Bug
Resolution: Unresolved
Minor
Jenkins 2.462.2 running in Kubernetes
Using jenkins/inbound-agent:latest@sha256:7df39b03883b9741dacbaac976f054d584c21aeeb54474cf315c5b8dd03db7ef
What Operating System are you using (both controller, and any agents involved in the problem)?
Agent: Debian 12
Controller: Debian 12
Reproduction steps
- Create a self-signed root CA certificate and a Jenkins certificate
- Configure Jenkins to use the endpoint certificate in the truststore
- Mount the root CA certificate in the inbound agent's container, e.g. under /etc/ssl/certs/ca-certificates.crt
- Run a job using the agent with the -cert @/etc/ssl/certs/ca-certificates.crt argument (or -cert $ROOT_CA by dumping the root CA cert into the ROOT_CA environment variable)
Expected Results
Connection via HTTPS to the Jenkins controller works
Actual Results
Connection via HTTPS to the Jenkins controller does not work
When using the inbound agent to connect to Jenkins, which is set up with a self-signed certificate, I'm using the -cert parameter of agent.jar to specify the path to the root CA certificate that is used to sign the Jenkins certificate:
/opt/java/openjdk/bin/java -jar /usr/share/jenkins/agent.jar -cert @/etc/ssl/certs/ca-certificates.crt -tunnel jenkins-agent.jenkins.svc.cluster.local:30001 -url https://jenkins.jenkins.svc.cluster.local:8080/ -workDir /home/jenkins/agent -noReconnectAfter 1d blablabla hostname
"-----END CERTIFICATE-----" is not a valid option
Work-around by storing the root CA cert in an environment variable:
export ROOT_CA=$(cat /etc/ssl/certs/ca-certificates.crt)
/opt/java/openjdk/bin/java -jar /usr/share/jenkins/agent.jar -cert $ROOT_CA -tunnel jenkins-agent.jenkins.svc.cluster.local:30001 -url https://jenkins.jenkins.svc.cluster.local:8080/ -workDir /home/jenkins/agent -noReconnectAfter 1d blablabla hostname
"-----END" is not a valid option
Cert is valid:
openssl x509 -in /etc/ssl/certs/ca-certificates.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            bf:c0:2a:84:f5:63:50:65:2d:9f:44:1a:8f:d2:e6:21
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = jenkins-ca.example.com
        Validity
            Not Before: Nov 26 07:38:52 2024 GMT
            Not After : Nov 24 07:38:52 2034 GMT
        Subject: CN = jenkins-ca.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
[...]
This looks to me like something causes part of the certificate to be treated as an argument, so the parsing does not work as expected.
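
Added example (not part of the original report and not Jenkins project code): how a POSIX shell hands the multi-line PEM value from the work-around to a program when $ROOT_CA is unquoted versus quoted. The certificate body is a constructed placeholder, the function names are hypothetical, and first_stray_option assumes an option parser that takes exactly one value after -cert.

```shell
#!/bin/sh
# Constructed placeholder with the same line layout as a PEM file (not a real certificate).
ROOT_CA='-----BEGIN CERTIFICATE-----
QUJDREVGR0g=
-----END CERTIFICATE-----'

# Number of arguments the called program would receive.
count_argv() { echo "$#"; }

# Print the argv one element per line, with embedded newlines shown as spaces.
show_argv() {
    i=0
    for arg in "$@"; do
        i=$((i + 1))
        printf 'argv[%d]=<%s>\n' "$i" "$(printf '%s' "$arg" | tr '\n' ' ')"
    done
}

# Assumption: the parser consumes one value after -cert. Report the first
# remaining token that starts with "-", which such a parser would read as an option.
first_stray_option() {
    while [ "$#" -gt 0 ]; do
        if [ "$1" = "-cert" ]; then
            shift                              # drop -cert
            if [ "$#" -gt 0 ]; then shift; fi  # drop its single value
            continue
        fi
        case "$1" in
            -*) printf '%s\n' "$1"; return 0 ;;
        esac
        shift
    done
    return 0
}

echo "unquoted: -cert \$ROOT_CA"
# Unquoted expansion is split on spaces and newlines: the PEM becomes five words.
show_argv -cert $ROOT_CA
echo "first stray option: $(first_stray_option -cert $ROOT_CA)"

echo "quoted: -cert \"\$ROOT_CA\""
# Quoted expansion keeps the whole PEM, newlines included, as one argument.
show_argv -cert "$ROOT_CA"
echo "first stray option: $(first_stray_option -cert "$ROOT_CA")"
```

The unquoted case reproduces the token named in the work-around's error message; whether agent.jar accepts the quoted single-argument form is not shown in this report.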