[JIRA] (JENKINS-43210) Windows Agent can't connect to Master through JNLP


bcygan@cloudbees.com (JIRA)

Mar 30, 2017, 3:46:02 AM
to jenkinsc...@googlegroups.com
bcygan created an issue
 
Jenkins / Bug JENKINS-43210
Windows Agent can't connect to Master through JNLP
Issue Type: Bug
Assignee: Kohsuke Kawaguchi
Components: core, windows-slaves-plugin
Created: 2017/Mar/30 7:45 AM
Environment: Jenkins Core 2.32.2.7 running on RHEL 6.8 with JDK 8u121
Windows Slaves Plugin 1.3.1
Windows Server 2012 with latest patches and JDK 8u121
Labels: slave windows
Priority: Blocker
Reporter: bcygan

When executing 

java -Xmx1g -jar slave.jar -jnlpUrl http://dfvvt01seuops.somebank.somenet/jenkins-iteb/computer/DFVIASTWHUDSON2/slave-agent.jnlp

I get

Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main createEngine
INFORMATION: Setting up slave: DFVIASTWHUDSON2
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener <init>
INFORMATION: Jenkins agent is running in headless mode.
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Locating server among http://dfvvt01seuops.somebank.somenet/jenkins-iteb/
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Agent discovery successful
  Agent address: dfvvt01seuops.somebank.somenet
  Agent port: 50000
  Identity: 13:74:a6:18:f1:96:9c:cb:69:57:26:b1:a2:17:f2:c9
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Handshaking
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Connecting to dfvvt01seuops.somebank.somenet:50000
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Trying protocol: JNLP4-connect
Mõr 30, 2017 9:29:36 AM org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer onRecv
SCHWERWIEGEND: [JNLP4-connect connection to dfvvt01seuops.somebank.somenet/10.241.209.26:50000]
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.wrap(Unknown Source)
    at javax.net.ssl.SSLEngine.wrap(Unknown Source)
    at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:392)
    at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.onRecv(SSLEngineFilterLayer.java:117)
    at org.jenkinsci.remoting.protocol.ProtocolStack$Ptr.onRecv(ProtocolStack.java:669)
    at org.jenkinsci.remoting.protocol.NetworkLayer.onRead(NetworkLayer.java:136)
    at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer.access$2200(BIONetworkLayer.java:48)
    at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer$Reader.run(BIONetworkLayer.java:283)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at hudson.remoting.Engine$1$1.run(Engine.java:94)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker$1.run(Unknown Source)
    at sun.security.ssl.Handshaker$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
    at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:382)
    ... 9 more
Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=74df086770b5c378864b03273a8576ae) is not in the list of trusted keys
    at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkPublicKey(PublicKeyMatchingX509ExtendedTrustManager.java:216)
    at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkServerTrusted(PublicKeyMatchingX509ExtendedTrustManager.java:263)
    at org.jenkinsci.remoting.protocol.cert.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:148)
    ... 17 more
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Protocol JNLP4-connect encountered an unexpected exception
java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at org.jenkinsci.remoting.util.SettableFuture.get(SettableFuture.java:223)
    at hudson.remoting.Engine.innerRun(Engine.java:385)
    at hudson.remoting.Engine.run(Engine.java:287)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.wrap(Unknown Source)
    at javax.net.ssl.SSLEngine.wrap(Unknown Source)
    at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:392)
    at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.onRecv(SSLEngineFilterLayer.java:117)
    at org.jenkinsci.remoting.protocol.ProtocolStack$Ptr.onRecv(ProtocolStack.java:669)
    at org.jenkinsci.remoting.protocol.NetworkLayer.onRead(NetworkLayer.java:136)
    at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer.access$2200(BIONetworkLayer.java:48)
    at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer$Reader.run(BIONetworkLayer.java:283)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at hudson.remoting.Engine$1$1.run(Engine.java:94)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker$1.run(Unknown Source)
    at sun.security.ssl.Handshaker$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
    at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:382)
    ... 9 more
Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=74df086770b5c378864b03273a8576ae) is not in the list of trusted keys
    at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkPublicKey(PublicKeyMatchingX509ExtendedTrustManager.java:216)
    at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkServerTrusted(PublicKeyMatchingX509ExtendedTrustManager.java:263)
    at org.jenkinsci.remoting.protocol.cert.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:148)
    ... 17 more
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Connecting to dfvvt01seuops.somebank.somenet:50000
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Server reports protocol JNLP4-plaintext not supported, skipping
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Trying protocol: JNLP3-connect
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Protocol JNLP3-connect encountered an unexpected exception
java.util.concurrent.ExecutionException: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: JNLP3-connect: Incorrect challenge response from master
    at java.util.concurrent.FutureTask.report(Unknown Source)
    at java.util.concurrent.FutureTask.get(Unknown Source)
    at hudson.remoting.Engine.innerRun(Engine.java:385)
    at hudson.remoting.Engine.run(Engine.java:287)
Caused by: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: JNLP3-connect: Incorrect challenge response from master
    at org.jenkinsci.remoting.engine.JnlpProtocol3Handler.sendHandshake(JnlpProtocol3Handler.java:213)
    at org.jenkinsci.remoting.engine.JnlpProtocol3Handler.sendHandshake(JnlpProtocol3Handler.java:123)
    at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:162)
    at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:158)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at hudson.remoting.Engine$1$1.run(Engine.java:94)
    at java.lang.Thread.run(Unknown Source)
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Connecting to dfvvt01seuops.somebank.somenet:50000
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Trying protocol: JNLP2-connect
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Protocol JNLP2-connect encountered an unexpected exception
java.util.concurrent.ExecutionException: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: Server didn't accept the handshake:
    at java.util.concurrent.FutureTask.report(Unknown Source)
    at java.util.concurrent.FutureTask.get(Unknown Source)
    at hudson.remoting.Engine.innerRun(Engine.java:385)
    at hudson.remoting.Engine.run(Engine.java:287)
Caused by: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: Server didn't accept the handshake:
    at org.jenkinsci.remoting.engine.JnlpProtocol2Handler.sendHandshake(JnlpProtocol2Handler.java:134)
    at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:162)
    at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:158)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at hudson.remoting.Engine$1$1.run(Engine.java:94)
    at java.lang.Thread.run(Unknown Source)
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Connecting to dfvvt01seuops.somebank.somenet:50000
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Trying protocol: JNLP-connect
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Protocol JNLP-connect encountered an unexpected exception
java.util.concurrent.ExecutionException: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: Server didn't accept the handshake:
    at java.util.concurrent.FutureTask.report(Unknown Source)
    at java.util.concurrent.FutureTask.get(Unknown Source)
    at hudson.remoting.Engine.innerRun(Engine.java:385)
    at hudson.remoting.Engine.run(Engine.java:287)
Caused by: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: Server didn't accept the handshake:
    at org.jenkinsci.remoting.engine.JnlpProtocol1Handler.sendHandshake(JnlpProtocol1Handler.java:121)
    at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:162)
    at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:158)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at hudson.remoting.Engine$1$1.run(Engine.java:94)
    at java.lang.Thread.run(Unknown Source)
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener error
SCHWERWIEGEND: The server rejected the connection: None of the protocols were accepted
java.lang.Exception: The server rejected the connection: None of the protocols were accepted
    at hudson.remoting.Engine.onConnectionRejected(Engine.java:484)
    at hudson.remoting.Engine.innerRun(Engine.java:448)
    at hudson.remoting.Engine.run(Engine.java:287)

I don't care for the JNLP3 and JNLP4 issues right now (because I don't need encryption at the moment), but I would expect at least JNLP2 to work. Looks like JENKINS-39232 is not fixed after all.

Related: JENKINS-39232, JENKINS-40668

This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)

o.v.nenashev@gmail.com (JIRA)

Mar 31, 2017, 4:25:01 AM
to jenkinsc...@googlegroups.com
Oleg Nenashev assigned an issue to Oleg Nenashev
Change By: Oleg Nenashev
Assignee: Kohsuke Kawaguchi → Oleg Nenashev

o.v.nenashev@gmail.com (JIRA)

Mar 31, 2017, 4:32:01 AM
to jenkinsc...@googlegroups.com
Oleg Nenashev commented on Bug JENKINS-43210
 
Re: Windows Agent can't connect to Master through JNLP

So I am mostly aware about the JNLP4 protocol failure

Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=74df086770b5c378864b03273a8576ae) is not in the list of trusted keys
    at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkPublicKey(PublicKeyMatchingX509ExtendedTrustManager.java:216)
    at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkServerTrusted(PublicKeyMatchingX509ExtendedTrustManager.java:263)
    at org.jenkinsci.remoting.protocol.cert.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:148)
    ... 17 more
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Protocol JNLP4-connect encountered an unexpected exception
java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

Due to whatever reason the agent does not consider master's certificate as a trusted one. It should never happen for auto-generated certificates AFAIK, so I would assume your master is available over HTTPS and has untrusted certificate.

Please provide more information about your master settings. Jenkins System logs would be also useful.

aburdajewicz@cloudbees.com (JIRA)

Aug 8, 2018, 10:23:01 AM
to jenkinsc...@googlegroups.com

Also if you are running Jenkins behind a proxy, ensure you have the system property `-Dhudson.TcpSlaveAgentListener.hostName=<MASTER_HOSTNAME_OR_IP>` set up on the Jenkins master. See https://wiki.jenkins.io/display/JENKINS/Features+controlled+by+system+properties


matthias.baldi@secanis.ch (JIRA)

Sep 19, 2018, 6:10:02 AM
to jenkinsc...@googlegroups.com
Matthias Baldi updated an issue
 
Change By: Matthias Baldi
Attachment: image-2018-09-19-12-09-33-563.png

matthias.baldi@secanis.ch (JIRA)

Sep 19, 2018, 6:12:02 AM
to jenkinsc...@googlegroups.com
Matthias Baldi commented on Bug JENKINS-43210
 
Re: Windows Agent can't connect to Master through JNLP

We currently also have this issue with different versions of Jenkins (107.x, 121.x, 138.x) with JNLP v4 - all other protocols are disabled.
As soon as this problem occurs, it does not matter whether we down- or upgrade the Jenkins instance; it will occur every time.
When we just enabled JNLP v3, the Slave did not connect to the master and the container died after some seconds because of `no supported JNLP protocol`.
We also tried your property, Allan BURDAJEWICZ, but this did not change the behavior.

This issue only occurs with Jenkins instances we have created since this summer, so there must have been a change between May and July - maybe in the 107.x versions.

We know that when we deploy an older Jenkins version (like <=89x) it will work, but we do not know where we get this Jenkins.io cert from.
The CN is not correct, and we already set the Jenkins.io cert in the truststore, so it should be allowed and trusted.
I think Jenkins generates this cert itself -> Oleg Nenashev, can you answer the question of where this cert is generated and why?
Is this a problem caused by updating to a specific version of a plugin? Or is it a "problem" of Jenkins itself?

For me, this issue is not solved.

Below we add our configuration/logs:

 

INFO: Trying protocol: JNLP4-connect
Sep 19, 2018 11:25:02 AM org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer onRecv
SEVERE: [JNLP4-connect connection to vjkm01.pnet.ch/172.18.15.26:33529] 
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
            at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
            at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
            at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
            at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
            at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
            at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:392)
            at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.onRecv(SSLEngineFilterLayer.java:117)
            at org.jenkinsci.remoting.protocol.ProtocolStack$Ptr.onRecv(ProtocolStack.java:669)
            at org.jenkinsci.remoting.protocol.impl.AckFilterLayer.onRecv(AckFilterLayer.java:255)
            at org.jenkinsci.remoting.protocol.ProtocolStack$Ptr.onRecv(ProtocolStack.java:669)
            at org.jenkinsci.remoting.protocol.NetworkLayer.onRead(NetworkLayer.java:136)
            at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer.access$2200(BIONetworkLayer.java:48)
            at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer$Reader.run(BIONetworkLayer.java:283)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
            at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:93)
            at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
            at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
            at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
            at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
            at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
            at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
            at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
            at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
            at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
            at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
            at java.security.AccessController.doPrivileged(Native Method)
            at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
            at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:382)
            ... 11 more
Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=9dd32b243d0da3c30cff1c129ec3be8c) is not in the list of trusted keys
            at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkPublicKey(PublicKeyMatchingX509ExtendedTrustManager.java:217)
            at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkServerTrusted(PublicKeyMatchingX509ExtendedTrustManager.java:263)
            at org.jenkinsci.remoting.protocol.cert.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:148)
            at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
            ... 18 more
Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status
INFO: Protocol JNLP4-connect encountered an unexpected exception
java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
            at org.jenkinsci.remoting.util.SettableFuture.get(SettableFuture.java:223)
            at hudson.remoting.Engine.innerRun(Engine.java:614)
            at hudson.remoting.Engine.run(Engine.java:474)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
            at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
            at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
            at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
            at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
            at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
            at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:392)
            at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.onRecv(SSLEngineFilterLayer.java:117)
            at org.jenkinsci.remoting.protocol.ProtocolStack$Ptr.onRecv(ProtocolStack.java:669)
            at org.jenkinsci.remoting.protocol.impl.AckFilterLayer.onRecv(AckFilterLayer.java:255)
            at org.jenkinsci.remoting.protocol.ProtocolStack$Ptr.onRecv(ProtocolStack.java:669)
            at org.jenkinsci.remoting.protocol.NetworkLayer.onRead(NetworkLayer.java:136)
            at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer.access$2200(BIONetworkLayer.java:48)
            at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer$Reader.run(BIONetworkLayer.java:283)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
            at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:93)
            at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
            at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
            at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
            at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
            at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
            at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
            at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
            at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
            at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
            at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
            at java.security.AccessController.doPrivileged(Native Method)
            at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
            at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:382)
            ... 11 more
Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=9dd32b243d0da3c30cff1c129ec3be8c) is not in the list of trusted keys
            at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkPublicKey(PublicKeyMatchingX509ExtendedTrustManager.java:217)
            at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkServerTrusted(PublicKeyMatchingX509ExtendedTrustManager.java:263)
            at org.jenkinsci.remoting.protocol.cert.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:148)
            at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
            ... 18 more
Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status
INFO: Connecting to vjkm01.pnet.ch:33529
Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status
INFO: Server reports protocol JNLP4-plaintext not supported, skipping
Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status
INFO: Server reports protocol JNLP3-connect not supported, skipping
Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status
INFO: Server reports protocol JNLP2-connect not supported, skipping
Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status
INFO: Server reports protocol JNLP-connect not supported, skipping
Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener error
SEVERE: The server rejected the connection: None of the protocols were accepted
java.lang.Exception: The server rejected the connection: None of the protocols were accepted
            at hudson.remoting.Engine.onConnectionRejected(Engine.java:675)
            at hudson.remoting.Engine.innerRun(Engine.java:639)
            at hudson.remoting.Engine.run(Engine.java:474)

 

docker-compose configuration for Jenkins (startup conf / Java opts):

 

    environment:
      - JAVA_OPTS="-Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP='' -Dhudson.model.DownloadService.noSignatureCheck=true"
      - JENKINS_OPTS="--requestHeaderSize=16384"

 

 

matthias.baldi@secanis.ch (JIRA)

Oct 3, 2018, 7:54:06 AM
to jenkinsc...@googlegroups.com
Matthias Baldi reopened an issue
 
Change By: Matthias Baldi
Resolution: Won't Fix
Status: Resolved → Reopened

peter_carenza@bcbst.com (JIRA)

Nov 8, 2018, 12:32:02 PM
to jenkinsc...@googlegroups.com
Peter Carenza commented on Bug JENKINS-43210
 
Re: Windows Agent can't connect to Master through JNLP

I am also having this issue with the current Jenkins release, but only from a docker container (exposed ports 8084:8080, 50000:50000).

The standalone version from whence we derived the container works perfectly well. We are currently only using JNLP4.

stephane.rzetelny@outlook.com (JIRA)

Dec 5, 2018, 9:40:03 AM
to jenkinsc...@googlegroups.com
Stéphane Rzetelny updated an issue
 
Change By: Stéphane Rzetelny
Attachment: jenkins-43210-issue.txt

stephane.rzetelny@outlook.com (JIRA)

Dec 5, 2018, 9:41:02 AM
to jenkinsc...@googlegroups.com
Stéphane Rzetelny commented on Bug JENKINS-43210
 
Re: Windows Agent can't connect to Master through JNLP

I have exactly the same issue using the docker image jenkins:jenkins:2.154-slim and using swarm client plugin 3.14 on a Windows slave in a VM.

I have also tried the swarm-client command line option -disableSslVerification without success.

See attachment: jenkins-43210-issue.txt

 

mail@gnuheidix.de (JIRA)

Dec 14, 2018, 11:09:11 AM
to jenkinsc...@googlegroups.com
Thomas Heidrich edited a comment on Bug JENKINS-43210
In reference to my code comment (https://github.com/jenkinsci/jenkins/commit/71cbe0cc7c601c04509faa618b23194335288fee#r31678933), why is the certificate of the JNLP4-Protocol being generated during runtime and not changeable by configuration? How is the agent supposed to validate the certificate? Am I missing something? My agents always report the following during JNLP4 connection attempts:

{noformat}

Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=deadbeefdeadbeefdeadbeef) is not in the list of trusted keys
{noformat}


JNLP3 works fine though, but I want the newer secure stuff.

Is the public key supposed to be transferred in the encrypted and authenticated transfer of slave-agent.jnlp?


UPDATED: Interesting, debugging the agent revealed that the publicKey seems to be transferred, but in my case, this doesn't seem to work.
{noformat}
INFORMATION: Agent discovery successful
  Agent address: jenkins.mycorp
  Agent port:    50000
  Identity:      null
{noformat}

mail@gnuheidix.de (JIRA)

Dec 14, 2018, 11:22:02 AM
to jenkinsc...@googlegroups.com
RESOLVED:
My reverse proxy dropped the header X-Instance-Identity which is being used in the remoting lib (https://github.com/jenkinsci/remoting/blob/master/src/main/java/org/jenkinsci/remoting/engine/JnlpAgentEndpointResolver.java#L248-L269) to transfer the public key to the agents. The following Apache directive is a bad idea in case one wants to use agents.
{noformat}
Header unset X-Instance-Identity
{noformat}
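
Added example (not part of the thread or of Jenkins itself): a small triage script for the two symptoms reported above, the `Identity: null` discovery line and the JNLP4 `not in the list of trusted keys` error, plus a scan of an Apache config for the `Header unset X-Instance-Identity` directive. The sample logs and config are constructed, and the function names and verdict strings are this example's own; the thread only resolves the "identity-missing" case.

```python
import re

# "Identity:" line printed by the agent after endpoint discovery.
IDENTITY_RE = re.compile(r"Identity:\s*(null|[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)")
# JNLP4 trust failure; \W+ tolerates the line break seen in pasted logs.
KEY_ERROR_RE = re.compile(
    r"Public key of the first certificate in chain \(subject: ([^)]*)\)"
    r"\s+is\W+not in the list of trusted keys"
)
# mod_headers directive removing the response header (commented lines never match).
UNSET_RE = re.compile(
    r"^\s*Header\s+(?:(?:always|onsuccess)\s+)?unset\s+X-Instance-Identity\b",
    re.IGNORECASE,
)

# Constructed sample: discovery succeeded but no identity reached the agent.
SAMPLE_LOG_MISSING = """\
INFO: Agent discovery successful
  Agent address: jenkins.example
  Agent port:    50000
  Identity:      null
INFO: Trying protocol: JNLP4-connect
Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=0123456789abcdef) is not in the list of trusted keys
"""

# Constructed sample: an identity fingerprint was received, the key is still rejected.
SAMPLE_LOG_PRESENT = """\
INFO: Agent discovery successful
  Agent address: jenkins.example
  Agent port:    50000
  Identity:      00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=0123456789abcdef) is
 not in the list of trusted keys
"""

# Constructed reverse-proxy fragment.
SAMPLE_APACHE_CONF = """\
<VirtualHost *:80>
    ProxyPass / http://127.0.0.1:8080/ nocanon
    # Header unset X-Instance-Identity
    Header always unset X-Instance-Identity
    Header unset X-Powered-By
</VirtualHost>
"""


def triage_agent_log(log_text):
    """Classify an agent log. Returns (verdict, identity, cert_subject)."""
    err = KEY_ERROR_RE.search(log_text)
    found = IDENTITY_RE.search(log_text)
    identity = found.group(1) if found else None
    if identity == "null":
        identity = None
    if err is None:
        return ("no-trust-failure", identity, None)
    if identity is None:
        # The case resolved in the thread: the public key never reached the
        # agent, so check whether a proxy strips X-Instance-Identity.
        return ("identity-missing", identity, err.group(1))
    # The case from the original report; the thread does not settle its cause.
    return ("identity-present-but-rejected", identity, err.group(1))


def find_identity_stripping(conf_text):
    """Return (line_number, directive) for each directive unsetting the header."""
    return [
        (number, line.strip())
        for number, line in enumerate(conf_text.splitlines(), 1)
        if UNSET_RE.match(line)
    ]


if __name__ == "__main__":
    for name, log in (("missing", SAMPLE_LOG_MISSING), ("present", SAMPLE_LOG_PRESENT)):
        print(name, triage_agent_log(log))
    for number, directive in find_identity_stripping(SAMPLE_APACHE_CONF):
        print(f"proxy config line {number}: {directive}")
```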

matthias.baldi@secanis.ch (JIRA)

Dec 18, 2018, 10:27:05 AM
to jenkinsc...@googlegroups.com
Matthias Baldi edited a comment on Bug JENKINS-43210
Thomas Heidrich, thank you for the information.

We checked our Apache config too, but it seems that our proxy does not reject these headers, so it has to be another problem.
But a workaround for us currently is to first deploy an old Jenkins version, and then we can update it without any problems to the newest one.

I tried it shortly again with the newest version of Jenkins (2.150.1) and one Slave on the same machine. Both tests with Docker containers were successful on Windows and on Linux.
As soon as I can test it, I will try something with a proxy and over multiple servers, maybe it will work now.


And I will update the plugins, maybe it is not an issue of Jenkins itself, it could be that we hit it because of a plugin update.

bismaya.mohapatra@amdocs.com (JIRA)

Oct 18, 2019, 4:35:03 AM
to jenkinsc...@googlegroups.com

We are also getting the same issue: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=74df086770b5c3788....)

We are using Inbound TCP Agent Protocol/4 (TLS encryption).

Any solution for this? We tried with Protocol/3 and other options, but it is not working.


bismaya.mohapatra@amdocs.com (JIRA)

Oct 30, 2019, 7:08:03 AM
to jenkinsc...@googlegroups.com
Bismaya Mohapatra updated an issue
 
Change By: Bismaya Mohapatra