
Unable to start Jenkins with HTTP2 unless httpsKeyStore is set

      This happened after upgrading from 2.338 (which worked fine) to 2.340. Jenkins fails to start with the following log: 

      SEVERE  winstone.Logger#logInternal: Container startup failed
      winstone.WinstoneException: Please set --httpsKeyStore
              at winstone.AbstractSecuredConnectorFactory.configureSsl(AbstractSecuredConnectorFactory.java:88)
              at winstone.Http2ConnectorFactory.start(Http2ConnectorFactory.java:59)
              at winstone.Launcher.spawnListener(Launcher.java:255)
      Caused: java.io.IOException: Failed to start a listener: winstone.Http2ConnectorFactory
              at winstone.Launcher.spawnListener(Launcher.java:261)
              at winstone.Launcher.<init>(Launcher.java:191)
              at winstone.Launcher.main(Launcher.java:405)
              at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.base/java.lang.reflect.Method.invoke(Method.java:566)
              at Main._main(Main.java:304)
              at Main.main(Main.java:108)

      The relevant portion of the Jenkins config:

      JENKINS_PORT="8080"
      JENKINS_LISTEN_ADDRESS="127.0.0.1"
      JENKINS_HTTPS_PORT=""
      JENKINS_HTTPS_KEYSTORE=""
      JENKINS_HTTPS_KEYSTORE_PASSWORD=""
      JENKINS_HTTPS_LISTEN_ADDRESS=""
      JENKINS_HTTP2_PORT="8029"
      JENKINS_HTTP2_LISTEN_ADDRESS="127.0.0.1"
      JENKINS_EXTRA_LIB_FOLDER=""
      JENKINS_ARGS=""
      

      In our case we specifically don't want Jenkins to handle HTTPS, and instead let the webserver do that. Is this still a supported configuration?

          [JENKINS-68107] Unable to start Jenkins with HTTP2 unless httpsKeyStore is set

          Dmitry Erastov added a comment - Could be due to https://github.com/jenkinsci/winstone/releases/tag/winstone-5.23 or https://github.com/jenkinsci/packaging/pull/296?

          Basil Crow added a comment -

          Yes, Winstone 5.23 (i.e., Jenkins core 2.339 and later) removed the automatic generation of a self-signed certificate if TLS is specified (either by httpsPort or http2Port) but no keystore is specified.

          In our case we specifically don't want Jenkins to handle HTTPS

          HTTP/2 over TLS is de facto mandatory, and Jenkins only supports HTTP/2 over TLS. Previously, Jenkins automatically generated a self-signed certificate in such cases. Now, it no longer does.

          I believe your options are either to use another web server to serve HTTP/2 (configured with its own certificate) or to use Jenkins/Winstone to serve HTTP/2 with an explicit keystore.
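
A pre-upgrade check for the situation described in this thread, as an added example that is not part of the original issue or Jenkins project code: it reads a settings file in the KEY="value" form quoted in the report and flags a TLS listener (JENKINS_HTTPS_PORT or JENKINS_HTTP2_PORT) that is enabled without a keystore. The function names, the treatment of an empty value or -1 as "listener disabled", and the keystore readability check are assumptions of this example.

```shell
# Added example (not Jenkins project code). Parses a settings file in the
# KEY="value" form quoted in the report; the file is read as text, never sourced.

# get_setting FILE KEY: print the value of the last KEY= line, quotes stripped.
get_setting() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# is_enabled PORT: assumption of this example: empty or -1 means "no listener".
is_enabled() {
    case "$1" in
        ''|-1) return 1 ;;
        *) return 0 ;;
    esac
}

# check_tls_listeners FILE: return 1 if a TLS listener (HTTPS or HTTP/2) is
# enabled without a usable keystore, i.e. the case that now fails at startup
# with "Please set --httpsKeyStore". Returns 0 otherwise.
check_tls_listeners() {
    file=$1
    status=0
    keystore=$(get_setting "$file" JENKINS_HTTPS_KEYSTORE)
    for name in JENKINS_HTTPS_PORT JENKINS_HTTP2_PORT; do
        port=$(get_setting "$file" "$name")
        is_enabled "$port" || continue
        if [ -z "$keystore" ]; then
            echo "FAIL: $name=$port but JENKINS_HTTPS_KEYSTORE is empty" >&2
            status=1
        elif [ ! -r "$keystore" ]; then
            # Extra check added here: the keystore path must exist and be readable.
            echo "FAIL: $name=$port but keystore '$keystore' is not readable" >&2
            status=1
        fi
    done
    return "$status"
}

# Constructed sample input: the reporter's settings, reduced to the relevant keys.
sample=$(mktemp)
cat > "$sample" <<'EOF'
JENKINS_PORT="8080"
JENKINS_HTTPS_PORT=""
JENKINS_HTTPS_KEYSTORE=""
JENKINS_HTTP2_PORT="8029"
EOF
if check_tls_listeners "$sample"; then echo "OK"; else echo "startup would fail"; fi
rm -f "$sample"
```

Run it as the account Jenkins runs under, since the readability test applies to the calling user.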


          Dmitry Erastov added a comment -

          Thanks for the quick response. We disabled http2 in the Jenkins config and instead now fully rely on the web server for that. Version 2.340 now starts without issues!

          As far as the resolution goes, I think the docs at https://www.jenkins.io/doc/book/installing/initial-settings/#using-http2 are a bit unclear about the need to configure https if enabling http2. I'll take a stab at updating them.

          Basil Crow added a comment -

          Fixed in jenkins-infra/jenkins.io#5021. Thanks for the PR!

