[JIRA] [core] (JENKINS-22448) Jenkins Error CA Certificate


p.giarrusso@gmail.com (JIRA)

May 11, 2015, 1:34:02 PM5/11/15
to jenkinsc...@googlegroups.com
Paolo Giarrusso reopened an issue
 

Let me question the analysis by Daniel Beck.

Is there any evidence that Jenkins supports PEM-formatted keys as claimed? Say, a regression test? The exception is thrown by Jenkins code that implements by hand parsing of key files, and that code has some TODOs that suggest it's not a correctness champion, and there's no link to what spec it is implementing. In fact, it's surprising that Jenkins code implements such low-level certificate parsing instead of using some library.

https://github.com/jenkinsci/winstone/blob/f42497acd05d2ab69ae40875cfab0f9675777ef4/src/java/winstone/HttpsConnectorFactory.java#L148

1. Jenkins documents supporting PEM keys.
2. I have what looks like such a key generated with openssl.
3. Jenkins fails on that key as documented in this issue.

   --httpsPrivateKey        = the location of the PEM-encoded SSL private key.
                              (the one that starts with '-----BEGIN RSA PRIVATE KEY-----')

I created a key with openssl:

openssl req -nodes -newkey rsa:2048 -keyout kamino.key -out kamino-req.pem -subj $OMITTED

the file starts with

-----BEGIN PRIVATE KEY-----
Jenkins / Bug JENKINS-22448
Jenkins Error CA Certificate
Change By: Paolo Giarrusso
Resolution: Won't Fix
Status: Resolved -> Reopened
 
This message was sent by Atlassian JIRA (v6.4.2#64017-sha1:e244265)

p.giarrusso@gmail.com (JIRA)

May 11, 2015, 1:52:01 PM5/11/15
to jenkinsc...@googlegroups.com
Paolo Giarrusso assigned an issue to Daniel Beck
Change By: Paolo Giarrusso
Assignee: Daniel Beck

daniel@beckweb.net (JIRA)

May 11, 2015, 2:01:01 PM5/11/15
to jenkinsc...@googlegroups.com
Daniel Beck assigned an issue to Unassigned
Change By: Daniel Beck
Assignee: Daniel Beck

daniel@beckweb.net (JIRA)

May 11, 2015, 2:04:02 PM5/11/15
to jenkinsc...@googlegroups.com
Daniel Beck commented on Bug JENKINS-22448
 
Re: Jenkins Error CA Certificate

Paolo Giarrusso To clarify, you're getting the same exception with your key generated like that? Could you post the exception stack trace/error message, which version of Jenkins you're using, and the key you generated?

p.giarrusso@gmail.com (JIRA)

May 11, 2015, 4:43:02 PM5/11/15
to jenkinsc...@googlegroups.com

Daniel Beck Thanks a lot for the prompt answer!
Essentially yes, I'm getting essentially the same exception, but the line numbers are slightly different, so below's the actual data. I won't post the real private key since it's used in production after being certified by an external authority, but I've regenerated another one with the same command, self-signed it, and reproduced the same error.

I'm running Jenkins LTS from a recent official Docker image (running Jenkins ver. 1.596.2). The openssl I used is from the host, openssl 1.0.1f-1ubuntu2.11 from Ubuntu 14.04 LTS.

Jenkins output:

# docker run --name myjenkins-ssl-bad-2 -p 8443:8443 -v /var/jenkins_home jenkins-ssl-bad-2
/usr/share/jenkins/ref/init.groovy.d/tcp-slave-angent-port.groovy
 /usr/share/jenkins/ref/init.groovy.d/tcp-slave-angent-port.groovy -> init.groovy.d/tcp-slave-angent-port.groovy
copy init.groovy.d/tcp-slave-angent-port.groovy to JENKINS_HOME
Running from: /usr/share/jenkins/jenkins.war
webroot: EnvVars.masterEnvVars.get("JENKINS_HOME")
May 11, 2015 8:29:43 PM winstone.Logger logInternal
INFO: Beginning extraction from war file
May 11, 2015 8:29:44 PM winstone.Logger logInternal
INFO: Winstone shutdown successfully
May 11, 2015 8:29:44 PM winstone.Logger logInternal
SEVERE: Container startup failed
java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
        at winstone.Launcher.spawnListener(Launcher.java:209)
        at winstone.Launcher.<init>(Launcher.java:149)
        at winstone.Launcher.main(Launcher.java:354)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at Main._main(Main.java:293)
        at Main.main(Main.java:98)
Caused by: java.io.IOException: DerValue.getBigInteger, not an int 48
        at sun.security.util.DerValue.getBigInteger(DerValue.java:511)
        at winstone.HttpsConnectorFactory.readPEMRSAPrivateKey(HttpsConnectorFactory.java:173)
        at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:89)
        at winstone.Launcher.spawnListener(Launcher.java:207)
        ... 8 more

OpenSSL output, on the host:

# openssl req -nodes -newkey rsa:2048 -keyout kamino-foo.key -out kamino-req-foo.pem -subj '/O=Universitaet Tuebingen/L=Tuebingen/ST=Baden-Wuerttemberg/C=DE/CN=kamino.informatik.uni-tuebingen.de/emailAddress=paolo.g...@uni-tuebingen.de'
Generating a 2048 bit RSA private key
........+++
...................................................................................+++
writing new private key to 'kamino-foo.key'
-----
# openssl x509 -req -days 365 -in kamino-req-foo.pem -signkey kamino-foo.key -out kamino-foo.crt
Signature ok
subject=/O=Universitaet Tuebingen/L=Tuebingen/ST=Baden-Wuerttemberg/C=DE/CN=kamino.informatik.uni-tuebingen.de/emailAddress=paolo.g...@uni-tuebingen.de
Getting Private key
# cat kamino-foo.key
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
# cat kamino-req-foo.pem
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
# cat kamino-foo.crt
-----BEGIN CERTIFICATE-----
MIID+DCCAuACCQDs4UelTd8M0TANBgkqhkiG9w0BAQsFADCBvTEfMB0GA1UECgwW
VW5pdmVyc2l0YWV0IFR1ZWJpbmdlbjESMBAGA1UEBwwJVHVlYmluZ2VuMRswGQYD
VQQIDBJCYWRlbi1XdWVydHRlbWJlcmcxCzAJBgNVBAYTAkRFMSswKQYDVQQDDCJr
YW1pbm8uaW5mb3JtYXRpay51bmktdHVlYmluZ2VuLmRlMS8wLQYJKoZIhvcNAQkB
FiBwYW9sby5naWFycnVzc29AdW5pLXR1ZWJpbmdlbi5kZTAeFw0xNTA1MTEyMDI2
MTJaFw0xNjA1MTAyMDI2MTJaMIG9MR8wHQYDVQQKDBZVbml2ZXJzaXRhZXQgVHVl
YmluZ2VuMRIwEAYDVQQHDAlUdWViaW5nZW4xGzAZBgNVBAgMEkJhZGVuLVd1ZXJ0
dGVtYmVyZzELMAkGA1UEBhMCREUxKzApBgNVBAMMImthbWluby5pbmZvcm1hdGlr
LnVuaS10dWViaW5nZW4uZGUxLzAtBgkqhkiG9w0BCQEWIHBhb2xvLmdpYXJydXNz
b0B1bmktdHVlYmluZ2VuLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEA+0GsTlUGLolB1IxpL365+PRTGnTzKyt9rBvKHkQAG4wvYYuj18RF182UdvVa
UPU1gKcTVpqrNBiVhfqS3569Il1+znU4RTylY4FSF1QNUmwdt7xNpSjk7vRZiaE8
/AwDT+JahI+BnVaTYyPPqOkLX3aC17OD/JfjQP9FHlT0vR2dKkfEgyiBX+SJWtsO
vLfLuR6/SNIVsHeMGBu6k9OCSnlfbky6NquxLRiRAweJ0mPB/UtjEYE6UM1TtQtp
e1JtNOtt00UVsrrYL7HjAPfEsxW2xJaKH1IEbBucJNYesLjRTnBOi0/9MDmtz2kH
j3LuD0tSCm5osQ9++SG3AFF6cwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCLEUiK
+DwZTaGnrN+CF4vpfFiW89g9v/GwtFWiaKfv7dBdNpOz9MwQiNoewadyLW9JW+pz
5fqDYpFppW9aIPHHkpsatKDoyGJM9rK/qBL2beXT9SeitLZFLDvI0dY57G1z3AWw
ZHvb1ic3bic9FVqCPOQwTZm/qCBKuyhSg2cyKdNi5DpUwEu4K3nbZy7zvwhflc4g
V0L+J4Wv6FJzwnluuBaTWv7oRiu4gVs63AuUnL45YrLHjeOcbXeeLEEDsW344igX
V1ArM2gJFdMZHCaU5mLd1LYa/6o5wFV5RAVwdIWEGwMeGhMypldUCXHR80AFv60l
F5LEX7BrToWVzWg9
-----END CERTIFICATE-----

Should you want to reproduce the same environment through Docker, see below for the configuration I used — but I'm not sure that's helpful, so feel free to ignore what's below.

Docker configuration and setup command-line. Warning: I'm a Docker beginner, so I'm not sure this will work just so — the first line refers to the `jenkins` image provided here, though it should pull the right one from the remote repository.

# cat Dockerfile
FROM jenkins

COPY kamino-foo.crt /var/lib/jenkins/kamino.informatik.uni-tuebingen.de.crt
COPY kamino-foo.key /var/lib/jenkins/kamino.informatik.uni-tuebingen.de.key

USER root
RUN chown jenkins /var/lib/jenkins/kamino.informatik.uni-tuebingen.de.*
USER jenkins
ENV JENKINS_OPTS --httpPort=-1 --httpsPort=8443 --httpsCertificate=/var/lib/jenkins/kamino.informatik.uni-tuebingen.de.crt --httpsPrivateKey=/var/lib/jenkins/kamino.informatik.uni-tuebingen.de.key

EXPOSE 8443
# docker build -t jenkins-ssl-bad-2 .

Information about relevant Docker images:

# docker images
jenkins                               latest              235c3abb5af0        2 weeks ago         662 MB
jenkins-ssl-bad-2                     latest              cee95cb7e808        7 minutes ago       662.1 MB

alex.hha@gmail.com (JIRA)

Jun 18, 2015, 3:43:03 PM6/18/15
to jenkinsc...@googlegroups.com

I have the same issue on jenkins-1.617 and win 2k8

C:\users\Administrator> net start jenkins
The Jenkins service is starting.
The Jenkins service could not be started.

A system error has occurred.

System error 1067 has occurred.

The process terminated unexpectedly.

jenkins.err.log contains the following lines

Jun 18, 2015 7:34:37 PM winstone.Logger logInternal
INFO: Beginning extraction from war file
Jun 18, 2015 7:34:37 PM winstone.Logger logInternal
INFO: Winstone shutdown successfully
Jun 18, 2015 7:34:37 PM winstone.Logger logInternal
SEVERE: Container startup failed
java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
	at winstone.Launcher.spawnListener(Launcher.java:209)
	at winstone.Launcher.<init>(Launcher.java:149)
	at winstone.Launcher.main(Launcher.java:354)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at Main._main(Main.java:293)
	at Main.main(Main.java:98)
Caused by: java.io.IOException: DerValue.getBigInteger, not an int 48
	at sun.security.util.DerValue.getBigInteger(Unknown Source)
	at winstone.HttpsConnectorFactory.readPEMRSAPrivateKey(HttpsConnectorFactory.java:173)
	at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:89)
	at winstone.Launcher.spawnListener(Launcher.java:207)
	... 8 more

alex.hha@gmail.com (JIRA)

Jun 18, 2015, 3:47:01 PM6/18/15
to jenkinsc...@googlegroups.com
Alex Domoradov edited a comment on Bug JENKINS-22448
I have the same issue on jenkins-1.617 and win 2k8

{code}

C:\users\Administrator> net start jenkins
The Jenkins service is starting.
The Jenkins service could not be started.

A system error has occurred.

System error 1067 has occurred.

The process terminated unexpectedly.
{code}


jenkins.err.log contains the following lines
{code}

Jun 18, 2015 7:34:37 PM winstone.Logger logInternal
INFO: Beginning extraction from war file
Jun 18, 2015 7:34:37 PM winstone.Logger logInternal
INFO: Winstone shutdown successfully
Jun 18, 2015 7:34:37 PM winstone.Logger logInternal
SEVERE: Container startup failed
java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
at winstone.Launcher.spawnListener(Launcher.java:209)
at winstone.Launcher.<init>(Launcher.java:149)
at winstone.Launcher.main(Launcher.java:354)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at Main._main(Main.java:293)
at Main.main(Main.java:98)
Caused by: java.io.IOException: DerValue.getBigInteger, not an int 48
at sun.security.util.DerValue.getBigInteger(Unknown Source)
at winstone.HttpsConnectorFactory.readPEMRSAPrivateKey(HttpsConnectorFactory.java:173)
at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:89)
at winstone.Launcher.spawnListener(Launcher.java:207)
... 8 more
{code}

P.S.
With GoDaddy certificate it works fine in the same environment.

alex.hha@gmail.com (JIRA)

Jul 3, 2015, 10:37:02 AM7/3/15
to jenkinsc...@googlegroups.com

tjbryant@uncc.edu (JIRA)

Jul 6, 2015, 8:12:02 AM7/6/15
to jenkinsc...@googlegroups.com

I couldn't figure out how to fix it. I had to switch to using a tomcat container to run jenkins.

p.giarrusso@gmail.com (JIRA)

Jul 6, 2015, 8:22:04 AM7/6/15
to jenkinsc...@googlegroups.com

Alex Domoradov: I managed to fix it by switching to a keytool certificate store (see SuperUser link), though that's a pain, but I wish I'd switched to a nginx proxy — especially if you want to SSL more services, it's more convenient to do it all in nginx rather than once for each service. (An Apache proxy would also work, it'd just be more resource hungry).
Googling "nginx ssl proxy" leads me to an HOWTO for Jenkins somehow, https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins.

alex.hha@gmail.com (JIRA)

Jul 6, 2015, 11:47:01 AM7/6/15
to jenkinsc...@googlegroups.com

Could anyone point me to where I can get all available values for the httpsKeyManagerType option? E.g. can I use PKCS12 (in Tomcat/JIRA I could) or JKS only?

Thanks in advance

alex.hha@gmail.com (JIRA)

Jul 6, 2015, 12:11:03 PM7/6/15
to jenkinsc...@googlegroups.com
Alex Domoradov edited a comment on Bug JENKINS-22448
Could anyone point me to where I can get all available values for the httpsKeyManagerType option? E.g. can I use PKCS12 (in Tomcat/JIRA I could) or JKS only? And how can I specify the cipher suite to disable RC4? With default settings I got the following results on SSLLABS - !http://i.imgur.com/Qk6h21r.png!

Thanks in advance

afinkenstadt@zynga.com (JIRA)

Jul 7, 2015, 8:59:03 PM7/7/15
to jenkinsc...@googlegroups.com

Using http://stackoverflow.com/questions/17733536/how-do-i-convert-a-private-key-to-an-rsa-private-key seems to have done the trick. Namely:

Newer versions of OpenSSL say BEGIN PRIVATE KEY because they contain the private key + an OID that identifies the key type. To get the old style key you can do this:

openssl rsa -in server.key -out server_new.key

alex.hha@gmail.com (JIRA)

Jul 8, 2015, 8:00:05 AM7/8/15
to jenkinsc...@googlegroups.com

The post is dated Jul 18 '13. So which version of openssl are they talking about?

I'm using

# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

Is it new enough?

p.giarrusso@gmail.com (JIRA)

Jul 8, 2015, 9:08:02 AM7/8/15
to jenkinsc...@googlegroups.com

I'd bet yes, otherwise you probably wouldn't have this issue.
But to verify, according to that StackOverflow post, if the key starts with

-----BEGIN PRIVATE KEY-----

it's from the "new" format, while if it starts with

-----BEGIN RSA PRIVATE KEY-----

it's from the old format (though the post has the wrong capitalization). I verified that my key indeed used the new format, and is indeed from a "new" openssl:

# openssl version
OpenSSL 1.0.1f 6 Jan 2014

(Warning: For the old format, I'd guess you could also find DSA there instead of RSA, depending on the key algorithm).

I found a more complete description of the situation in this post: http://stackoverflow.com/q/20065304/53974. The "new" format is PKCS #8, the "old" format is PKCS #1. In the old format, the key algorithm (RSA or DSA) is described in the header; in the new format, this info is not in the header but in an extra field in the base64 content. While parsing the content, Jenkins produced the exception we see because of this extra field. That post links to further details.

Issue Summary/Possible Diagnosis

To sum up the issue (as we understand), Jenkins only accepts the PKCS #1 format, and OpenSSL used to produce that by default, but now produces PKCS#8, and Jenkins cannot handle the latter format. There is a workaround which fits this hypothesis, that worked (up to now) for the only user who tested it. More experiments are needed to confirm the explanation.

Acks

Kudos to andrew finkenstadt for finding the essential bit of info, and the workaround (I haven't tried to verify it). I've just put together a summary. Caveat: I'm no PKCS format expert.
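Added example (not part of the thread, and not Jenkins or Winstone code): a small Python script that decodes the DER header behind a PEM private key and reports whether the content is a PKCS #1 RSAPrivateKey (the "old" BEGIN RSA PRIVATE KEY format) or a PKCS #8 PrivateKeyInfo (the "new" BEGIN PRIVATE KEY format), and that unwraps PKCS #8 to PKCS #1 for an rsaEncryption key the way the `openssl rsa -in ... -out ...` workaround does. It also makes the stack trace concrete: after the outer SEQUENCE and the version INTEGER, PKCS #8 carries an AlgorithmIdentifier SEQUENCE (tag 0x30 = 48) where PKCS #1 carries the modulus INTEGER, which is exactly what "DerValue.getBigInteger, not an int 48" complains about. The DER tags and the rsaEncryption OID are the standard ones; the sample keys are built from tiny constructed integers and are not real keys.

```python
"""Classify a PEM private key as PKCS#1 or PKCS#8 by its DER structure, and
unwrap PKCS#8 -> PKCS#1 for RSA keys. Added example; the sample keys below are
constructed from toy integers and are NOT real keys."""
import base64
import re

SEQUENCE, INTEGER, OCTET_STRING, OID = 0x30, 0x02, 0x04, 0x06
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
NULL = b"\x05\x00"


def der_len(n):
    """DER length: short form below 0x80, otherwise 0x8N followed by N bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):
    # one extra bit of room so the top byte never sets the sign bit
    return tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def read_tlv(buf, pos):
    """Decode one TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def pkcs1_rsa(n, e, d):
    """RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }.
    Constructed toy values; the CRT fields are just filled with 1."""
    return tlv(SEQUENCE, b"".join(der_int(f) for f in (0, n, e, d, 1, 1, 1, 1, 1)))


def pkcs8_wrap(pkcs1_der):
    """PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier, OCTET STRING }.
    The AlgorithmIdentifier SEQUENCE is the 'extra field' of the new format."""
    alg = tlv(SEQUENCE, tlv(OID, RSA_OID) + NULL)
    return tlv(SEQUENCE, der_int(0) + alg + tlv(OCTET_STRING, pkcs1_der))


def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def from_pem(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def classify_key(pem):
    """Report the PEM label, the DER structure behind it, and the tag that a
    PKCS#1-only reader meets where it expects the modulus INTEGER
    (48 = 0x30 = SEQUENCE for PKCS#8: the 'not an int 48' from the traces)."""
    label, der = from_pem(pem)
    tag, pos, _ = read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError(f"outer element is tag {tag}, not a SEQUENCE")
    tag, _, vend = read_tlv(der, pos)          # version INTEGER in both formats
    if tag != INTEGER:
        raise ValueError(f"expected version INTEGER, got tag {tag}")
    second, _, _ = read_tlv(der, vend)
    fmt = {INTEGER: "PKCS#1 RSAPrivateKey", SEQUENCE: "PKCS#8 PrivateKeyInfo"}.get(second, "unknown")
    return {
        "label": label,
        "format": fmt,
        "second_field_tag": second,
        # a header that promises RSA PRIVATE KEY over PKCS#8 content is a mismatch
        "header_matches_content": (label == "RSA PRIVATE KEY") == fmt.startswith("PKCS#1"),
    }


def unwrap_pkcs8(pem):
    """PKCS#8 -> PKCS#1 for an rsaEncryption key (what `openssl rsa -in` does):
    check the AlgorithmIdentifier OID, then re-label the OCTET STRING payload."""
    label, der = from_pem(pem)
    _, pos, _ = read_tlv(der, 0)
    _, _, vend = read_tlv(der, pos)                     # version
    tag, astart, aend = read_tlv(der, vend)             # AlgorithmIdentifier
    if tag != SEQUENCE:
        raise ValueError("not a PKCS#8 PrivateKeyInfo")
    otag, ostart, oend = read_tlv(der, astart)
    if otag != OID or der[ostart:oend] != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption; cannot emit RSAPrivateKey")
    ptag, pstart, pend = read_tlv(der, aend)            # privateKey OCTET STRING
    if ptag != OCTET_STRING:
        raise ValueError(f"expected OCTET STRING, got tag {ptag}")
    return to_pem("RSA PRIVATE KEY", der[pstart:pend])


# constructed sample: the same toy RSAPrivateKey in both encodings
OLD_STYLE = to_pem("RSA PRIVATE KEY", pkcs1_rsa(3233, 17, 413))
NEW_STYLE = to_pem("PRIVATE KEY", pkcs8_wrap(pkcs1_rsa(3233, 17, 413)))

if __name__ == "__main__":
    for pem in (OLD_STYLE, NEW_STYLE):
        print(classify_key(pem))
    print(unwrap_pkcs8(NEW_STYLE) == OLD_STYLE)   # True
```

Run it on a real key by passing the file contents to `classify_key`; a `second_field_tag` of 48 on a file you intend to hand to `--httpsPrivateKey` means the key is PKCS #8 and will trip the parser, and `header_matches_content` being false means someone renamed the PEM label without converting the content. `unwrap_pkcs8` refuses non-RSA algorithms on purpose, since only RSA has a PKCS #1 form to fall back to.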

afinkenstadt@zynga.com (JIRA)

Jul 8, 2015, 2:43:01 PM7/8/15
to jenkinsc...@googlegroups.com
afinkenstadt in ~/projects
⚡ openssl version
OpenSSL 0.9.8zd 8 Jan 2015

alex.hha@gmail.com (JIRA)

Jul 8, 2015, 3:21:02 PM7/8/15
to jenkinsc...@googlegroups.com
# head -2 jenkins.example.net.key
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC5WDBnZaE4HtmG

So as you can see I have the new key format and at the same time I can't use self signed certificate in jenkins. It works only if I converted certificate and key to PKCS12 and then import it to JKS storage. Something like the following one

# cat rootca.pem jenkins.example.net.crt > chain.pem
# openssl pkcs12 -export -in chain.pem -inkey jenkins.example.net.key > jenkins.example.net.p12
# keytool -importkeystore -srckeystore jenkins.example.net.p12 -destkeystore jenkins.example.net.jks -srcstoretype pkcs12

alex.hha@gmail.com (JIRA)

Jul 8, 2015, 3:22:07 PM7/8/15
to jenkinsc...@googlegroups.com
Alex Domoradov edited a comment on Bug JENKINS-22448

{code}
# head -2 jenkins.example.net.key
-----BEGIN PRIVATE KEY-----
MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC5WDBnZaE4HtmG
{code}

So as you can see I have the new key format and at the same time I can't use self signed certificate in jenkins. It works only if I converted certificate and key to PKCS12 and then import it to JKS storage. Something like the following one

{code}
# cat rootca.pem jenkins.example.net.crt > chain.pem
# openssl pkcs12 -export -in chain.pem -inkey jenkins.example.net.key > jenkins.example.net.p12 
# keytool -importkeystore -srckeystore jenkins.example.net.p12 -destkeystore jenkins.example.net.jks -srcstoretype pkcs12

{code}

p.giarrusso@gmail.com (JIRA)

Jul 8, 2015, 3:55:02 PM7/8/15
to jenkinsc...@googlegroups.com

So as you can see I have the new key format and at the same time I can't use self signed certificate in jenkins.

You sound surprised, but that's what we figured. The key format is too new — Jenkins only understands the old one (or JKS).

dbeck@cloudbees.com (JIRA)

Jul 9, 2015, 4:21:02 AM7/9/15
to jenkinsc...@googlegroups.com
Daniel Beck updated an issue
 
Jenkins / New Feature JENKINS-22448
Add support for PKCS #8 private keys

Changed issue title and type based on recent comments.

Change By: Daniel Beck
Summary: Jenkins Error CA Certificate -> Add support for PKCS #8 private keys
Issue Type: Bug -> New Feature

alex.hha@gmail.com (JIRA)

Jul 9, 2015, 4:23:01 AM7/9/15
to jenkinsc...@googlegroups.com
Alex Domoradov commented on New Feature JENKINS-22448
 
Re: Add support for PKCS #8 private keys

I don't think so. Because I have 2 certificates (X509 format), one of them from StartSSL and another one from GoDaddy and they both work with jenkins. And I have used the same openssl version and commands to generate csr/private key. Something like the following

# openssl req -nodes -sha256 -newkey rsa:4096 -keyout jenkins.example.net.key -out jenkins.example.net.csr
 

and the following ones for self signed certificate

# openssl req -new -x509 -extensions v3_ca -keyout private/rootca.key -out rootca.crt -days 3650 -config ./openssl.conf

# openssl req -new -nodes -out jenkins.example.net.csr -keyout jenkins.example.net.key -config ./openssl.conf

# openssl ca -out jenkins.example.net.crt -config ./openssl.conf -infiles jenkins.example.net.csr

alex.hha@gmail.com (JIRA)

Jul 9, 2015, 4:24:01 AM7/9/15
to jenkinsc...@googlegroups.com
Alex Domoradov edited a comment on New Feature JENKINS-22448
I don't think so. Because I have 2 certificates (X509 format), one of them from StartSSL and another one from GoDaddy and they both work with jenkins. And I have used the same openssl version and commands to generate csr/private key. Something like the following

{code}

# openssl req -nodes -sha256 -newkey rsa:4096 -keyout jenkins.example.net.key -out jenkins.example.net.csr
 {code}


and the following ones for self signed certificate
{code}

# openssl req -new -x509 -extensions v3_ca -keyout private/rootca.key -out rootca.crt -days 3650 -config ./openssl.conf

# openssl req -new -nodes -out jenkins.example.net.csr -keyout jenkins.example.net.key -config ./openssl.conf

# openssl ca -out jenkins.example.net.crt -config ./openssl.conf -infiles jenkins.example.net.csr
{code}

dbeck@cloudbees.com (JIRA)

Jul 9, 2015, 4:33:02 AM7/9/15
to jenkinsc...@googlegroups.com
Daniel Beck updated an issue
Change By: Daniel Beck
Component/s: winstone-jetty
Component/s: core

p.giarrusso@gmail.com (JIRA)

Jul 9, 2015, 4:40:02 AM7/9/15
to jenkinsc...@googlegroups.com
Paolo Giarrusso commented on New Feature JENKINS-22448
 
Re: Add support for PKCS #8 private keys

If the working certificate also use the "new format" (BEGIN PRIVATE KEY), then the current hypothesis seems insufficient. However, could you still see what happens if you convert the key to the "old format" and use the result, as suggested by andrew finkenstadt's post?

openssl rsa -in jenkins.example.net.key -out jenkins_new.example.net.key

However, (I guess) Jenkins shouldn't contain its own code to parse keys anyway, it should at best just integrate some third-party library for it (hoping there's a library you can use without too much expertise).

For now, fixing docs seems more urgent.

alex.hha@gmail.com (JIRA)

Jul 9, 2015, 10:26:01 AM7/9/15
to jenkinsc...@googlegroups.com

It works with the old key format! I have converted the key on a centos 5 box with the following openssl version

# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

alex.hha@gmail.com (JIRA)

Jul 9, 2015, 10:33:02 AM7/9/15
to jenkinsc...@googlegroups.com
Alex Domoradov edited a comment on New Feature JENKINS-22448
It works with the old key format! I have converted the key on a centos 5 box with the following openssl version

{code}

# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
{code}

But as before it has a very low result on ssl labs. So the question is: is it possible to enable Forward Secrecy, disable RC4 and enable support of strong Diffie-Hellman (DH) key exchange (1024+)? Or is the only way to use some sort of reverse proxy such as nginx/haproxy/apache?

p.giarrusso@gmail.com (JIRA)

Jul 9, 2015, 10:54:01 AM7/9/15
to jenkinsc...@googlegroups.com

Alex Domoradov Good question, but that belongs to a separate bug.

Googling leads to https://issues.jenkins-ci.org/browse/JENKINS-23925, but even after the "workaround" there (switching away from Java 6) RC4 looks enabled. Jenkins's default servlet container doesn't seem to document extensive SSL configuration support (see http://winstone.sourceforge.net/#https).
After some googling, I'd guess that either changing servlet container (to some with good HTTPS support) or reverse proxying seems a better idea, at least because it's done often and well documented — I couldn't even find how to disable RC4 with Jenkins, while I've run into how to configure nginx without looking for it.
(Again, I'm just another user bitten from the issue).

alex.hha@gmail.com (JIRA)

Jul 9, 2015, 11:17:01 AM7/9/15
to jenkinsc...@googlegroups.com

I think it would be great if someone from the developers would say anything

P.S.
My jenkins ships with JAVA_VERSION="1.8.0_20".

dbeck@cloudbees.com (JIRA)

Jul 9, 2015, 11:18:03 AM7/9/15
to jenkinsc...@googlegroups.com

even after the "workaround" there (switching away from Java 6) RC4 looks enabled.

If the problem is not just outdated Java (remember that Java 7 already is old as well, should be the newest version of that), please reopen. It shouldn't be too difficult to implement.

dbeck@cloudbees.com (JIRA)

Jul 9, 2015, 12:20:01 PM7/9/15
to jenkinsc...@googlegroups.com

So it looks like for Java you can just configure that rather than your application.

http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#DisabledAlgorithms
Here's a guide for a different application: http://www.papercut.com/kb/Main/SSLCipherConfiguration

Do these help?

alex.hha@gmail.com (JIRA)

Jul 9, 2015, 12:42:01 PM7/9/15
to jenkinsc...@googlegroups.com

OMG, the "bloody" java

I will try it and will let you know

P.S.
in tomcat, e.g., it's configured in a very simple way

<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
   scheme="https"
   secure="true"
   clientAuth="false"
   useBodyEncodingForURI="true"

   SSLEnabled="true"
   SSLHonorCipherOrder="true"
   SSLDisableCompression="true"
   SSLCertificateFile="/etc/pki/jira/jira.example.net.crt"
   SSLCertificateKeyFile="/etc/pki/jira/jira.example.net.key"
   SSLCACertificateFile="/etc/pki/jira/ca.pem"
   SSLCertificateChainFile="/etc/pki/jira/sub.class1.server.ca.pem"
   SSLCipherSuite="kEECDH+AES128:kEECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2"
   SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
/>

tom.canova@us.ibm.com (JIRA)

Aug 19, 2015, 2:11:02 PM8/19/15
to jenkinsc...@googlegroups.com

I'm using the official jenkins docker container to run my jenkins master. Just tried adding key and certificate and I'm getting what appears to be the same error.
Would using openssl to convert the key or cert to a different format help?
{code}
SEVERE: Container startup failed
java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
at winstone.Launcher.spawnListener(Launcher.java:209)
at winstone.Launcher.<init>(Launcher.java:149)
at winstone.Launcher.main(Launcher.java:354)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at Main._main(Main.java:293)
at Main.main(Main.java:98)
Caused by: java.io.IOException: DerValue.getBigInteger, not an int 48
at sun.security.util.DerValue.getBigInteger(DerValue.java:511)
at winstone.HttpsConnectorFactory.readPEMRSAPrivateKey(HttpsConnectorFactory.java:173)
at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:89)
at winstone.Launcher.spawnListener(Launcher.java:207)
... 8 more
{code}

tom.canova@us.ibm.com (JIRA)

Aug 19, 2015, 3:45:02 PM8/19/15
to jenkinsc...@googlegroups.com

Solved with the jenkins docker container by converting everything to a keystore

first added a password to my key
openssl rsa -des3 -in key.pem -out key.encrypted.pem

then converted to pkcs12
openssl pkcs12 -inkey key.encrypted.pem -in cert.pem -export -out keys.encrypted.pkcs12

then created a keystore (password for keystore should be same as password for key)
keytool -importkeystore -srckeystore keys.encrypted.pkcs12 -srcstoretype pkcs12 -destkeystore keystore

then updated Dockerfile to include keystore and a reference to it in JENKINS_OPTS
{code}
FROM jenkins
USER root
RUN apt-get update && apt-get install -y jq
USER jenkins
COPY keystore /var/lib/jenkins/keystore
ENV JENKINS_OPTS --httpPort=8080 --httpsPort=8443 --httpsKeyStore=/var/lib/jenkins/keystore --httpsKeyStorePassword=whateverpasswordyouspecified
EXPOSE 8443
{code}

roidelapluie@inuits.eu (JIRA)

Jan 13, 2017, 5:22:04 AM1/13/17
to jenkinsc...@googlegroups.com

The problem is that Jenkins expects an RSA key, not a private key

Convert /var/lib/jenkins/cert/cci-jenkins.key into a plain RSA key:

cp /var/lib/jenkins/cert/cci-jenkins.key /var/lib/jenkins/cert/cci-jenkins.key.full
openssl rsa -in  /var/lib/jenkins/cert/cci-jenkins.key.full -out /var/lib/jenkins/cert/cci-jenkins.key

http://stackoverflow.com/questions/17733536/how-to-convert-a-private-key-to-an-rsa-private-key
