[JIRA] (JENKINS-25333) Jenkins 1.586 not starting up using Java8

https://rhn.redhat.com/errata/RHSA-2016-1504.html

This is now also an issue for Java 7 on RedHat Enterprise 5, 6 & 7, since a few weeks ago, a java-1.7.0-openjdk security update was released for all RHEL versions that updated it to u111 and also moves the CertAndKeyGen class from /sun/security/x509/CertAndKeyGen.class to /sun/security/tools/keytool/CertAndKeyGen.class:

It looks like this comes directly from the upstream openjdk, from their Mercurial source code repo:

http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/file/tip/src/share/classes/sun/security/tools/keytool/CertAndKeyGen.java

I also found a github pull request that was opened a few months ago to address this issue:

https://github.com/jenkinsci/winstone/pull/23

This message was sent by Atlassian JIRA (v7.1.7#71011-sha1:2526d7c)

dbeck@cloudbees.com (JIRA)

unread,

Aug 8, 2016, 11:47:02 AM8/8/16

to jenkinsc...@googlegroups.com

Daniel Beck commented on

What are the circumstances for this to happen? Reading the code indicates it's only when relying on ad-hoc cert generation in winstone-jetty, i.e. neither a keystore nor a prepared SSL cert.

smithj4@bnl.gov (JIRA)

unread,

Aug 8, 2016, 12:11:04 PM8/8/16

to jenkinsc...@googlegroups.com

Jason Smith commented on

https://github.com/jenkinsci/winstone/blob/master/src/java/winstone/HttpsConnectorFactory.java#L18

I am using the RedHat Jemkins rpms, and have this config setting: JENKINS_HTTPS_PORT="8443", which adds this argument to the java command line in the initscript: --httpsPort=8443. But I think this is irrelevant, since the failure comes from the import:

since the class path was moved. So even if I used my own keystore for the cert & key, importing sun.security.x509.CertAndKeyGen will still fail.

dbeck@cloudbees.com (JIRA)

unread,

Aug 8, 2016, 12:22:01 PM8/8/16

to jenkinsc...@googlegroups.com

Daniel Beck commented on

Jason Smith Yes, so you're relying on ad-hoc cert functionality. Just create a cert and reference that and you should be fine.

Imports don't really matter here, otherwise the stack trace in the issue description wouldn't have called start() and reached line 101.

schristou88@gmail.com (JIRA)

unread,

Aug 15, 2016, 3:00:04 PM8/15/16

to jenkinsc...@googlegroups.com

Steven Christou commented on

Daniel Beck Maybe it's best to remove this functionality from Winstone. My PR was just to give us some time before removing it completely. The fix I provided won't work with JDK 9, so this might give us a few months(years?) to suggest to avoid using the built-in cert generation and use a valid one before everyone starts using JDK 9 heavily. I could also provide an error on startup suggesting everyone switch to using an outside certificate instead.

dbeck@cloudbees.com (JIRA)

unread,

Aug 15, 2016, 3:57:01 PM8/15/16

to jenkinsc...@googlegroups.com

Daniel Beck commented on

Steven Christou Would be viable, provided it doesn't break things for anyone currently using it successfully. E.g. print a deprecation warning for them and otherwise work, and print a useful error message otherwise. Just removing the parameter and getting something like "This argument doesn't exist" has the potential to break users' instances.

schristou88@gmail.com (JIRA)

unread,

Aug 18, 2016, 4:56:04 PM8/18/16

to jenkinsc...@googlegroups.com

Steven Christou updated an issue

Jenkins /

Jenkins 1.586 not starting up using Java8

Change By:	Steven Christou

Using Java8, Jenkins doesn't start with the following message:

{noformat}
SCHWERWIEGEND: Container startup failed
java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
   at winstone.Launcher.spawnListener(Launcher.java:209)
   at winstone.Launcher.<init>(Launcher.java:149)
   at winstone.Launcher.main(Launcher.java:354)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.lang.reflect.Method.invoke(Method.java:483)
   at Main._main(Main.java:293)
   at Main.main(Main.java:98)
Caused by: java.lang.NoClassDefFoundError: sun/security/x509/CertAndKeyGen
   at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:101)
   at winstone.Launcher.spawnListener(Launcher.java:207)
   ... 8 more
Caused by: java.lang.ClassNotFoundException: sun.security.x509.CertAndKeyGen
   at java.net.URLClassLoader$1.run(URLClassLoader.java:372)
   at java.net.URLClassLoader$1.run(URLClassLoader.java:361)
   at java.security.AccessController.doPrivileged(Native Method)
   at java.net.URLClassLoader.findClass(URLClassLoader.java:360)
   at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
   at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
   ... 10 more
{noformat}

After switching back to Oracle Java 7, it works without problems.

wilson@ds.net (JIRA)

unread,

Aug 24, 2016, 9:32:08 AM8/24/16

to jenkinsc...@googlegroups.com

Brian Wilson commented on

It would be very useful to get this feature of Jenkins working again. Our setup uses Active Directory user authentication and with Jenkins using http on the default port 8080, the paswords are potentially compromised if someone starts sniffing traffic on the server.

I've been trying to get the -httpsport option working with no success and happened to stumble across this ticket which explained things. Now I'm trying to get a signed certificate to install, but I have to say SSL/TLS is not something I've had to deal with much so this is a little confusing (learning about CSR, CRT, JKS, KEY, etc.). If this could be better explained, or just plain fixed as documented, I'm sure a lot of people would be very grateful.

dbeck@cloudbees.com (JIRA)

unread,

Aug 24, 2016, 10:57:01 AM8/24/16

to jenkinsc...@googlegroups.com

Daniel Beck commented on

If this could be better explained

The documentation (and usage instructions) says:

--httpsPrivateKey this switch with --httpsCertificate can be used to run HTTPS with OpenSSL secret key file and the corresponding certificate file

These files are the output of pretty much every OpenSSL "how to create a self-signed certificate" tutorial on the web.

I don't think we need to write another one.

jglick@cloudbees.com (JIRA)

unread,

Dec 8, 2016, 2:25:01 PM12/8/16

to jenkinsc...@googlegroups.com

Jesse Glick commented on

I think in the world of letsencrypt.org there is no reason to keep this functionality undeprecated.

jglick@cloudbees.com (JIRA)

unread,

Dec 15, 2016, 9:45:05 AM12/15/16

to jenkinsc...@googlegroups.com

Jesse Glick started work on

Change By:	Jesse Glick
Status:	Open In Progress

jglick@cloudbees.com (JIRA)

unread,

Dec 15, 2016, 9:45:06 AM12/15/16

to jenkinsc...@googlegroups.com

Jesse Glick assigned an issue to Jesse Glick

Jenkins /

Jenkins 1.586 not starting up using Java8

Change By:	Jesse Glick
Assignee:	Jesse Glick

jglick@cloudbees.com (JIRA)

unread,

Dec 15, 2016, 11:08:02 AM12/15/16

to jenkinsc...@googlegroups.com

Jesse Glick updated

Jenkins /

Jenkins 1.586 not starting up using Java8

Change By:	Jesse Glick
Status:	In Progress Review

scm_issue_link@java.net (JIRA)

unread,

Dec 19, 2016, 3:45:02 PM12/19/16

to jenkinsc...@googlegroups.com

SCM/JIRA link daemon commented on