
Wildcard certificates rejected by Winstone after Jetty update

    • Type: Bug
    • Resolution: Fixed
    • Priority: Blocker
    • core, winstone-jetty
    • Jenkins 2.217 on CentOS 6.10
      Jenkins 2.204.3 LTS on Windows Server 2012 R2
      Wildcard-SSL-Certificate in Java-Keystore in PKCS12 format
      Jenkins 2.204.3 LTS on Ubuntu 18.04.4 LTS
    • 2.218 2.204.4

      With 2.217 Jenkins no longer accepts the supplied keystore which worked flawlessly with all former versions.

      It complains about "multiple certificates" even if there is only one stored in the keystore.

      Re-creating the keystore doesn't change a thing.

      Here's the log output:

      2020-01-24 09:59:56.255+0000 [id=1]     SEVERE  winstone.Logger#logInternal: Container startup failed
      java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
              at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1275)
              at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256)
              at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
              at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
              at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
              at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
              at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
              at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:92)
              at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
              at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
              at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
              at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:320)
              at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
              at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:231)
              at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
              at org.eclipse.jetty.server.Server.doStart(Server.java:385)
              at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
              at winstone.Launcher.<init>(Launcher.java:188)
      Caused: java.io.IOException: Failed to start Jetty
              at winstone.Launcher.<init>(Launcher.java:190)
              at winstone.Launcher.main(Launcher.java:359)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at Main._main(Main.java:375)
              at Main.main(Main.java:151)
      2020-01-24 09:59:56.256+0000 [id=22]    WARNING o.j.h.a.Index$2$1#fetch: Failed to load hudson.model.Queue
      java.lang.ClassNotFoundException: hudson.model.queue.QueueSorter
              at java.net.URLClassLoader.findClass(URLClassLoader.java:382)
              at java.lang.ClassLoader.loadClass(ClassLoader.java:418)
              at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
              at org.eclipse.jetty.webapp.WebAppClassLoader.loadClass(WebAppClassLoader.java:543)
              at java.lang.ClassLoader.loadClass(ClassLoader.java:351)
      Caused: java.lang.NoClassDefFoundError: hudson/model/queue/QueueSorter
              at java.lang.Class.getDeclaredMethods0(Native Method)
              at java.lang.Class.privateGetDeclaredMethods(Class.java:2701)
              at java.lang.Class.getDeclaredMethods(Class.java:1975)
              at org.jvnet.hudson.annotation_indexer.Index$2$1.fetch(Index.java:103)
              at org.jvnet.hudson.annotation_indexer.Index$2$1.hasNext(Index.java:73)
              at org.jvnet.hudson.annotation_indexer.SubtypeIterator.fetch(SubtypeIterator.java:18)
              at org.jvnet.hudson.annotation_indexer.SubtypeIterator.hasNext(SubtypeIterator.java:28)
              at hudson.init.TaskMethodFinder.discoverTasks(TaskMethodFinder.java:56)
              at hudson.init.InitializerFinder.discoverTasks(InitializerFinder.java:33)
              at hudson.init.TaskMethodFinder.discoverTasks(TaskMethodFinder.java:32)
              at org.jvnet.hudson.reactor.TaskBuilder$2.discoverTasks(TaskBuilder.java:61)
              at org.jvnet.hudson.reactor.Reactor.<init>(Reactor.java:151)
              at org.jvnet.hudson.reactor.Reactor.<init>(Reactor.java:156)
              at jenkins.model.Jenkins$5.<init>(Jenkins.java:1127)
              at jenkins.model.Jenkins.executeReactor(Jenkins.java:1127)
              at jenkins.model.Jenkins.<init>(Jenkins.java:966)
              at hudson.model.Hudson.<init>(Hudson.java:85)
              at hudson.model.Hudson.<init>(Hudson.java:81)
              at hudson.WebAppMain$3.run(WebAppMain.java:233)
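
A way to check a keystore against a given Jetty version before upgrading, as an added example that is not code from Jenkins, Winstone or this issue: it starts both the base `SslContextFactory` that appears in the stack trace and the `SslContextFactory.Server` subclass named in the error message against the same keystore. It assumes a Jetty 9.4.x `jetty-util` jar on the classpath; the class name `KeystoreStartCheck` and the `KEYSTORE_PASSWORD` environment variable are names made up for this example.

```java
import org.eclipse.jetty.util.ssl.SslContextFactory;

/** Added example (not Jenkins/Winstone code): does this keystore start under Jetty 9.4.x? */
public class KeystoreStartCheck {

    /** Configures and starts the factory; returns null on success, else the failure text. */
    static String tryStart(SslContextFactory factory, String path, String type, String password) {
        factory.setKeyStorePath(path);
        factory.setKeyStoreType(type);          // "PKCS12" or "JKS"
        factory.setKeyStorePassword(password);  // key password assumed equal to store password
        try {
            // start() runs doStart() -> load() -> getKeyManagers(), the path in the stack trace.
            factory.start();
            factory.stop();
            return null;
        } catch (Exception e) {
            return e.getClass().getName() + ": " + e.getMessage();
        }
    }

    @SuppressWarnings("deprecation") // the base-class constructor is deprecated in Jetty 9.4.x
    public static void main(String[] args) {
        // KEYSTORE_PASSWORD is a name chosen for this example; it keeps the secret out of argv.
        String password = System.getenv("KEYSTORE_PASSWORD");
        if (args.length != 2 || password == null) {
            System.err.println("usage: KEYSTORE_PASSWORD=... java KeystoreStartCheck <keystore> <PKCS12|JKS>");
            System.exit(2);
        }
        String base = tryStart(new SslContextFactory(), args[0], args[1], password);
        String server = tryStart(new SslContextFactory.Server(), args[0], args[1], password);

        System.out.println("base SslContextFactory   : " + (base == null ? "started" : base));
        System.out.println("SslContextFactory.Server : " + (server == null ? "started" : server));
        // Exit 0 only when the Server subclass accepts the keystore.
        System.exit(server == null ? 0 : 1);
    }
}
```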
      
      

          [JENKINS-60857] Wildcard certificates rejected by Winstone after Jetty update

          Christian Keck created issue -
          H. Feldker made changes -
          Link New: This issue is duplicated by JENKINS-60858 [ JENKINS-60858 ]

          H. Feldker added a comment -

          Hello,

          we encountered a similar issue (same exception), but our keystore is in JKS format and we do not have a wildcard certificate.

          My guess is that this issue is connected with the Jetty update 9.4.23:

          Release notes entry: 4325 Deprecate SniX509ExtendedKeyManager constructor without SslContextFactory$Server

           

          Best regards,

          Heiko


          Christian Keck added a comment - - edited

          I agree with Heiko that it must be related to a change in the API of Jetty or at least a change in the acceptance of missing parameters in some methods.

          However, the noted deprecation seems to lead to a different error message as found here for example: https://github.com/eclipse/jetty.project/issues/4425

          EDIT: Never mind - the message had been updated in 4.25...

          Christian Keck made changes -
          Labels Original: SSL jenkins jetty New: SSL jetty keystore

          François Isabelle added a comment -

          I got the same issue after upgrading to 2.217.

          Alexander Gängel added a comment -

          Same for me
          Christian Keck made changes -
          Link New: This issue duplicates JENKINS-60854 [ JENKINS-60854 ]
          Christian Keck made changes -
          Priority Original: Critical [ 2 ] New: Blocker [ 1 ]
          Jesse Glick made changes -
          Assignee New: Jesse Glick [ jglick ]

            oleg_nenashev Oleg Nenashev
            christg74 Christian Keck
            Votes: 12
            Watchers: 25
