORMATION: Jenkins agent is running in headless mode.
      Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
      INFORMATION: Locating server among http://dfvvt01seuops.somebank.somenet/jenkins-iteb/
      Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
      INFORMATION: Agent discovery successful
        Agent address: dfvvt01seuops.somebank.somenet
        Agent port: 50000
        Identity: 13:74:a6:18:f1:96:9c:cb:69:57:26:b1:a2:17:f2:c9
      Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
      INFORMATION: Handshaking
      Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
      INFORMATION: Connecting to dfvvt01seuops.somebank.somenet:50000
      Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
      INFORMATION: Trying protocol: JNLP4-connect
      Mõr 30, 2017 9:29:36 AM org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer onRecv
      SCHWERWIEGEND: [JNLP4-connect connection to dfvvt01seuops.somebank.somenet/10.241.209.26:50000]
      javax.net.ssl.SSLHandshakeException: General SSLEngine problem
          at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
          at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
          at sun.security.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
          at sun.security.ssl.SSLEngineImpl.wrap(Unknown Source)
          at javax.net.ssl.SSLEngine.wrap(Unknown Source)
          at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:392)
          at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.onRecv(SSLEngineFilterLayer.java:117)
          at org.jenkinsci.remoting.protocol.ProtocolStack$Ptr.onRecv(ProtocolStack.java:669)
          at org.jenkinsci.remoting.protocol.NetworkLayer.onRead(NetworkLayer.java:136)
          at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer.access$2200(BIONetworkLayer.java:48)
          at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer$Reader.run(BIONetworkLayer.java:283)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
          at hudson.remoting.Engine$1$1.run(Engine.java:94)
          at java.lang.Thread.run(Unknown Source)
      Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
          at sun.security.ssl.Alerts.getSSLException(Unknown Source)
          at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
          at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
          at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
          at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
          at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
          at sun.security.ssl.Handshaker.processLoop(Unknown Source)
          at sun.security.ssl.Handshaker$1.run(Unknown Source)
          at sun.security.ssl.Handshaker$1.run(Unknown Source)
          at java.security.AccessController.doPrivileged(Native Method)
          at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
          at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:382)
          ... 9 more
      Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=74df086770b5c378864b03273a8576ae) is not in the list of trusted keys
          at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkPublicKey(PublicKeyMatchingX509ExtendedTrustManager.java:216)
          at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkServerTrusted(PublicKeyMatchingX509ExtendedTrustManager.java:263)
          at org.jenkinsci.remoting.protocol.cert.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:148)
          ... 17 more
      Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
      INFORMATION: Protocol JNLP4-connect encountered an unexpected exception
      java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
          at org.jenkinsci.remoting.util.SettableFuture.get(SettableFuture.java:223)
          at hudson.remoting.Engine.innerRun(Engine.java:385)
          at hudson.remoting.Engine.run(Engine.java:287)
      Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
          at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
          at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
          at sun.security.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
          at sun.security.ssl.SSLEngineImpl.wrap(Unknown Source)
          at javax.net.ssl.SSLEngine.wrap(Unknown Source)
          at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:392)
          at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.onRecv(SSLEngineFilterLayer.java:117)
          at org.jenkinsci.remoting.protocol.ProtocolStack$Ptr.onRecv(ProtocolStack.java:669)
          at org.jenkinsci.remoting.protocol.NetworkLayer.onRead(NetworkLayer.java:136)
          at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer.access$2200(BIONetworkLayer.java:48)
          at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer$Reader.run(BIONetworkLayer.java:283)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
          at hudson.remoting.Engine$1$1.run(Engine.java:94)
          at java.lang.Thread.run(Unknown Source)
      Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
          at sun.security.ssl.Alerts.getSSLException(Unknown Source)
          at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
          at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
          at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
          at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
          at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
          at sun.security.ssl.Handshaker.processLoop(Unknown Source)
          at sun.security.ssl.Handshaker$1.run(Unknown Source)
          at sun.security.ssl.Handshaker$1.run(Unknown Source)
          at java.security.AccessController.doPrivileged(Native Method)
          at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
          at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:382)
          ... 9 more
      Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=74df086770b5c378864b03273a8576ae) is not in the list of trusted keys
          at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkPublicKey(PublicKeyMatchingX509ExtendedTrustManager.java:216)
          at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkServerTrusted(PublicKeyMatchingX509ExtendedTrustManager.java:263)
          at org.jenkinsci.remoting.protocol.cert.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:148)
          ... 17 more
      Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
      INFORMATION: Connecting to dfvvt01seuops.somebank.somenet:50000
      Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
      INFORMATION: Server reports protocol JNLP4-plaintext not supported, skipping
      Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
      INFORMATION: Trying protocol: JNLP3-connect
      Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
      INFORMATION: Protocol JNLP3-connect encountered an unexpected exception
      java.util.concurrent.ExecutionException: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: JNLP3-connect: Incorrect challenge response from master
          at java.util.concurrent.FutureTask.report(Unknown Source)
          at java.util.concurrent.FutureTask.get(Unknown Source)
          at hudson.remoting.Engine.innerRun(Engine.java:385)
          at hudson.remoting.Engine.run(Engine.java:287)
      Caused by: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: JNLP3-connect: Incorrect challenge response from master
          at org.jenkinsci.remoting.engine.JnlpProtocol3Handler.sendHandshake(JnlpProtocol3Handler.java:213)
          at org.jenkinsci.remoting.engine.JnlpProtocol3Handler.sendHandshake(JnlpProtocol3Handler.java:123)
          at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:162)
          at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:158)
          at java.util.concurrent.FutureTask.run(Unknown Source)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
          at hudson.remoting.Engine$1$1.run(Engine.java:94)
          at java.lang.Thread.run(Unknown Source)
      Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
      INFORMATION: Connecting to dfvvt01seuops.somebank.somenet:50000
      Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
      INFORMATION: Trying protocol: JNLP2-connect
      Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
      INFORMATION: Protocol JNLP2-connect encountered an unexpected exception
      java.util.concurrent.ExecutionException: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: Server didn't accept the handshake:
          at java.util.concurrent.FutureTask.report(Unknown Source)
          at java.util.concurrent.FutureTask.get(Unknown Source)
          at hudson.remoting.Engine.innerRun(Engine.java:385)
          at hudson.remoting.Engine.run(Engine.java:287)
      Caused by: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: Server didn't accept the handshake:
          at org.jenkinsci.remoting.engine.JnlpProtocol2Handler.sendHandshake(JnlpProtocol2Handler.java:134)
          at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:162)
          at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:158)
          at java.util.concurrent.FutureTask.run(Unknown Source)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
          at hudson.remoting.Engine$1$1.run(Engine.java:94)
          at java.lang.Thread.run(Unknown Source)
      Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
      INFORMATION: Connecting to dfvvt01seuops.somebank.somenet:50000
      Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
      INFORMATION: Trying protocol: JNLP-connect
      Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
      INFORMATION: Protocol JNLP-connect encountered an unexpected exception
      java.util.concurrent.ExecutionException: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: Server didn't accept the handshake:
          at java.util.concurrent.FutureTask.report(Unknown Source)
          at java.util.concurrent.FutureTask.get(Unknown Source)
          at hudson.remoting.Engine.innerRun(Engine.java:385)
          at hudson.remoting.Engine.run(Engine.java:287)
      Caused by: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: Server didn't accept the handshake:
          at org.jenkinsci.remoting.engine.JnlpProtocol1Handler.sendHandshake(JnlpProtocol1Handler.java:121)
          at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:162)
          at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:158)
          at java.util.concurrent.FutureTask.run(Unknown Source)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
          at hudson.remoting.Engine$1$1.run(Engine.java:94)
          at java.lang.Thread.run(Unknown Source)
      Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener error
      SCHWERWIEGEND: The server rejected the connection: None of the protocols were accepted
      java.lang.Exception: The server rejected the connection: None of the protocols were accepted
          at hudson.remoting.Engine.onConnectionRejected(Engine.java:484)
          at hudson.remoting.Engine.innerRun(Engine.java:448)
          at hudson.remoting.Engine.run(Engine.java:287)

      I don't care for the JNLP3 and JNLP4 issues right now (because I don't need encryption at the moment), but I would expect at least JNLP2 to work. Looks like JENKINS-39232 is not fixed after all.

      Related: JENKINS-39232, JENKINS-40668
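
A small triage script for agent logs like the one in this report, added here as an example (it is not part of the original report or of Jenkins remoting). It reduces the log to one verdict per protocol attempt, using the deepest `Caused by:` line as the root cause; the function names and verdict labels are this example's own, and the sample is a constructed, shortened copy of the log above.

```python
import re

# Constructed sample: shortened copy of the agent log quoted in the report
# (timestamps and stack frames dropped, messages kept verbatim).
SAMPLE_LOG = """\
INFORMATION: Locating server among http://dfvvt01seuops.somebank.somenet/jenkins-iteb/
INFORMATION: Agent discovery successful
  Agent address: dfvvt01seuops.somebank.somenet
  Agent port: 50000
  Identity: 13:74:a6:18:f1:96:9c:cb:69:57:26:b1:a2:17:f2:c9
INFORMATION: Trying protocol: JNLP4-connect
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=74df086770b5c378864b03273a8576ae) is not in the list of trusted keys
INFORMATION: Protocol JNLP4-connect encountered an unexpected exception
INFORMATION: Server reports protocol JNLP4-plaintext not supported, skipping
INFORMATION: Trying protocol: JNLP3-connect
INFORMATION: Protocol JNLP3-connect encountered an unexpected exception
Caused by: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: JNLP3-connect: Incorrect challenge response from master
INFORMATION: Trying protocol: JNLP2-connect
Caused by: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: Server didn't accept the handshake:
INFORMATION: Trying protocol: JNLP-connect
Caused by: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: Server didn't accept the handshake:
SCHWERWIEGEND: The server rejected the connection: None of the protocols were accepted
"""

TRYING = re.compile(r"Trying protocol: (\S+)")
SKIPPED = re.compile(r"Server reports protocol (\S+) not supported, skipping")
CAUSED = re.compile(r"^Caused by: (.+)$")
DISCOVERY = re.compile(r"^(Agent address|Agent port|Identity): (\S+)")
SUBJECT_CN = re.compile(r"\(subject: [^)]*CN=([0-9a-fA-F]+)\)")


def classify(cause):
    """Map a root-cause message to a (verdict, detail) pair (labels are this example's own)."""
    if cause is None:
        return ("no-error-recorded", None)
    if "is not in the list of trusted keys" in cause:
        # The key in the certificate presented on the TCP port is not one the
        # agent trusts; detail is the CN of that certificate.
        m = SUBJECT_CN.search(cause)
        return ("pinned-key-mismatch", m.group(1) if m else None)
    if "Incorrect challenge response" in cause:
        return ("challenge-response-failed", None)
    if "Server didn't accept the handshake" in cause:
        return ("handshake-refused", None)
    return ("other", cause)


def triage(log_text):
    """Summarise discovery data and the outcome of every protocol attempt."""
    discovery, attempts, rejected = {}, [], False
    current = None  # attempt that later "Caused by:" lines belong to
    for raw in log_text.splitlines():
        # Tolerate the {{ ... }} wiki markup that wraps lines in pasted logs.
        line = raw.strip().strip("{}").strip()
        if (m := DISCOVERY.match(line)):
            discovery[m.group(1)] = m.group(2)
        elif (m := SKIPPED.search(line)):
            attempts.append({"protocol": m.group(1),
                             "verdict": "not-offered-by-server", "detail": None})
            current = None
        elif (m := TRYING.search(line)):
            current = {"protocol": m.group(1), "cause": None}
            attempts.append(current)
        elif (m := CAUSED.match(line)) and current is not None:
            current["cause"] = m.group(1)  # the last one seen is the deepest cause
        elif "None of the protocols were accepted" in line:
            rejected = True
    for attempt in attempts:
        if "verdict" not in attempt:
            attempt["verdict"], attempt["detail"] = classify(attempt.pop("cause"))
    return {"discovery": discovery, "attempts": attempts, "rejected": rejected}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("discovery:", result["discovery"])
    for a in result["attempts"]:
        print(f'{a["protocol"]:<16} {a["verdict"]:<26} {a["detail"] or ""}')
    print("connection rejected:", result["rejected"])
```

The `not-offered-by-server` verdict also covers logs in which every protocol except JNLP4 is reported as not supported, as in the later comment on this issue.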

          [JENKINS-43210] Windows Agent can't connect to Master through JNLP

          Oleg Nenashev added a comment -

          Does the issue still happen with disabled JNLP3?

          Oleg Nenashev added a comment -

          bcygan ping


          Oleg Nenashev added a comment -

          No response from the requester. I assume it was a JNLP3 issue, hence closing with "Won't fix". The protocol is deprecated.

          bcygan added a comment -

          I could track this down to happening with JDK Mixed Mode on the Windows Client side. When I used pure 64 bit mode, the problem went away. Couldn't narrow it down because of changing environments.


          Allan BURDAJEWICZ added a comment -

          Also if you are running Jenkins behind a proxy, ensure you have the system property `-Dhudson.TcpSlaveAgentListener.hostName=<MASTER_HOSTNAME_OR_IP>` set up on the Jenkins master. See https://wiki.jenkins.io/display/JENKINS/Features+controlled+by+system+properties

          Matthias Baldi added a comment -

          We currently also have this issue with different versions of Jenkins 107.x, 121.x, 138.x with the JNLP v4 - all other protocols are disabled.
          As soon as this problem occurs, it does not matter whether we down- or upgrade the Jenkins instance; it will occur every time.
          When we just enabled the JNLP v3, the slave did not connect to the master and the container died after some seconds because of `no supported JNLP protocol`.
          We also tried your property, allan_burdajewicz, but this did not change the behavior.

          This issue only occurs with Jenkins instances we have created since this summer, so there must be a change between May and July - maybe in the 107.x versions.

          We know that when we deploy an older Jenkins version (like <=89x) it will work, but we do not know where we get this Jenkins.io cert from.
          Because the CN is not correct and we already set the Jenkins.io cert in the truststore, so it should be allowed and trusted.
          I think Jenkins generates this cert itself -> Can you, oleg_nenashev, answer the question of where this cert is generated and why?
          Is this a problem from updating to a specific version of a plugin? Or is it a "problem" of Jenkins itself?

          For me, this issue is not solved.

          Below we add our configuration/logs:

           

          INFO: Trying protocol: JNLP4-connect
          Sep 19, 2018 11:25:02 AM org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer onRecv
          SEVERE: [JNLP4-connect connection to vjkm01.pnet.ch/172.18.15.26:33529] 
          javax.net.ssl.SSLHandshakeException: General SSLEngine problem
                      at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
                      at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
                      at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
                      at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
                      at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
                      at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:392)
                      at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.onRecv(SSLEngineFilterLayer.java:117)
                      at org.jenkinsci.remoting.protocol.ProtocolStack$Ptr.onRecv(ProtocolStack.java:669)
                      at org.jenkinsci.remoting.protocol.impl.AckFilterLayer.onRecv(AckFilterLayer.java:255)
                      at org.jenkinsci.remoting.protocol.ProtocolStack$Ptr.onRecv(ProtocolStack.java:669)
                      at org.jenkinsci.remoting.protocol.NetworkLayer.onRead(NetworkLayer.java:136)
                      at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer.access$2200(BIONetworkLayer.java:48)
                      at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer$Reader.run(BIONetworkLayer.java:283)
                      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
                      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
                      at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:93)
                      at java.lang.Thread.run(Thread.java:748)
          Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
                      at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
                      at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
                      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
                      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
                      at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
                      at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
                      at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
                      at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
                      at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
                      at java.security.AccessController.doPrivileged(Native Method)
                      at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
                      at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:382)
                      ... 11 more
          Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=9dd32b243d0da3c30cff1c129ec3be8c) is not in the list of trusted keys
                      at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkPublicKey(PublicKeyMatchingX509ExtendedTrustManager.java:217)
                      at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkServerTrusted(PublicKeyMatchingX509ExtendedTrustManager.java:263)
                      at org.jenkinsci.remoting.protocol.cert.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:148)
                      at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
                      ... 18 more
          Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status
          INFO: Protocol JNLP4-connect encountered an unexpected exception
          java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
                      at org.jenkinsci.remoting.util.SettableFuture.get(SettableFuture.java:223)
                      at hudson.remoting.Engine.innerRun(Engine.java:614)
                      at hudson.remoting.Engine.run(Engine.java:474)
          Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
                      at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
                      at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
                      at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
                      at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
                      at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
                      at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:392)
                      at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.onRecv(SSLEngineFilterLayer.java:117)
                      at org.jenkinsci.remoting.protocol.ProtocolStack$Ptr.onRecv(ProtocolStack.java:669)
                      at org.jenkinsci.remoting.protocol.impl.AckFilterLayer.onRecv(AckFilterLayer.java:255)
                      at org.jenkinsci.remoting.protocol.ProtocolStack$Ptr.onRecv(ProtocolStack.java:669)
                      at org.jenkinsci.remoting.protocol.NetworkLayer.onRead(NetworkLayer.java:136)
                      at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer.access$2200(BIONetworkLayer.java:48)
                      at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer$Reader.run(BIONetworkLayer.java:283)
                      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
                      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
                      at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:93)
                      at java.lang.Thread.run(Thread.java:748)
          Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
                      at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
                      at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
                      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
                      at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
                      at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
                      at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
                      at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
                      at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
                      at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
                      at java.security.AccessController.doPrivileged(Native Method)
                      at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
                      at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:382)
                      ... 11 more
          Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=9dd32b243d0da3c30cff1c129ec3be8c) is not in the list of trusted keys
                      at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkPublicKey(PublicKeyMatchingX509ExtendedTrustManager.java:217)
                      at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkServerTrusted(PublicKeyMatchingX509ExtendedTrustManager.java:263)
                      at org.jenkinsci.remoting.protocol.cert.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:148)
                      at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
                      ... 18 more
          Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status
          INFO: Connecting to vjkm01.pnet.ch:33529
          Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status
          INFO: Server reports protocol JNLP4-plaintext not supported, skipping
          Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status
          INFO: Server reports protocol JNLP3-connect not supported, skipping
          Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status
          INFO: Server reports protocol JNLP2-connect not supported, skipping
          Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status
          INFO: Server reports protocol JNLP-connect not supported, skipping
          Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener error
          SEVERE: The server rejected the connection: None of the protocols were accepted
          java.lang.Exception: The server rejected the connection: None of the protocols were accepted
                      at hudson.remoting.Engine.onConnectionRejected(Engine.java:675)
                      at hudson.remoting.Engine.innerRun(Engine.java:639)
                      at hudson.remoting.Engine.run(Engine.java:474)
          
          

           

          docker-compose configuration for Jenkins (startup conf / Java opts):

           

              environment:
                - JAVA_OPTS="-Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP='' -Dhudson.model.DownloadService.noSignatureCheck=true"
                - JENKINS_OPTS="--requestHeaderSize=16384"
          

           

           

18 more Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status INFO: Connecting to vjkm01.pnet.ch:33529 Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status INFO: Server reports protocol JNLP4-plaintext not supported, skipping Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status INFO: Server reports protocol JNLP3-connect not supported, skipping Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status INFO: Server reports protocol JNLP2-connect not supported, skipping Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status INFO: Server reports protocol JNLP-connect not supported, skipping Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener error SEVERE: The server rejected the connection: None of the protocols were accepted java.lang.Exception: The server rejected the connection: None of the protocols were accepted at hudson.remoting.Engine.onConnectionRejected(Engine.java:675) at hudson.remoting.Engine.innerRun(Engine.java:639) at hudson.remoting.Engine.run(Engine.java:474)   docker-compose configuration for Jenkins (startup conf / Java opts):   environment: - JAVA_OPTS= "-Djava.awt.headless= true -Dhudson.model.DirectoryBrowserSupport.CSP='' -Dhudson.model.DownloadService.noSignatureCheck= true " - JENKINS_OPTS= "--requestHeaderSize=16384"    

          Peter Carenza added a comment -

          I am also having this issue with the current Jenkins release, but only from a docker container (exposed ports 8084:8080, 50000:50000).

          The standalone version from whence we derived the container works perfectly well. We are currently only using JNLP4.


          Stéphane Rzetelny added a comment -

          I have exactly the same issue using docker image jenkins:jenkins:2.154-slim version and using swarm client plugin 3.14 on a Windows slave in a VM.

          I have also tried the swarm-client command line option -disableSslVerification without success.

          See attachment: jenkins-43210-issue.txt

          Thomas Heidrich added a comment - - edited

          In reference to my code comment, why is the certificate of the JNLP4 protocol being generated during runtime and not changeable by configuration? How is the agent supposed to validate the certificate? Am I missing something? My agents always report the following during JNLP4 connection attempts:

          Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=deadbeefdeadbeefdeadbeef) is not in the list of trusted keys
          

          JNLP3 works fine though, but I want the newer secure stuff.

          Is the public key supposed to be transferred in the encrypted and authenticated transfer of slave-agent.jnlp?

          UPDATED: Interesting, debugging the agent revealed that the publicKey seems to be transferred, but in my case, this doesn't seem to work.

          INFORMATION: Agent discovery successful
            Agent address: jenkins.mycorp
            Agent port:    50000
            Identity:      null
          

          RESOLVED:
          My reverse proxy dropped the header X-Instance-Identity which is being used in the remoting lib to transfer the public key to the agents. The following Apache directive is a bad idea in case one wants to use agents.

          Header unset X-Instance-Identity
          

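A check for the failure resolved in the comment above, as an added example that is not part of the thread or of Jenkins' own code: it flags Apache `Header ... unset X-Instance-Identity` directives and compares the identity fingerprint seen directly with the one seen through the proxy. The config, key bytes and header sets are constructed, and the header encoding (base64 of the encoded public key, shown by the agent as a colon-separated MD5) is an assumption.

```python
from __future__ import annotations

import base64
import hashlib
import re

# Apache mod_headers directives that strip the header, e.g.
# "Header unset X-Instance-Identity" or "Header always unset ...".
# Anchored at line start, so commented-out directives do not match.
UNSET_RE = re.compile(
    r"^\s*Header\s+(?:(?:always|onsuccess)\s+)?unset\s+X-Instance-Identity\b",
    re.IGNORECASE,
)

def find_identity_unset(apache_conf: str) -> list[int]:
    """Return 1-based line numbers of directives that drop the header."""
    return [n for n, line in enumerate(apache_conf.splitlines(), start=1)
            if UNSET_RE.match(line)]

def identity_fingerprint(headers: dict[str, str]) -> str | None:
    """Fingerprint of the key in X-Instance-Identity, or None if absent.

    Assumption: the value is base64 of the encoded public key, and the
    agent's "Identity:" line is the colon-separated MD5 of those bytes.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("x-instance-identity")
    if not value:
        return None  # the state the agent logs as "Identity: null"
    key_bytes = base64.b64decode(value, validate=True)
    digest = hashlib.md5(key_bytes, usedforsecurity=False).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def proxy_preserves_identity(direct: dict[str, str],
                             proxied: dict[str, str]) -> bool:
    """True only if the proxied response carries the same key as the origin."""
    origin = identity_fingerprint(direct)
    return origin is not None and origin == identity_fingerprint(proxied)

# Constructed sample data (not a real Jenkins key or a real proxy config).
SAMPLE_KEY_B64 = base64.b64encode(b"constructed-public-key-bytes").decode()
SAMPLE_CONF = """\
ProxyPass /jenkins http://localhost:8080/jenkins nocanon
# Header unset X-Instance-Identity
Header always unset X-Instance-Identity
"""
DIRECT = {"X-Jenkins": "2.150.1", "X-Instance-Identity": SAMPLE_KEY_B64}
PROXIED = {"X-Jenkins": "2.150.1"}  # header stripped by the proxy
```

In practice the two header dictionaries would come from one request sent straight to the Jenkins port and one sent to the proxied URL the agents use.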

          Matthias Baldi added a comment - - edited

          gnuheidix thank you for the information.
          We checked our Apache config too, but it seems that our proxy does not reject these headers, so it has to be another problem.
          But a workaround for us currently is to first deploy an old Jenkins version, and then we can update it without any problems to the newest one.

          I briefly tried it again with the newest version of Jenkins (2.150.1) and one Slave on the same machine. Both tests with Docker containers were successful on Windows and on Linux.
          As soon as I can test it, I will try something with a proxy and over multiple servers, maybe it will work now.

          And I will update the plugins; maybe it is not an issue of Jenkins itself, it could be that we hit it because of a plugin update.


            bcygan bcygan