Jenkins / JENKINS-22448

Add support for PKCS #8 private keys

    Details

    • Type: New Feature
    • Status: Reopened
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: winstone-jetty
    • Labels:
      None
    • Environment:
      Redhat Linux

      Description

      I am trying to start Jenkins using a CA-signed certificate, but I am getting this error:

      Running from: /usr/lib/jenkins/jenkins.war
      Apr 01, 2014 9:56:01 AM winstone.Logger logInternal
      INFO: Winstone shutdown successfully
      Apr 01, 2014 9:56:01 AM winstone.Logger logInternal
      SEVERE: Container startup failed
      java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
      at winstone.Launcher.spawnListener(Launcher.java:209)
      at winstone.Launcher.<init>(Launcher.java:149)
      at winstone.Launcher.main(Launcher.java:354)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:606)
      at Main._main(Main.java:293)
      at Main.main(Main.java:98)
      Caused by: java.io.IOException: DerValue.getBigInteger, not an int 48
      at sun.security.util.DerValue.getBigInteger(DerValue.java:511)
      at winstone.HttpsConnectorFactory.readPEMRSAPrivateKey(HttpsConnectorFactory.java:171)
      at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:90)
      at winstone.Launcher.spawnListener(Launcher.java:207)
      ... 8 more

      OpenSSL was used to generate the key and CSR, then the CA gave us back the cert. What could be causing this error?

      JENKINS_ARGS="--httpsCertificate=/var/lib/jenkins/cert/cci-jenkins_uncc_edu_cert.cer --httpsPrivateKey=/var/lib/jenkins/cert/cci-jenkins.key"

          Activity

          danielbeck Daniel Beck added a comment -

          So it looks like for Java you can just configure that rather than your application.

          http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#DisabledAlgorithms
          Here's a guide for a different application: http://www.papercut.com/kb/Main/SSLCipherConfiguration

          Do these help?

          alex_hha Alex Domoradov added a comment -

          OMG, the "bloody" java

          I will try it and will let you know

          P.S.
          In Tomcat, for example, it's configured in a very simple way:

          <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             scheme="https"
             secure="true"
             clientAuth="false"
             useBodyEncodingForURI="true"
          
             SSLEnabled="true"
             SSLHonorCipherOrder="true"
             SSLDisableCompression="true"
             SSLCertificateFile="/etc/pki/jira/jira.example.net.crt"
             SSLCertificateKeyFile="/etc/pki/jira/jira.example.net.key"
             SSLCACertificateFile="/etc/pki/jira/ca.pem"
             SSLCertificateChainFile="/etc/pki/jira/sub.class1.server.ca.pem"
             SSLCipherSuite="kEECDH+AES128:kEECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2"
             SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
          />
          
          canova Tom Canova added a comment -

          I'm using the official Jenkins Docker container to run my Jenkins master. Just tried adding the key and certificate and I'm getting what appears to be the same error.
          Would using openssl to convert the key or cert to a different format help?

          SEVERE: Container startup failed
          java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
          at winstone.Launcher.spawnListener(Launcher.java:209)
          at winstone.Launcher.<init>(Launcher.java:149)
          at winstone.Launcher.main(Launcher.java:354)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
          at java.lang.reflect.Method.invoke(Method.java:497)
          at Main._main(Main.java:293)
          at Main.main(Main.java:98)
          Caused by: java.io.IOException: DerValue.getBigInteger, not an int 48
          at sun.security.util.DerValue.getBigInteger(DerValue.java:511)
          at winstone.HttpsConnectorFactory.readPEMRSAPrivateKey(HttpsConnectorFactory.java:173)
          at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:89)
          at winstone.Launcher.spawnListener(Launcher.java:207)
          ... 8 more

          canova Tom Canova added a comment -

          Solved with the Jenkins Docker container by converting everything to a keystore.

          First added a password to my key:
          openssl rsa -des3 -in key.pem -out key.encrypted.pem

          Then converted to PKCS#12:
          openssl pkcs12 -inkey key.encrypted.pem -in cert.pem -export -out keys.encrypted.pkcs12

          Then created a keystore (the password for the keystore should be the same as the password for the key):
          keytool -importkeystore -srckeystore keys.encrypted.pkcs12 -srcstoretype pkcs12 -destkeystore keystore

          Then updated the Dockerfile to include the keystore and a reference to it in JENKINS_OPTS:
          FROM jenkins
          USER root
          RUN apt-get update && apt-get install -y jq
          USER jenkins
          COPY keystore /var/lib/jenkins/keystore
          ENV JENKINS_OPTS --httpPort=8080 --httpsPort=8443 --httpsKeyStore=/var/lib/jenkins/keystore --httpsKeyStorePassword=whateverpasswordyouspecified
          EXPOSE 8443

          roidelapluie Julien Pivotto added a comment -

          The problem is that Jenkins expects an RSA key, not a private key.

          Convert /var/lib/jenkins/cert/cci-jenkins.key into a plain RSA key:

          cp /var/lib/jenkins/cert/cci-jenkins.key /var/lib/jenkins/cert/cci-jenkins.key.full
          openssl rsa -in  /var/lib/jenkins/cert/cci-jenkins.key.full -out /var/lib/jenkins/cert/cci-jenkins.key
          

          http://stackoverflow.com/questions/17733536/how-to-convert-a-private-key-to-an-rsa-private-key

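Why the startup fails with "not an int 48", and a check that tells the two PEM formats apart before the key reaches Winstone, as an added example that is not part of this issue or of Winstone's code: 48 is 0x30, the DER SEQUENCE tag. Both a PKCS#1 RSAPrivateKey and a PKCS#8 PrivateKeyInfo start with SEQUENCE { INTEGER version, ... }, but in PKCS#1 the modulus INTEGER comes next, while in PKCS#8 an AlgorithmIdentifier SEQUENCE comes next, which is exactly what readPEMRSAPrivateKey's getBigInteger call tripped over. The two sample keys below are constructed toy DER, not real keys, and the function and constant names are mine.

```python
import base64
import re

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04   # DER tags; 0x30 is the "48" in the error

def _read_tlv(buf, pos):
    """Decode the DER tag-length-value at buf[pos]; returns (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                              # long-form length, as real 2048-bit keys use
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def classify_private_key_pem(pem):
    """Return 'pkcs1', 'pkcs8' or 'unknown' from the DER structure, ignoring the PEM label."""
    m = re.search(r"-----BEGIN [A-Z ]+-----(.*?)-----END", pem, re.S)
    if not m:
        return "unknown"
    try:
        outer, body, _ = _read_tlv(base64.b64decode("".join(m.group(1).split())), 0)
        version, _, pos = _read_tlv(body, 0)   # both formats: SEQUENCE { INTEGER version, ... }
        second = body[pos]                     # the tag of the second element tells them apart
    except (IndexError, ValueError):           # truncated or garbled DER, or bad base64
        return "unknown"
    if outer != SEQUENCE or version != INTEGER:
        return "unknown"
    if second == INTEGER:                      # RSAPrivateKey: modulus n follows the version
        return "pkcs1"
    if second == SEQUENCE:                     # PrivateKeyInfo: AlgorithmIdentifier follows -> "not an int 48"
        return "pkcs8"
    return "unknown"

# --- constructed toy inputs: structurally valid DER, not usable keys ---
def _tlv(tag, payload):                        # short-form length only; toy payloads stay under 128 bytes
    return bytes([tag, len(payload)]) + payload

def toy_pkcs1_der():
    # RSAPrivateKey: version 0 plus eight one-byte INTEGERs standing in for n, e, d, p, q, dP, dQ, qInv
    return _tlv(SEQUENCE, b"".join(_tlv(INTEGER, bytes([v])) for v in (0, 77, 3, 5, 7, 11, 1, 2, 4)))

def toy_pkcs8_der():
    alg_id = _tlv(SEQUENCE, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    return _tlv(SEQUENCE, _tlv(INTEGER, b"\x00") + alg_id + _tlv(OCTET_STRING, toy_pkcs1_der()))

def to_pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

PKCS1_PEM = to_pem("RSA PRIVATE KEY", toy_pkcs1_der())   # the form Winstone's readPEMRSAPrivateKey parses
PKCS8_PEM = to_pem("PRIVATE KEY", toy_pkcs8_der())       # the form that produces "not an int 48"
```

Calling classify_private_key_pem() on the contents of the file passed to --httpsPrivateKey returns "pkcs8" for a key that needs the openssl rsa conversion above; legacy encrypted PKCS#1 files with Proc-Type headers are not handled and come back "unknown".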

            People

            • Assignee: Unassigned
            • Reporter: TJ Bryant (tjbryant)
            • Votes: 2
            • Watchers: 9