Jenkins 2.306 is throwing an error when trying to access a keystore, which prevents it from running with SSL. If I downgrade to 2.305 everything works fine. The error is below. I have verified the keystore location and password are correct, plus as I said it works in 2.305 just fine. 

      2021-08-10 15:16:58.138+0000 [id=1] INFO winstone.Logger#logInternal: Jetty shutdown successfully
      java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
      at winstone.Launcher.spawnListener(Launcher.java:226)
      at winstone.Launcher.<init>(Launcher.java:180)
      at winstone.Launcher.main(Launcher.java:369)
      at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.base/java.lang.reflect.Method.invoke(Method.java:566)
      at Main._main(Main.java:375)
      at Main.main(Main.java:151)
      Caused by: java.io.IOException: keystore password was incorrect
      at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2116)
      at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:243)
      at java.base/java.security.KeyStore.load(KeyStore.java:1479)
      at winstone.AbstractSecuredConnectorFactory.configureSsl(AbstractSecuredConnectorFactory.java:73)
      at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:53)
      at winstone.Launcher.spawnListener(Launcher.java:220)
      ... 8 more
      Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
      ... 14 more

          [JENKINS-66347] Keystore not working

          Lev added a comment - - edited

          Experiencing this as well on RHEL7.

          The issue is caused by a change in /etc/rc.d/init.d/jenkins, from 'daemon' to 'daemonize' and the associated quote changes. $JAVA_CMD was previously quoted, however now is not. With the current command, adding quotes around $JAVA_CMD results in an error. And without quotes, it breaks quoting in some of the arguments, including the keystore password.

          It is possible to work around the issue by replacing the entire 'daemonize' line with:

          daemon --user "$JENKINS_USER" --pidfile "$JENKINS_PID_FILE" "$JAVA_CMD" $PARAMS --daemon > /dev/null

          This effectively reverts the change made in 2.306.

          Stems from this commit.

           


          Basil Crow added a comment - - edited

          Hi levnagdimunov0 and snowned, thank you for reporting this and sorry for the regression. Rather than reverting that commit, could you try restoring /etc/rc.d/init.d/jenkins to the released version and making this change instead:

          diff --git a/rpm/build/SOURCES/jenkins.init.in b/rpm/build/SOURCES/jenkins.init.in
          index 52eb0bf..3cf4268 100644
          --- a/rpm/build/SOURCES/jenkins.init.in
          +++ b/rpm/build/SOURCES/jenkins.init.in
          @@ -86,12 +86,11 @@ do
             JENKINS_JAVA_CMD="$candidate"
           done
           
          -JAVA_CMD="$JENKINS_JAVA_CMD $JENKINS_JAVA_OPTIONS -DJENKINS_HOME=$JENKINS_HOME -jar $JENKINS_WAR"
           PARAMS="--logfile=/var/log/@@ARTIFACTNAME@@/@@ARTIFACTNAME@@.log --webroot=/var/cache/@@ARTIFACTNAME@@/war"
           [ -n "$JENKINS_PORT" ] && PARAMS="$PARAMS --httpPort=$JENKINS_PORT"
           [ -n "$JENKINS_LISTEN_ADDRESS" ] && PARAMS="$PARAMS --httpListenAddress=$JENKINS_LISTEN_ADDRESS"
           [ -n "$JENKINS_HTTPS_PORT" ] && PARAMS="$PARAMS --httpsPort=$JENKINS_HTTPS_PORT"
          -[ -n "$JENKINS_HTTPS_KEYSTORE" ] && PARAMS="$PARAMS --httpsKeyStore=$JENKINS_HTTPS_KEYSTORE"
          +[ -n "$JENKINS_HTTPS_KEYSTORE" ] && PARAMS="$PARAMS --httpsKeyStore='$JENKINS_HTTPS_KEYSTORE'"
           [ -n "$JENKINS_HTTPS_KEYSTORE_PASSWORD" ] && PARAMS="$PARAMS --httpsKeyStorePassword='$JENKINS_HTTPS_KEYSTORE_PASSWORD'"
           [ -n "$JENKINS_HTTPS_LISTEN_ADDRESS" ] && PARAMS="$PARAMS --httpsListenAddress=$JENKINS_HTTPS_LISTEN_ADDRESS"
           [ -n "$JENKINS_HTTP2_PORT" ] && PARAMS="$PARAMS --http2Port=$JENKINS_HTTP2_PORT"
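
          Review bot: On the --httpsKeyStore='$JENKINS_HTTPS_KEYSTORE' line (and the existing --httpsKeyStorePassword line below it), the embedded single quotes are only stripped because the start case now runs PARAMS through eval, so a keystore path or password that itself contains a single quote ends the quoting early and the remainder of the value is parsed as shell syntax. Either escape embedded single quotes before appending the value, or build the argument list with set -- or an array so nothing has to be re-parsed. The --httpListenAddress, --httpsListenAddress and port values in this hunk are still appended without quotes; giving them the same treatment would keep the block consistent.
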
          @@ -100,7 +99,7 @@ PARAMS="--logfile=/var/log/@@ARTIFACTNAME@@/@@ARTIFACTNAME@@.log --webroot=/var/
           [ -n "$JENKINS_HANDLER_STARTUP" ] && PARAMS="$PARAMS --handlerCountStartup=$JENKINS_HANDLER_STARTUP"
           [ -n "$JENKINS_HANDLER_MAX" ] && PARAMS="$PARAMS --handlerCountMax=$JENKINS_HANDLER_MAX"
           [ -n "$JENKINS_HANDLER_IDLE" ] && PARAMS="$PARAMS --handlerCountMaxIdle=$JENKINS_HANDLER_IDLE"
          -[ -n "$JENKINS_EXTRA_LIB_FOLDER" ] && PARAMS="$PARAMS --extraLibFolder=$JENKINS_EXTRA_LIB_FOLDER"
          +[ -n "$JENKINS_EXTRA_LIB_FOLDER" ] && PARAMS="$PARAMS --extraLibFolder='$JENKINS_EXTRA_LIB_FOLDER'"
           [ -n "$JENKINS_ARGS" ] && PARAMS="$PARAMS $JENKINS_ARGS"
           
           if [ "$JENKINS_ENABLE_ACCESS_LOG" = "yes" ]; then
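
          Review bot: PARAMS="$PARAMS $JENKINS_ARGS" is unchanged in this hunk, but with the eval added in the start case its contents are now parsed as shell source instead of only being word-split, so quotes, $ and backticks inside JENKINS_ARGS behave differently from the removed $JAVA_CMD $PARAMS invocation. That deserves a comment next to this line and a mention wherever JENKINS_ARGS is documented, since existing values may change meaning. The new single quotes around $JENKINS_EXTRA_LIB_FOLDER share the limitation of the keystore ones: a folder name containing a single quote breaks the line.
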
          @@ -112,7 +111,7 @@ RETVAL=0
           case "$1" in
               start)
                  echo -n "Starting @@PRODUCTNAME@@ "
          -       daemonize -u "$JENKINS_USER" -p "$JENKINS_PID_FILE" $JAVA_CMD $PARAMS
          +       eval "daemonize -u \"$JENKINS_USER\" -p \"$JENKINS_PID_FILE\" \"$JENKINS_JAVA_CMD\" $JENKINS_JAVA_OPTIONS \"-DJENKINS_HOME=$JENKINS_HOME\" -jar \"$JENKINS_WAR\" $PARAMS"
                  RETVAL=$?
                  if [ $RETVAL = 0 ]; then
                      success
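
          Review bot: The eval on the new daemonize line re-parses every interpolated value, and $JENKINS_USER, $JENKINS_PID_FILE, $JENKINS_JAVA_CMD, $JENKINS_HOME and $JENKINS_WAR sit inside escaped double quotes, where a double quote, $ or backtick in the value is still interpreted at eval time, before daemonize switches to $JENKINS_USER; $JENKINS_JAVA_OPTIONS is interpolated with no quoting at all. Consider collecting the arguments with set -- (or an array) and calling daemonize -u "$JENKINS_USER" -p "$JENKINS_PID_FILE" "$@" directly, leaving only $JENKINS_JAVA_OPTIONS as a deliberately unquoted expansion. If eval stays, a comment stating that the configuration values are treated as shell source would help the next maintainer.
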
          
          

          Then run systemctl daemon-reload to apply it, followed by stopping and then starting the Jenkins service with systemctl.

          Please let me know if this works. If so, I'll file a PR to correct the problem. If it doesn't work, please give me more steps to reproduce the problem.
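
          The quoting behaviour discussed in the comments above, as an added example that is not part of the original thread or of the Jenkins init script: it shows what argument the JVM receives when PARAMS is expanded unquoted, when it is passed through eval, and when the arguments are built as positional parameters. The function names, the port and the sample passwords are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: function names and sample values are hypothetical,
# not taken from the Jenkins init script.

# 2.306 behaviour: PARAMS carries literal single quotes and is expanded
# unquoted, so the shell only word-splits it and never removes the quotes.
password_arg_unquoted() {
    params="--httpsPort=8443 --httpsKeyStorePassword='$1'"
    # shellcheck disable=SC2086  # deliberate, to reproduce the regression
    set -- $params
    printf '%s' "$2"
}

# Patch behaviour: eval re-parses the string, so the quotes are honoured.
# A value that itself contains a single quote would end the quoting early.
password_arg_eval() {
    params="--httpsPort=8443 --httpsKeyStorePassword='$1'"
    eval "set -- $params"
    printf '%s' "$2"
}

# Alternative without re-parsing: append each option as one positional
# parameter, so the value is never interpreted as shell syntax.
password_arg_positional() {
    pw=$1
    set -- --httpsPort=8443
    set -- "$@" "--httpsKeyStorePassword=$pw"
    printf '%s' "$2"
}

# Print the second argument each approach would hand to the program.
for sample in 'changeit' 'two words'; do
    printf 'unquoted:   [%s]\n' "$(password_arg_unquoted "$sample")"
    printf 'eval:       [%s]\n' "$(password_arg_eval "$sample")"
    printf 'positional: [%s]\n' "$(password_arg_positional "$sample")"
done
```

          In the unquoted case the quote characters become part of the password, which is consistent with the "keystore password was incorrect" error in the report.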


          Basil Crow added a comment -

          Note: I changed the above diff a few times after doing some local testing. I think I've settled on a working version now.


          Adam added a comment -

          basil thanks for the patch, I just tried it and confirmed that it does work. Much appreciated. Do you think the PR will make it into next week's release? I ask because I am trying to decide if I should update my automation (Ansible) to make this change, or just wait a few more days for a new release.


          Basil Crow added a comment -

          Yes, the PR was merged and the next release will contain the fix.


          Adam added a comment -

          Thanks!


            basil Basil Crow
            snowned Adam