Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-16531

jenkins-cli with apache+ssl fails with 403

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: cli
    • Labels:
      None
    • Similar Issues:

      Description

      Using jenkins-cli with public key authentication.

      jenkins-cli -s http://localhost:8080 help

      works.

      Using jenkins-cli with public key authentication.

      jenkins-cli -s https://jenkins.example.com help

      fails with a 403.

      Exception in thread "main" java.io.IOException: Server returned HTTP response code: 403 for URL: https://jenkins.example.com/cli
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1403)
      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
      at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:61)
      at hudson.cli.CLI.<init>(CLI.java:110)
      at hudson.cli.CLI.<init>(CLI.java:82)
      at hudson.cli.CLI._main(CLI.java:250)
      at hudson.cli.CLI.main(CLI.java:199)

      Apache configuration is a simple vhost with ProxyPass/ProxyPassReverse at the root.

        Attachments

          Issue Links

            Activity

            Hide
            sidnei Sidnei da Silva added a comment -

            Apparently this might be related to SNI (or the lack thereof) on the client side.

            Since this host has multiple SSL vhosts with the same IP, the following config setting was added:

            SSLStrictSNIVHostCheck on

            ... which causes non-SNI clients to be rejected (http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslstrictsnivhostcheck)

            Changing it to:

            SSLStrictSNIVHostCheck off

            ... gets rid of the 403. However the client instead will hang.

            Seems similar to JENKINS-11560 and JENKINS-16345, though the SNI problem could be considered a separate issue.

            Show
            sidnei Sidnei da Silva added a comment - Apparently this might be related to SNI (or the lack thereof) on the client side. Since this host has multiple SSL vhosts with the same IP, the following config setting was added: SSLStrictSNIVHostCheck on ... which causes non-SNI clients to be rejected ( http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslstrictsnivhostcheck ) Changing it to: SSLStrictSNIVHostCheck off ... gets rid of the 403. However the client instead will hang. Seems similar to JENKINS-11560 and JENKINS-16345 , though the SNI problem could be considered a separate issue.

              People

              • Assignee:
                Unassigned
                Reporter:
                sidnei Sidnei da Silva
              • Votes:
                1 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated: