
SSL Connection to Rocket fails if Rocket host uses SNI


Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Fixed
    • None
    • Java: openjdk version "1.8.0_131"
      Jenkins: 2.101
      Jenkins Host OS: Debian Jessie (8)
      Rocket Server: 0.60.3
      RocketChat Notifier Plugin: 1.1.0

    Description

      When testing the connection, I get the exception found below. When manually trying to connect via openssl, I can reproduce the error but can also fix it.

      My assumption is that the Java SSL client doesn't send the server name information and thus is "routed" to the wrong website.

       

      Error reproduced via openssl

      root@host:~# openssl s_client -connect rocket.domain.com:443
      <snip>
      -----END CERTIFICATE-----
      subject=/C=DE/O=Company /CN=farmer.domain.com
      <snip>
      ---
      

      Error "fixed" via openssl

      root@host:~# openssl s_client -connect rocket.domain.com:443 -servername rocket.domain.com
      <snip>
      -----END CERTIFICATE-----
      subject=/OU=Domain Control Validated/OU=Company /OU=PositiveSSL/CN=rocket.doman.com
      issuer=<snip>
      ---

       

      Error Msg.

      Client error - Could not send message
      
      javax.net.ssl.SSLException: Certificate for <rocket.domain.com> doesn't match any of the subject alternative names: [farmer.domain.com, farmer]
          at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:165)
          at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:61)
          at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:141)
          at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:114)
          at org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:580)
          at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:554)
          at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:412)
          at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:179)
          at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
          at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134)
          at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:612)
          at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:447)
          at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:884)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
          at com.mashape.unirest.http.HttpClientHelper.request(HttpClientHelper.java:138)
      Caused: com.mashape.unirest.http.exceptions.UnirestException
          at com.mashape.unirest.http.HttpClientHelper.request(HttpClientHelper.java:143)
          at com.mashape.unirest.request.BaseRequest.asJson(BaseRequest.java:68)
          at jenkins.plugins.rocketchatnotifier.rocket.RocketChatBasicCallAuthentication.doAuthentication(RocketChatBasicCallAuthentication.java:46)
      Caused: java.io.IOException: Please check if the server API https://rocket.domain.com//api/v1/login is correct: javax.net.ssl.SSLException: Certificate for <rocket.domain.com> doesn't match any of the subject alternative names: [farmer.domain.com, farmer]
          at jenkins.plugins.rocketchatnotifier.rocket.RocketChatBasicCallAuthentication.doAuthentication(RocketChatBasicCallAuthentication.java:48)
          at jenkins.plugins.rocketchatnotifier.rocket.RocketChatClientCallBuilder.buildCall(RocketChatClientCallBuilder.java:91)
          at jenkins.plugins.rocketchatnotifier.rocket.RocketChatClientCallBuilder.buildCall(RocketChatClientCallBuilder.java:81)
          at jenkins.plugins.rocketchatnotifier.rocket.RocketChatClientImpl.getChannels(RocketChatClientImpl.java:91)
          at jenkins.plugins.rocketchatnotifier.RocketClientImpl.<init>(RocketClientImpl.java:30)
          at jenkins.plugins.rocketchatnotifier.RocketChatNotifier$DescriptorImpl.doTestConnection(RocketChatNotifier.java:397)
          at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
          at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
          at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
          at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
          at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
          at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
          at org.kohsuke.stapler.MetaClass$5.doDispatch(MetaClass.java:248)
          at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
          at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
          at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
          at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
          at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
          at hudson.plugins.greenballs.GreenBallFilter.doFilter(GreenBallFilter.java:59)
          at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
          at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:99)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
          at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
          at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
          at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
          at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
          at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
          at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
          at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
          at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
          at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
          at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
          at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
          at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
          at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
          at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
          at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
          at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
          at org.eclipse.jetty.server.Server.handle(Server.java:564)
          at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:317)
          at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
          at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
          at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
          at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
          at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
          at java.lang.Thread.run(Thread.java:748)

        Activity

          mreinhardt Martin Reinhardt added a comment - No idea why it's not working in your case. Using SSL on different environments and don't have these issues.
          key_andi Andreas Bauer added a comment -

          Hi,

          thanks for your reply.

          I'm not sure either. However, we are using a shared host environment, where many different SSL hosts are on the same machine. In case the Java client does not set the host name correctly, it gets a connection from the default SSL host. I think that this is happening here.
          key_andi Andreas Bauer added a comment -

          Hi,

          other Plug-Ins stumbled upon the same issue and got it fixed.

          For example Jfrog or eclipse:
          https://issues.jenkins-ci.org/browse/JENKINS-26403
          https://bugs.eclipse.org/bugs/show_bug.cgi?id=478655

          SNI Support was added to the apache http client some time ago:
          https://issues.apache.org/jira/browse/HTTPCLIENT-1119

          I'm no Java developer, so I cannot dive in and propose a fix, but I'm quite sure it isn't a big deal.

          Could you please have a look into this?


          mreinhardt Martin Reinhardt added a comment - Currently not having time to look at this. From the first look I don't have an idea what's wrong.
          christopher Chris Childs added a comment -

          Hello. 

          I am getting the exact same issue at the moment. 

          mreinhardt Martin Reinhardt added a comment - sorry to say, but I don't have time to investigate further
          christopher Chris Childs added a comment -

          key_andi were you able to find a workaround for this?

          mreinhardt Martin Reinhardt added a comment - updated http clients component. Will be included in next release
          key_andi Andreas Bauer added a comment -

          mreinhardt Thanks for fixing this bug!! Really appreciate it!

          mreinhardt Martin Reinhardt added a comment - I've pushed 1.2.1. Should be visible within Jenkins during today

          People

            mreinhardt Martin Reinhardt
            key_andi Andreas Bauer