[JENKINS-43210] Windows Agent can't connect to Master through JNLP

Type: Bug
Resolution: Unresolved
Priority: Blocker
Component/s: core, remoting
Labels:
- slave
- windows
Environment:
Jenkins Core 2.32.2.7 running on RHEL 6.8 with JDK 8u121
Windows Slaves Plugin 1.3.1
Windows Server 2012 with latest patches and JDK 8u121
Apache Reverse Proxy with "nocanon" option set

Similar Issues:
Powered by SuggestiMate

Show

When executing

java -Xmx1g -jar slave.jar -jnlpUrl http://dfvvt01seuops.somebank.somenet/jenkins-iteb/computer/DFVIASTWHUDSON2/slave-agent.jnlp

I get

Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main createEngine
INFORMATION: Setting up slave: DFVIASTWHUDSON2
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener <init>
INFORMATION: Jenkins agent is running in headless mode.
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Locating server among http://dfvvt01seuops.somebank.somenet/jenkins-iteb/
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Agent discovery successful
{{ Agent address: dfvvt01seuops.somebank.somenet}}
{{ Agent port: 50000}}
{{ Identity: 13:74:a6:18:f1:96:9c:cb:69:57:26:b1:a2:17:f2:c9}}
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Handshaking
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Connecting to dfvvt01seuops.somebank.somenet:50000
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Trying protocol: JNLP4-connect
Mõr 30, 2017 9:29:36 AM org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer onRecv
SCHWERWIEGEND: [JNLP4-connect connection to dfvvt01seuops.somebank.somenet/10.241.209.26:50000]
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
{{ at sun.security.ssl.Handshaker.checkThrown(Unknown Source)}}
{{ at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)}}
{{ at sun.security.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)}}
{{ at sun.security.ssl.SSLEngineImpl.wrap(Unknown Source)}}
{{ at javax.net.ssl.SSLEngine.wrap(Unknown Source)}}
{{ at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:392)}}
{{ at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.onRecv(SSLEngineFilterLayer.java:117)}}
{{ at org.jenkinsci.remoting.protocol.ProtocolStack$Ptr.onRecv(ProtocolStack.java:669)}}
{{ at org.jenkinsci.remoting.protocol.NetworkLayer.onRead(NetworkLayer.java:136)}}
{{ at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer.access$2200(BIONetworkLayer.java:48)}}
{{ at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer$Reader.run(BIONetworkLayer.java:283)}}
{{ at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)}}
{{ at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)}}
{{ at hudson.remoting.Engine$1$1.run(Engine.java:94)}}
{{ at java.lang.Thread.run(Unknown Source)}}
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
{{ at sun.security.ssl.Alerts.getSSLException(Unknown Source)}}
{{ at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)}}
{{ at sun.security.ssl.Handshaker.fatalSE(Unknown Source)}}
{{ at sun.security.ssl.Handshaker.fatalSE(Unknown Source)}}
{{ at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)}}
{{ at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)}}
{{ at sun.security.ssl.Handshaker.processLoop(Unknown Source)}}
{{ at sun.security.ssl.Handshaker$1.run(Unknown Source)}}
{{ at sun.security.ssl.Handshaker$1.run(Unknown Source)}}
{{ at java.security.AccessController.doPrivileged(Native Method)}}
{{ at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)}}
{{ at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:382)}}
{{ ... 9 more}}
Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=74df086770b5c378864b03273a8576ae) is
{{ not in the list of trusted keys}}
{{ at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkPublicKey(PublicKeyMatchingX509ExtendedTrustManager.java:216)}}
{{ at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkServerTrusted(PublicKeyMatchingX509ExtendedTrustManager.java:263)}}
{{ at org.jenkinsci.remoting.protocol.cert.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:148)}}
{{ ... 17 more}}Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Protocol JNLP4-connect encountered an unexpected exception
java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
{{ at org.jenkinsci.remoting.util.SettableFuture.get(SettableFuture.java:223)}}
{{ at hudson.remoting.Engine.innerRun(Engine.java:385)}}
{{ at hudson.remoting.Engine.run(Engine.java:287)}}
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
{{ at sun.security.ssl.Handshaker.checkThrown(Unknown Source)}}
{{ at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)}}
{{ at sun.security.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)}}
{{ at sun.security.ssl.SSLEngineImpl.wrap(Unknown Source)}}
{{ at javax.net.ssl.SSLEngine.wrap(Unknown Source)}}
{{ at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:392)}}
{{ at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.onRecv(SSLEngineFilterLayer.java:117)}}
{{ at org.jenkinsci.remoting.protocol.ProtocolStack$Ptr.onRecv(ProtocolStack.java:669)}}
{{ at org.jenkinsci.remoting.protocol.NetworkLayer.onRead(NetworkLayer.java:136)}}
{{ at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer.access$2200(BIONetworkLayer.java:48)}}
{{ at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer$Reader.run(BIONetworkLayer.java:283)}}
{{ at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)}}
{{ at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)}}
{{ at hudson.remoting.Engine$1$1.run(Engine.java:94)}}
{{ at java.lang.Thread.run(Unknown Source)}}
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
{{ at sun.security.ssl.Alerts.getSSLException(Unknown Source)}}
{{ at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)}}
{{ at sun.security.ssl.Handshaker.fatalSE(Unknown Source)}}
{{ at sun.security.ssl.Handshaker.fatalSE(Unknown Source)}}
{{ at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)}}
{{ at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)}}
{{ at sun.security.ssl.Handshaker.processLoop(Unknown Source)}}
{{ at sun.security.ssl.Handshaker$1.run(Unknown Source)}}
{{ at sun.security.ssl.Handshaker$1.run(Unknown Source)}}
{{ at java.security.AccessController.doPrivileged(Native Method)}}
{{ at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)}}
{{ at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:382)}}
{{ ... 9 more}}
Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=74df086770b5c378864b03273a8576ae) is
{{ not in the list of trusted keys}}
{{ at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkPublicKey(PublicKeyMatchingX509ExtendedTrustManager.java:216)}}
{{ at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkServerTrusted(PublicKeyMatchingX509ExtendedTrustManager.java:263)}}
{{ at org.jenkinsci.remoting.protocol.cert.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:148)}}
{{ ... 17 more}}Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Connecting to dfvvt01seuops.somebank.somenet:50000
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Server reports protocol JNLP4-plaintext not supported, skipping
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Trying protocol: JNLP3-connect
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Protocol JNLP3-connect encountered an unexpected exception
java.util.concurrent.ExecutionException: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: JNLP3-connect: Incorrect challenge response from master
{{ at java.util.concurrent.FutureTask.report(Unknown Source)}}
{{ at java.util.concurrent.FutureTask.get(Unknown Source)}}
{{ at hudson.remoting.Engine.innerRun(Engine.java:385)}}
{{ at hudson.remoting.Engine.run(Engine.java:287)}}
Caused by: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: JNLP3-connect: Incorrect challenge response from master
{{ at org.jenkinsci.remoting.engine.JnlpProtocol3Handler.sendHandshake(JnlpProtocol3Handler.java:213)}}
{{ at org.jenkinsci.remoting.engine.JnlpProtocol3Handler.sendHandshake(JnlpProtocol3Handler.java:123)}}
{{ at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:162)}}
{{ at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:158)}}
{{ at java.util.concurrent.FutureTask.run(Unknown Source)}}
{{ at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)}}
{{ at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)}}
{{ at hudson.remoting.Engine$1$1.run(Engine.java:94)}}
{{ at java.lang.Thread.run(Unknown Source)}}Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Connecting to dfvvt01seuops.somebank.somenet:50000
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Trying protocol: JNLP2-connect
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Protocol JNLP2-connect encountered an unexpected exception
java.util.concurrent.ExecutionException: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: Server didn't accept the handshake:
{{ at java.util.concurrent.FutureTask.report(Unknown Source)}}
{{ at java.util.concurrent.FutureTask.get(Unknown Source)}}
{{ at hudson.remoting.Engine.innerRun(Engine.java:385)}}
{{ at hudson.remoting.Engine.run(Engine.java:287)}}
Caused by: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: Server didn't accept the handshake:
{{ at org.jenkinsci.remoting.engine.JnlpProtocol2Handler.sendHandshake(JnlpProtocol2Handler.java:134)}}
{{ at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:162)}}
{{ at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:158)}}
{{ at java.util.concurrent.FutureTask.run(Unknown Source)}}
{{ at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)}}
{{ at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)}}
{{ at hudson.remoting.Engine$1$1.run(Engine.java:94)}}
{{ at java.lang.Thread.run(Unknown Source)}}Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Connecting to dfvvt01seuops.somebank.somenet:50000
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Trying protocol: JNLP-connect
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Protocol JNLP-connect encountered an unexpected exception
java.util.concurrent.ExecutionException: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: Server didn't accept the handshake:
{{ at java.util.concurrent.FutureTask.report(Unknown Source)}}
{{ at java.util.concurrent.FutureTask.get(Unknown Source)}}
{{ at hudson.remoting.Engine.innerRun(Engine.java:385)}}
{{ at hudson.remoting.Engine.run(Engine.java:287)}}
Caused by: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: Server didn't accept the handshake:
{{ at org.jenkinsci.remoting.engine.JnlpProtocol1Handler.sendHandshake(JnlpProtocol1Handler.java:121)}}
{{ at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:162)}}
{{ at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:158)}}
{{ at java.util.concurrent.FutureTask.run(Unknown Source)}}
{{ at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)}}
{{ at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)}}
{{ at hudson.remoting.Engine$1$1.run(Engine.java:94)}}
{{ at java.lang.Thread.run(Unknown Source)}}Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener error
SCHWERWIEGEND: The server rejected the connection: None of the protocols were accepted
java.lang.Exception: The server rejected the connection: None of the protocols were accepted
{{ at hudson.remoting.Engine.onConnectionRejected(Engine.java:484)}}
{{ at hudson.remoting.Engine.innerRun(Engine.java:448)}}
{{ at hudson.remoting.Engine.run(Engine.java:287)}}

I don't care for the JNLP3 and JNLP4 issues right now (because I don't need encryption at the moment), but I would expect at least JNLP2 to work. Looks like ~~JENKINS-39232~~ is not fixed after all.

Related: ~~JENKINS-39232~~, ~~JENKINS-40668~~

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

jenkins-43210-issue.txt
9 kB
2018-12-05 14:39
image-2018-09-19-12-09-33-563.png
42 kB
2018-09-19 10:09

bcygan created issue - 2017-03-30 07:45

Oleg Nenashev made changes - 2017-03-31 08:24

Assignee

Original: Kohsuke Kawaguchi [ kohsuke ]

New: Oleg Nenashev [ oleg_nenashev ]

Oleg Nenashev made changes - 2017-03-31 08:24

Component/s

New: remoting [ 15489 ]

Oleg Nenashev added a comment - 2017-03-31 08:31

So I am mostly aware about the JNLP4 protocol failure

Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=74df086770b5c378864b03273a8576ae) is
{{ not in the list of trusted keys}}
{{ at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkPublicKey(PublicKeyMatchingX509ExtendedTrustManager.java:216)}}
{{ at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkServerTrusted(PublicKeyMatchingX509ExtendedTrustManager.java:263)}}
{{ at org.jenkinsci.remoting.protocol.cert.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:148)}}
{{ ... 17 more}}Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Protocol JNLP4-connect encountered an unexpected exception
java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

Due to whatever reason the agent does not consider master's certificate as a trusted one. It should never happen for auto-generated certificates AFAIK, so I would assume your master is available over HTTPS and has untrusted certificate.

Please provide more information about your master settings. Jenkins System logs would be also useful.

Oleg Nenashev added a comment - 2017-03-31 08:31 So I am mostly aware about the JNLP4 protocol failure Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=74df086770b5c378864b03273a8576ae) is {{ not in the list of trusted keys}} {{ at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkPublicKey(PublicKeyMatchingX509ExtendedTrustManager.java:216)}} {{ at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkServerTrusted(PublicKeyMatchingX509ExtendedTrustManager.java:263)}} {{ at org.jenkinsci.remoting.protocol.cert.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:148)}} {{ ... 17 more}}Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status INFORMATION: Protocol JNLP4-connect encountered an unexpected exception java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem Due to whatever reason the agent does not consider master's certificate as a trusted one. It should never happen for auto-generated certificates AFAIK, so I would assume your master is available over HTTPS and has untrusted certificate. Please provide more information about your master settings. Jenkins System logs would be also useful.

bcygan added a comment - 2017-04-03 12:41

The master is not available via HTTPS, that is why I am not worried about the JNLP v3 and v4 errors. But JNLP v2 should work, and it doesn't. I can provide more details if needed (including logs from the master) beginning of next week.

bcygan added a comment - 2017-04-03 12:41 The master is not available via HTTPS, that is why I am not worried about the JNLP v3 and v4 errors. But JNLP v2 should work, and it doesn't. I can provide more details if needed (including logs from the master) beginning of next week.

Oleg Nenashev made changes - 2017-04-03 13:17

Assignee

Original: Oleg Nenashev [ oleg_nenashev ]

New: bcygan [ bcygan ]

Oleg Nenashev added a comment - 2017-04-03 13:17

OK, looking forward to get logs

Oleg Nenashev added a comment - 2017-04-03 13:17 OK, looking forward to get logs

bcygan added a comment - 2017-04-10 10:47 - edited

I checked, and couldn't find any meaningful entries in the logs. In the meantime, I have switched off JNLP3 and JNLP4. Additional information: This is going through an Apache Reverse Proxy and uses central authentication from Jenkins Operations. Which protocol might help in this case ?

The Apache Reverse Proxy ist configured with the "nocanon" option.

bcygan added a comment - 2017-04-10 10:47 - edited I checked, and couldn't find any meaningful entries in the logs. In the meantime, I have switched off JNLP3 and JNLP4. Additional information: This is going through an Apache Reverse Proxy and uses central authentication from Jenkins Operations. Which protocol might help in this case ? The Apache Reverse Proxy ist configured with the "nocanon" option.

bcygan made changes - 2017-04-10 11:07

Environment

Original: Jenkins Core 2.32.2.7 running on RHEL 6.8 with JDK 8u121
Windows Slaves Plugin 1.3.1
Windows Server 2012 with latest patches and JDK 8u121

New: Jenkins Core 2.32.2.7 running on RHEL 6.8 with JDK 8u121
Windows Slaves Plugin 1.3.1
Windows Server 2012 with latest patches and JDK 8u121
Apache Reverse Proxy with "nocanon" option set

Oleg Nenashev added a comment - 2017-05-06 22:53

Does the issue still happen with disabled JNLP3 ?

Oleg Nenashev added a comment - 2017-05-06 22:53 Does the issue still happen with disabled JNLP3 ?

Assignee:: bcygan

Reporter:: bcygan

Votes:: 3 Vote for this issue

Watchers:: 7 Start watching this issue

Created:: 2017-03-30 07:45

Updated:: 2020-10-31 18:29

Jenkins

Details

Description

Attachments

Attachments

Activity

Collapse comment: Oleg Nenashev added a comment - 2017-03-31 08:31

Expand comment: Oleg Nenashev added a comment - 2017-03-31 08:31

Collapse comment: bcygan added a comment - 2017-04-03 12:41

Expand comment: bcygan added a comment - 2017-04-03 12:41

Collapse comment: Oleg Nenashev added a comment - 2017-04-03 13:17

Expand comment: Oleg Nenashev added a comment - 2017-04-03 13:17

Collapse comment: bcygan added a comment - 2017-04-10 10:47, Edited by bcygan - 2017-04-10 10:57

Expand comment: bcygan added a comment - 2017-04-10 10:47, Edited by bcygan - 2017-04-10 10:57

Collapse comment: Oleg Nenashev added a comment - 2017-05-06 22:53

Expand comment: Oleg Nenashev added a comment - 2017-05-06 22:53

People

Dates