[JNLP][Agent][Docker] connect an Agent to a Jenkins instance using self-signed certs


Ivan Fernandez Calvo

Apr 11, 2020, 8:13:28 AM
to Jenkins Users
Hi,

I have a Jenkins instance running (2.230, also I have tested LTS) on a Docker container using only HTTPS with self-signed certificates. In the same network I start an SSH Build Agent and a JNLP Agent. The SSH Build Agent connects without issues, but the JNLP one gives me an error and I dunno what it is related to: it says that the X-Instance-Identity is invalid. There is no proxy or anything else in between, and the X-Instance-Identity is there, so I dunno why Jenkins says it is invalid. Does anyone see something similar or know what this error is about?

This is the Agent config

<slave>
  <name>jnlp-agent</name>
  <remoteFS>/home/jenkins</remoteFS>
  <numExecutors>2</numExecutors>
  <mode>NORMAL</mode>
  <launcher class="hudson.slaves.JNLPLauncher">
    <workDirSettings>
      <disabled>false</disabled>
      <workDirPath>/home/jenkins</workDirPath>
      <internalDir>remoting</internalDir>
      <failIfWorkDirIsMissing>false</failIfWorkDirIsMissing>
    </workDirSettings>
    <webSocket>false</webSocket>
  </launcher>
  <label>jnlp linux</label>
  <nodeProperties/>
</slave>


These are the commands I use to launch the Jenkins instance

printf "[dn]\nCN=localhost\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:localhost\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth" > domain.ext

openssl req \
    -newkey rsa:2048 -nodes -sha256 -keyout domain_private.key \
    -x509 -days 365 -out domain.crt \
    -subj '/CN=localhost' -extensions EXT -config domain.ext

openssl rsa -in domain_private.key -out domain.key

docker run \
    -e JENKINS_OPTS="--httpPort=-1 --httpsPort=9443 --httpsCertificate=/var/lib/jenkins/cert --httpsPrivateKey=/var/lib/jenkins/pk" \
    --name jenkins \
    --rm \
    -p 9443:9443 \
    -v jenkins_home:/var/jenkins_home \
    --network net \
    jenkins/jenkins-tls:2.230



And this is the command used to launch the Agent

docker run --name jnlp-agent -it --rm --network net jenkins/jnlp-slave -disableHttpsCertValidation -credentials jenkins:"SuP3rP4ssw0rd" -url https://jenkins:9443/computer/jnlp-agent/slave-agent.jnlp 224a6accfb5b9728e3db3dfc43ae8d2d986b24c09b2d8701497ca13c474d3dde jnlp-agent 

Apr 11, 2020 11:36:59 AM hudson.remoting.jnlp.Main createEngine
INFO: Setting up agent: jnlp-agent
Apr 11, 2020 11:36:59 AM hudson.remoting.jnlp.Main$CuiListener <init>
INFO: Jenkins agent is running in headless mode.
Apr 11, 2020 11:36:59 AM hudson.remoting.jnlp.Main createEngine
WARNING: Certificate validation for HTTPs endpoints is disabled
Apr 11, 2020 11:37:00 AM hudson.remoting.Engine startEngine
INFO: Using Remoting version: 4.3
Apr 11, 2020 11:37:00 AM hudson.remoting.Engine startEngine
WARNING: No Working Directory. Using the legacy JAR Cache location: /home/jenkins/.jenkins/cache/jars
Apr 11, 2020 11:37:00 AM hudson.remoting.jnlp.Main$CuiListener status
INFO: Locating server among [https://jenkins:9443/computer/jnlp-agent/slave-agent.jnlp]
Apr 11, 2020 11:37:00 AM org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver openURLConnection
WARNING: HTTPs certificate check is disabled for the endpoint.
Apr 11, 2020 11:37:00 AM hudson.remoting.jnlp.Main$CuiListener error
SEVERE: https://jenkins:9443/computer/jnlp-agent/slave-agent.jnlp/tcpSlaveAgentListener/ appears to be publishing an invalid X-Instance-Identity.
java.io.IOException: https://jenkins:9443/computer/jnlp-agent/slave-agent.jnlp/tcpSlaveAgentListener/ appears to be publishing an invalid X-Instance-Identity.
    at org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver.resolve(JnlpAgentEndpointResolver.java:287)
    at hudson.remoting.Engine.innerRun(Engine.java:693)
    at hudson.remoting.Engine.run(Engine.java:518)


So I've changed to try to use direct connect, without luck.

JENKINS_INSTANCE_IDENTITY=$(curl -sfkI https://localhost:9443 | grep X-Instance-Identity | cut -d\  -f2)


echo ${JENKINS_INSTANCE_IDENTITY}

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAijph9cC+d2brNUMc+wE8Y3ZUvByXYIDZzJpAL37x6juBmwTGKPhOhCmmal/Lm5dTMAF1IWnZyOlMnLPrcPm4ifbhOS11Azpk/3lIH+DrK0ypXqVgYRf9ovLF7ZFRvNZovr6eMHXql4pK5wzgFQGM0ZcP6WwaWfKAma3ekqFLz986WvNBsQ4r7C5sxPZLYiSBuBiy+8bMSzzfd6S7FbpWG3RMJjXckw5mG4jDmLkMSfdhLrTsTKQbcPgPrbSJlZdZRUW5SdxsFF0oxuhhNibUkNgDcDQ3UEHVVVM2H7g1ul3gzOThX6mXf6Hm/YUCNmIGlQIb/siOQe5mxcYxxl/VAQIDAQAB


docker run --name jnlp-agent -it --rm --network net jenkins/jnlp-slave -disableHttpsCertValidation -credentials jenkins:"SuP3rP4ssw0rd" -instanceIdentity ${JENKINS_INSTANCE_IDENTITY} -direct jenkins:9443 224a6accfb5b9728e3db3dfc43ae8d2d986b24c09b2d8701497ca13c474d3dde jnlp-agent 

Apr 11, 2020 11:45:28 AM hudson.remoting.jnlp.Main createEngine
INFO: Setting up agent: jnlp-agent
Apr 11, 2020 11:45:29 AM hudson.remoting.jnlp.Main$CuiListener <init>
INFO: Jenkins agent is running in headless mode.
Apr 11, 2020 11:45:29 AM hudson.remoting.jnlp.Main createEngine
WARNING: Certificate validation for HTTPs endpoints is disabled
Apr 11, 2020 11:45:29 AM hudson.remoting.Engine startEngine
INFO: Using Remoting version: 4.3
Apr 11, 2020 11:45:29 AM hudson.remoting.Engine startEngine
WARNING: No Working Directory. Using the legacy JAR Cache location: /home/jenkins/.jenkins/cache/jars
Apr 11, 2020 11:45:29 AM hudson.remoting.jnlp.Main$CuiListener status
INFO: Locating server among []
Apr 11, 2020 11:45:29 AM hudson.remoting.jnlp.Main$CuiListener error
SEVERE: Illegal base64 character d
java.lang.IllegalArgumentException: Illegal base64 character d
    at java.util.Base64$Decoder.decode0(Base64.java:714)
    at java.util.Base64$Decoder.decode(Base64.java:526)
    at java.util.Base64$Decoder.decode(Base64.java:549)
    at org.jenkinsci.remoting.engine.JnlpEndpointResolver.getIdentity(JnlpEndpointResolver.java:43)
    at org.jenkinsci.remoting.engine.JnlpAgentEndpointConfigurator.resolve(JnlpAgentEndpointConfigurator.java:51)
    at hudson.remoting.Engine.innerRun(Engine.java:693)
    at hudson.remoting.Engine.run(Engine.java:518)
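
The `d` in `Illegal base64 character d` is the offending byte printed in hex: 0x0d, a carriage return. HTTP header lines end in CRLF, and the `grep | cut` extraction above keeps the CR at the end of the value. The following is an added example, not part of the original post, that reproduces this on constructed headers and extracts the value cleanly; the function names and the short identity value are made up for illustration.

```shell
#!/bin/sh
# Constructed response headers, CRLF-terminated like real HTTP.
# The identity value is a short constructed placeholder, not a real key.
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'X-Jenkins: 2.230\r\n'
    printf 'X-Instance-Identity: QUJDREVGR0g=\r\n'
    printf '\r\n'
}

# The extraction used in the post: the trailing CR (0x0d) stays in the value.
naive_identity() {
    grep X-Instance-Identity | cut -d' ' -f2
}

# Hardened extraction: strip CRs, match the header name case-insensitively,
# and refuse anything that is not plain base64 before it reaches the agent.
clean_identity() {
    id=$(tr -d '\r' | awk 'tolower($1) == "x-instance-identity:" { print $2; exit }')
    [ -n "$id" ] || { echo "X-Instance-Identity header not found" >&2; return 1; }
    printf '%s' "$id" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' \
        || { echo "value is not base64" >&2; return 1; }
    [ $(( ${#id} % 4 )) -eq 0 ] || { echo "bad base64 length" >&2; return 1; }
    printf '%s\n' "$id"
}

# Count CR bytes in a value, to make the invisible character visible.
cr_count() {
    printf '%s' "$1" | tr -cd '\r' | wc -c | tr -d ' '
}

# Against the live instance, pipe the post's curl command into the function:
#   JENKINS_INSTANCE_IDENTITY=$(curl -sfkI https://localhost:9443 | clean_identity)
```

Quoting the variable (`-instanceIdentity "${JENKINS_INSTANCE_IDENTITY}"`) does not help on its own, because the CR is part of the value rather than a word separator.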

Ivan Fernandez Calvo

Apr 11, 2020, 11:49:25 AM
to Jenkins Users
Well, it was a stupid thing: the URL that I pass to the Docker container is the JNLP agent URL (https://jenkins:9443/computer/jnlp-agent/slave-agent.jnlp), it should be the Jenkins URL (https://jenkins:9443), so that's my error.

This command works as expected :palmface:

docker run --name jnlp-agent -it --rm --network net jenkins/jnlp-slave -disableHttpsCertValidation -credentials jenkins:"SuP3rP4ssw0rd" -url https://jenkins:9443 224a6accfb5b9728e3db3dfc43ae8d2d986b24c09b2d8701497ca13c474d3dde jnlp-agent

BTW the error message is completely unrelated to the failure, that was what confused me.

Ramanathan Muthaiah

Apr 13, 2020, 12:49:45 PM
to Jenkins Users
On Saturday, April 11, 2020 at 5:43:28 PM UTC+5:30, Ivan Fernandez Calvo wrote:
Hi,

I have a Jenkins instance running (2.230, also I have tested LTS) on a Docker container using only HTTPS with self-signed certificates, in the same network I start an SSH Build Agent and a JNLP Agent, the SSH Build agent connects without issues,

Am interested to know how you managed this config i.e. SSH connectivity from the master to external build agent or node.

For a while, I have been searching thru' docs, this forum and SO but could not find proper solution.

Would appreciate if you can pls outline the functional config or procedure.

/Ram 

Ivan Fernandez Calvo

Apr 13, 2020, 1:32:12 PM
to Jenkins Users
I make it with JCasC; basically it is a Docker Compose with Jenkins, openSAML, and an SSH Build Agent. It is what I use to test issues, see https://github.com/kuisathaverat/jenkins-issues/tree/master/jobDSL

You have a bunch of examples in the JCasC demo folder

https://github.com/jenkinsci/configuration-as-code-plugin/blob/master/demos/build_agents/README.md

Ramanathan Muthaiah

Apr 14, 2020, 12:43:32 PM
to Jenkins Users
Thanks very much for sharing the info, will take a look.

/Ram 