[JIRA] (JENKINS-51005) Unrecognized SSL message after logging in through Google OAuth

40 views
Skip to first unread message

thomas.rame@outlook.com (JIRA)

unread,
Apr 25, 2018, 12:45:03 PM4/25/18
to jenkinsc...@googlegroups.com
Thomas Ramé created an issue
 
Jenkins / Bug JENKINS-51005
Unrecognized SSL message after logging in through Google OAuth
Issue Type: Bug Bug
Assignee: Ryan Campbell
Components: google-login-plugin, google-oauth-plugin
Created: 2018-04-25 16:44
Environment: Jenkins ver. 2.107.1
google-login:1.3.1
Labels: plugin jenkins exception
Priority: Minor Minor
Reporter: Thomas Ramé

Hi  !

 

I'm looking for some help because I'm using the Google OAuth to log into Jenkins but after submitting my credentials Jenkins fails.

 

It was working before but for a few days I'm trying to set up the Istio service mesh. It allows me to use the Istio Ingress controller to manage user requests from outside. To simplify, it's a bit like the nginx controller but Istio deploy a Envoy sidecar aside each of your microservices. It very interesting at some points to fully manage request networking a the cluster.

 

What is great is that I'm able to reach Jenkins from outside, it redirects me to the Google login page, and after submitting, it redirects me back to Jenkins... but... I get the following error:

javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
	at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:710)
	at sun.security.ssl.InputRecord.read(InputRecord.java:527)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:983)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334)
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259)
	at com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:77)
	at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:972)
	at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:283)
	at com.google.api.client.auth.openidconnect.IdTokenResponse.execute(IdTokenResponse.java:120)
	at org.jenkinsci.plugins.googlelogin.GoogleOAuth2SecurityRealm$2.onSuccess(GoogleOAuth2SecurityRealm.java:180)
	at org.jenkinsci.plugins.googlelogin.OAuthSession.doFinishLogin(OAuthSession.java:101)
	at org.jenkinsci.plugins.googlelogin.GoogleOAuth2SecurityRealm.doFinishLogin(GoogleOAuth2SecurityRealm.java:252)
	at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
	at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
	at org.kohsuke.stapler.MetaClass$3.doDispatch(MetaClass.java:209)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
	at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
	at org.jenkinsci.plugins.ssegateway.Endpoint$SSEListenChannelFilter.doFilter(Endpoint.java:225)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
	at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
	at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:61)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:151)
	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:64)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
	at org.eclipse.jetty.server.Server.handle(Server.java:564)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:317)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
	at org.eclipse.jetty.util.thread.Invocable.invokePreferred(Invocable.java:128)
	at org.eclipse.jetty.util.thread.Invocable$InvocableExecutor.invoke(Invocable.java:222)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:294)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:199)
	at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)

According to the error message, it's about SSL (obvious ^^). But I don't understand why...

 

If you have any idea I would appreciate

 

Thank you!
Add Comment Add Comment
 
This message was sent by Atlassian JIRA (v7.3.0#73011-sha1:3c73d0e)
Atlassian logo

thomas.rame@outlook.com (JIRA)

unread,
Apr 25, 2018, 12:47:02 PM4/25/18
to jenkinsc...@googlegroups.com
Thomas Ramé updated an issue
Change By: Thomas Ramé
Hi :) !


 

I'm looking for some help because I'm using the Google OAuth to log into Jenkins but after submitting my credentials Jenkins fails.

 

It was working before but for a few days I'm trying to set up the Istio service mesh. It allows me to use the Istio Ingress controller to manage user requests from outside. To simplify, it's a bit like the nginx controller but Istio deploy a deploys an Envoy sidecar aside each of your microservices. It very interesting at some points to  like fully manage managing request networking a in the cluster , retrying failed requests . ..

 

What is great is that
I'm able to reach Jenkins from outside, it redirects me to the Google login page, and after submitting, it redirects me back to Jenkins... but... I get the following error:
{code:java}
{code}

According to the error message, it's about SSL (obvious ^^). But I don't understand why...

 

If you have any idea I would appreciate :)

 

Thank you!

thomas.rame@outlook.com (JIRA)

unread,
Apr 25, 2018, 1:28:05 PM4/25/18
to jenkinsc...@googlegroups.com
Thomas Ramé updated an issue
Hi :) !

 

I'm looking for some help because I'm using the Google OAuth to log into Jenkins but after submitting my credentials Jenkins fails.

 

It was working before but for a few days I'm trying to set up the Istio service mesh. It allows me to use the Istio Ingress controller to manage user requests from outside. To simplify, it's a bit like the nginx controller but Istio deploys an Envoy sidecar aside each of your microservices. It very interesting at some points like fully managing request networking in the cluster, retrying failed requests...


 

EDIT: This issue may come from the fact that when a microservice do external requests, it can not request "https://www.googleapis.com/userinfo/v2/me" since the Envoy sidecar need to see it clearly to apply some of its routing rules.

 

I will try tomorrow to modify the plugin to reach "http://www.googleapis.com:443/userinfo/v2/me", like that Envoy will be able to reach Google servers.

 

I'm not sure the issue comes from there, but it could ^^...

thomas.rame@outlook.com (JIRA)

unread,
Apr 25, 2018, 1:29:02 PM4/25/18
to jenkinsc...@googlegroups.com
EDIT: This issue may come from the fact that when a microservice do external requests, it can not request "https://www.googleapis.com/userinfo/v2/me" since the Envoy sidecar need needs to see it clearly to apply some of its routing rules.

 

I will try tomorrow to modify the plugin to reach "http://www.googleapis.com:443/userinfo/v2/me", like that , by receiving this request Envoy will be able to reach Google servers via https protocol .


 

I'm not sure the issue comes from there, but it could ^^...

thomas.rame@outlook.com (JIRA)

unread,
Apr 25, 2018, 5:27:03 PM4/25/18
to jenkinsc...@googlegroups.com
EDIT: This issue may come from the fact that when a microservice do external requests, it can not request "https://www.googleapis.com/userinfo/v2/me" since the Envoy sidecar needs to see it clearly to apply some of its routing rules.

 

I will try tomorrow to modify the plugin to reach "http://www.googleapis.com:443/userinfo/v2/me", like that, by receiving this request Envoy will be able to reach Google servers via https protocol.

 

I 'm not sure the issue comes from there, but it could ^^ I'm investigating to configure the Envoy sidecar to not look at external requests at all . ..

thomas.rame@outlook.com (JIRA)

unread,
Apr 26, 2018, 3:11:02 PM4/26/18
to jenkinsc...@googlegroups.com
Thomas Ramé closed an issue as Fixed
Change By: Thomas Ramé
Status: Open Closed
Resolution: Fixed

rcampbell@cloudbees.com (JIRA)

unread,
Apr 26, 2018, 3:22:02 PM4/26/18
to jenkinsc...@googlegroups.com
Ryan Campbell reopened an issue
Change By: Ryan Campbell
Resolution: Fixed
Status: Closed Reopened

rcampbell@cloudbees.com (JIRA)

unread,
Apr 26, 2018, 3:23:03 PM4/26/18
to jenkinsc...@googlegroups.com
Ryan Campbell resolved as Not A Defect
 

Looks like an environmental issue, closing with correct resolution.
Change By: Ryan Campbell
Status: Reopened Resolved
Resolution: Not A Defect
Reply all
Reply to author
Forward
0 new messages