JENKINS-22448: Add support for PKCS #8 private keys

    Details

    • Type: New Feature
    • Status: Reopened
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: winstone-jetty
    • Labels: None
    • Environment: Redhat Linux

      Description

      I am trying to start jenkins using a CA signed certificate but I am getting this error

      Running from: /usr/lib/jenkins/jenkins.war
      Apr 01, 2014 9:56:01 AM winstone.Logger logInternal
      INFO: Winstone shutdown successfully
      Apr 01, 2014 9:56:01 AM winstone.Logger logInternal
      SEVERE: Container startup failed
      java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
      at winstone.Launcher.spawnListener(Launcher.java:209)
      at winstone.Launcher.<init>(Launcher.java:149)
      at winstone.Launcher.main(Launcher.java:354)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:606)
      at Main._main(Main.java:293)
      at Main.main(Main.java:98)
      Caused by: java.io.IOException: DerValue.getBigInteger, not an int 48
      at sun.security.util.DerValue.getBigInteger(DerValue.java:511)
      at winstone.HttpsConnectorFactory.readPEMRSAPrivateKey(HttpsConnectorFactory.java:171)
      at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:90)
      at winstone.Launcher.spawnListener(Launcher.java:207)
      ... 8 more

      Open ssl was used to generate the key and csr, then the CA gave us back the cert. What could be causing this error?

      JENKINS_ARGS="--httpsCertificate=/var/lib/jenkins/cert/cci-jenkins_uncc_edu_cert.cer --httpsPrivateKey=/var/lib/jenkins/cert/cci-jenkins.key"

          Activity

          oleg_nenashev Oleg Nenashev added a comment -

          Have you tried the resolution on http://serverfault.com/questions/569866/jenkins-wont-serve-with-ca-signed-certificate ?

          tjbryant TJ Bryant added a comment -

          No I gave up because it was too much trouble. I decided to run Jenkins in tomcat and let apache handle the ssl. That was much easier.

          danielbeck Daniel Beck added a comment -

          From the Server Fault question, answer, and solution regarding startssl this seems to be an issue with the certificates in a format Java (or maybe Jetty) cannot handle (please correct me if I'm wrong).

          For this reason, and because the reporter has given up on the issue, resolving as Won't Fix as there seems to be little that can be done about it in Jenkins.

          shanmusu Sudhakar Shanmugam added a comment -

          After updating the renewed SSL cert into java keystore for HTTPS auth, Jenkins
          startup failed with below error. Still it works with the old expired SSL cert.
          I have verified the java keystore and key cert password; I was
          able to list the keystore content and view the content of the .pfx used in the
          keystore using the passwords.

          Please assist to fix this error.

          svmftadm 19916 1 99 05:49 pts/0 00:00:09
          /opt/mft/shared/software/jdk/jdk1.7.0_51/bin/java
          -Djavax.net.ssl.trustStore=/opt/mft/admin/certs/ldapTrustStore
          -Djavax.net.ssl.keyStore=/opt/mft/admin/certs/ldapTrustStore
          -Djavax.net.ssl.keyStorePassword=xyz -jar /opt/mft/jenkins/jenkins.war
          --httpPort=-1 --httpsPort=9443 --httpsKeyStore=/opt/mft/jenkins/jenkins.jks
          --httpsKeyStorePassword=xyz

          lx0001[/opt/mft/jenkins]> cat jenkins.log
          Running from: /apps/mft/jenkins/jenkins.war
          webroot: EnvVars.masterEnvVars.get("JENKINS_HOME")
          Oct 10, 2014 5:36:02 AM winstone.Logger logInternal
          INFO: Beginning extraction from war file
          Oct 10, 2014 5:36:02 AM winstone.Logger logInternal
          INFO: Winstone shutdown successfully
          Oct 10, 2014 5:36:02 AM winstone.Logger logInternal
          SEVERE: Container startup failed
          java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
          at winstone.Launcher.spawnListener(Launcher.java:209)
          at winstone.Launcher.<init>(Launcher.java:149)
          at winstone.Launcher.main(Launcher.java:354)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
          at java.lang.reflect.Method.invoke(Method.java:606)
          at Main._main(Main.java:293)
          at Main.main(Main.java:98)
          Caused by: winstone.WinstoneException: Error getting the SSL context object
          at winstone.HttpsConnectorFactory.getSSLContext(HttpsConnectorFactory.java:218)
          at winstone.HttpsConnectorFactory.createConnector(HttpsConnectorFactory.java:127)
          at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:116)
          at winstone.Launcher.spawnListener(Launcher.java:207)
          ... 8 more

          danielbeck Daniel Beck added a comment -

          Please direct your requests for assistance somewhere else. This is an issue tracker, not a support forum.

          blaisorblade Paolo Giarrusso added a comment -

          Let me question the analysis by Daniel Beck.

          Is there any evidence that Jenkins supports PEM-formatted keys as claimed? Say, a regression test? The exception is thrown by Jenkins code that implements by hand parsing of key files, and that code has some TODOs that suggest it's not a correctness champion, and there's no link to what spec it is implementing. In fact, it's surprising that Jenkins code implements such low-level certificate parsing instead of using some library.

          https://github.com/jenkinsci/winstone/blob/f42497acd05d2ab69ae40875cfab0f9675777ef4/src/java/winstone/HttpsConnectorFactory.java#L148

          1. Jenkins documents supporting PEM keys.
          2. I have what looks like such a key generated with openssl.
          3. Jenkins fails on that key as documented in this issue.

             --httpsPrivateKey        = the location of the PEM-encoded SSL private key.
                                        (the one that starts with '-----BEGIN RSA PRIVATE KEY-----')
          

          I created a key with openssl:

          openssl req -nodes -newkey rsa:2048 -keyout kamino.key -out kamino-req.pem -subj $OMITTED
          

          the file starts with

          -----BEGIN PRIVATE KEY-----
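The stack trace in this thread already says why the hand-written reader chokes on that file: 48 is 0x30, the DER SEQUENCE tag. `openssl req -newkey` on OpenSSL 1.0 and later writes a PKCS#8 PrivateKeyInfo (`-----BEGIN PRIVATE KEY-----`), whose second member is the AlgorithmIdentifier SEQUENCE, while `readPEMRSAPrivateKey` walks a PKCS#1 RSAPrivateKey (`-----BEGIN RSA PRIVATE KEY-----`) and expects every member to be an INTEGER. The script below is an added example written for this page, not code from Jenkins or winstone: it reproduces that failure on a constructed toy key and unwraps the PKCS#8 envelope into PKCS#1, which is the same transformation `openssl rsa -in kamino.key -out kamino-pkcs1.key` performs (OpenSSL 3.x needs `-traditional` to emit PKCS#1). All function names are mine; the only input assumed is an unencrypted RSA key.

```python
"""Tell a PKCS#1 'RSA PRIVATE KEY' PEM from a PKCS#8 'PRIVATE KEY' PEM and unwrap
an unencrypted PKCS#8 RSA key into the PKCS#1 form a PKCS#1-only reader can parse."""
import base64
import re

TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def der_encode(tag, body):
    n = len(body)  # minimal DER TLV encoder, definite lengths only
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_integer(value):
    # One extra bit of room keeps the sign bit clear for non-negative integers.
    return der_encode(TAG_INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_decode(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_sequence_members(body):
    members, pos = [], 0
    while pos < len(body):
        tag, inner, pos = der_decode(body, pos)
        members.append((tag, inner))
    return members

def pem_decode(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def read_pkcs1_rsa_key(der):
    """Parse RSAPrivateKey (RFC 8017 A.1.2): a SEQUENCE of nine INTEGERs, nothing else."""
    tag, body, _ = der_decode(der)
    if tag != TAG_SEQUENCE:
        raise ValueError(f"expected SEQUENCE, got tag {tag}")
    values = []
    for member_tag, inner in der_sequence_members(body):
        if member_tag != TAG_INTEGER:
            # PKCS#8 fails here: member two is the AlgorithmIdentifier SEQUENCE (0x30 = 48).
            raise ValueError(f"not an int {member_tag}")
        values.append(int.from_bytes(inner, "big"))
    return dict(zip(["version", "n", "e", "d", "p", "q", "dp", "dq", "qinv"], values))

def pkcs8_to_pkcs1(der):
    """Unwrap PrivateKeyInfo (RFC 5208): SEQUENCE { version, AlgorithmIdentifier,
    privateKey OCTET STRING }; for rsaEncryption the OCTET STRING is the PKCS#1 DER."""
    tag, body, _ = der_decode(der)
    members = der_sequence_members(body)
    if tag != TAG_SEQUENCE or len(members) < 3 or members[1][0] != TAG_SEQUENCE:
        raise ValueError("not a PKCS#8 PrivateKeyInfo")
    if der_sequence_members(members[1][1])[0] != (TAG_OID, RSA_ENCRYPTION_OID):
        raise ValueError("not an RSA key")
    if members[2][0] != TAG_OCTET_STRING:
        raise ValueError("privateKey is not an OCTET STRING")
    return members[2][1]

def to_rsa_private_key_pem(pem):
    """Return PKCS#1 PEM for either input form; encrypted keys are rejected."""
    label, der = pem_decode(pem)
    if label == "RSA PRIVATE KEY":
        return pem
    if label == "PRIVATE KEY":
        return pem_encode("RSA PRIVATE KEY", pkcs8_to_pkcs1(der))
    raise ValueError(f"unsupported PEM label {label!r}; decrypt the key first")

def pkcs1_reader_error(pem):
    # The message a PKCS#1-only reader gives for this PEM, or None if it parses.
    try:
        read_pkcs1_rsa_key(pem_decode(pem)[1])
        return None
    except ValueError as err:
        return str(err)

def build_sample_keys():
    """Constructed toy RSAPrivateKey (textbook numbers, not a usable key) in both
    encodings OpenSSL can write: PKCS#1 and PKCS#8 PrivateKeyInfo."""
    fields = [0, 3233, 17, 2753, 61, 53, 53, 49, 38]  # version, n, e, d, p, q, dp, dq, qinv
    pkcs1 = der_encode(TAG_SEQUENCE, b"".join(der_integer(v) for v in fields))
    alg = der_encode(TAG_SEQUENCE, der_encode(TAG_OID, RSA_ENCRYPTION_OID) + der_encode(TAG_NULL, b""))
    pkcs8 = der_encode(TAG_SEQUENCE, der_integer(0) + alg + der_encode(TAG_OCTET_STRING, pkcs1))
    return pem_encode("RSA PRIVATE KEY", pkcs1), pem_encode("PRIVATE KEY", pkcs8)
```

Run `pkcs1_reader_error(pkcs8_pem)` on the PKCS#8 sample and it returns `not an int 48`, the same message winstone logs; `to_rsa_private_key_pem(open("kamino.key").read())` produces a file that parser accepts. Write the result to a new file with mode 0600 and treat it exactly like the original: only the ASN.1 wrapper changes, the key material is identical.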
          danielbeck Daniel Beck added a comment -

          Paolo Giarrusso To clarify, you're getting the same exception with your key generated like that? Could you post the exception stack trace/error message, which version of Jenkins you're using, and the key you generated?

          blaisorblade Paolo Giarrusso added a comment -

          Daniel Beck Thanks a lot for the prompt answer!
          Essentially yes, I'm getting essentially the same exception, but the line numbers are slightly different, so below's the actual data. I won't post the real private key since it's used in production after being certified by an external authority, but I've regenerated another one with the same command, self-signed it, and reproduced the same error.

          I'm running Jenkins LTS from a recent official Docker image (running Jenkins ver. 1.596.2). The openssl I used is from the host, openssl 1.0.1f-1ubuntu2.11 from Ubuntu 14.04 LTS.

          Jenkins output:

          # docker run --name myjenkins-ssl-bad-2 -p 8443:8443 -v /var/jenkins_home jenkins-ssl-bad-2
          /usr/share/jenkins/ref/init.groovy.d/tcp-slave-angent-port.groovy
           /usr/share/jenkins/ref/init.groovy.d/tcp-slave-angent-port.groovy -> init.groovy.d/tcp-slave-angent-port.groovy
          copy init.groovy.d/tcp-slave-angent-port.groovy to JENKINS_HOME
          Running from: /usr/share/jenkins/jenkins.war
          webroot: EnvVars.masterEnvVars.get("JENKINS_HOME")
          May 11, 2015 8:29:43 PM winstone.Logger logInternal
          INFO: Beginning extraction from war file
          May 11, 2015 8:29:44 PM winstone.Logger logInternal
          INFO: Winstone shutdown successfully
          May 11, 2015 8:29:44 PM winstone.Logger logInternal
          SEVERE: Container startup failed
          java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
                  at winstone.Launcher.spawnListener(Launcher.java:209)
                  at winstone.Launcher.<init>(Launcher.java:149)
                  at winstone.Launcher.main(Launcher.java:354)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                  at java.lang.reflect.Method.invoke(Method.java:606)
                  at Main._main(Main.java:293)
                  at Main.main(Main.java:98)
          Caused by: java.io.IOException: DerValue.getBigInteger, not an int 48
                  at sun.security.util.DerValue.getBigInteger(DerValue.java:511)
                  at winstone.HttpsConnectorFactory.readPEMRSAPrivateKey(HttpsConnectorFactory.java:173)
                  at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:89)
                  at winstone.Launcher.spawnListener(Launcher.java:207)
                  ... 8 more
          

          OpenSSL output, on the host:

          # openssl req -nodes -newkey rsa:2048 -keyout kamino-foo.key -out kamino-req-foo.pem -subj '/O=Universitaet Tuebingen/L=Tuebingen/ST=Baden-Wuerttemberg/C=DE/CN=kamino.informatik.uni-tuebingen.de/emailAddress=paolo.giarrusso@uni-tuebingen.de'
          Generating a 2048 bit RSA private key
          ........+++
          ...................................................................................+++
          writing new private key to 'kamino-foo.key'
          -----
          # openssl x509 -req -days 365 -in kamino-req-foo.pem -signkey kamino-foo.key -out kamino-foo.crt
          Signature ok
          subject=/O=Universitaet Tuebingen/L=Tuebingen/ST=Baden-Wuerttemberg/C=DE/CN=kamino.informatik.uni-tuebingen.de/emailAddress=paolo.giarrusso@uni-tuebingen.de
          Getting Private key
          # cat kamino-foo.key
          -----BEGIN PRIVATE KEY-----
          MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQD7QaxOVQYuiUHU
          jGkvfrn49FMadPMrK32sG8oeRAAbjC9hi6PXxEXXzZR29VpQ9TWApxNWmqs0GJWF
          +pLfnr0iXX7OdThFPKVjgVIXVA1SbB23vE2lKOTu9FmJoTz8DANP4lqEj4GdVpNj
          I8+o6QtfdoLXs4P8l+NA/0UeVPS9HZ0qR8SDKIFf5Ila2w68t8u5Hr9I0hWwd4wY
          G7qT04JKeV9uTLo2q7EtGJEDB4nSY8H9S2MRgTpQzVO1C2l7Um00623TRRWyutgv
          seMA98SzFbbEloofUgRsG5wk1h6wuNFOcE6LT/0wOa3PaQePcu4PS1IKbmixD375
          IbcAUXpzAgMBAAECggEAIPCrNlnPRaqZBtShtahXmVvuyTkr6Cz7fOTnyq//k5z9
          WTyFbnQ8893v6OihvptnOEavMlt0to/Cip4fQ1H8WdUIGukjR3B7/l+l84kBdhzW
          iJAXXd/Oo8VFN9X7uM+aX469b0OhKo9/IzA+uVZUN1/CJ6VRWHxRPuQ4m5FnxKMq
          x32TA9a25sHHyosu3DJSpKscVbQttz0yZxQvzM/2BK9iCOBoFfLbJQy9cYs048Va
          82oKv2KMUsOUlyjP9EUbaJLj9CUqgEbSAYPe0+tFzSTN29KlOZFYwnnJ32tQy3wN
          YagZdgCr+8939sqlVVNFK3BxNaoPk+5YcSkq3AqWgQKBgQD+qmoRhHkGVlBuafVB
          7bPURgNJ9RwUsfDyI978q4bVg/EA7z1/KchYrLHh91bPv+PsWeeYb5gMVufRiyYE
          MOo3kF38TETdb/7AUAnxfXRAWm98FMQL3awTYafCRvGC3c7I501m9+a4Tg9w1tzZ
          VgmDVOFpl1P9u4cuBZ2kWA9lbQKBgQD8kq+e7i/gLYz/Zo87qkXJ8+Om4cJL+ej+
          5E8hCTNTA2RqKxVmPiQlu8Gp2lSHF+ouhik1nTllmCvYIWR3+EKO2+crt1rWXtJu
          Y4h4MbF4LW2l7kID2gDtHPgDETl1e8SVlL0IDKxtgnqxGss5MJMOSE9Pt2pZ21/n
          Ii/PwsrTXwKBgQCqs13/ufVJmye0qw97jrKgkgF4XHTjJlckZ4j7gpoRmqw7/SES
          kNY7Ih7mIV2uSaikb6r+kaawdrxSx9vGqWcFsZ5eFF2AtKZlEAFqPrZiwHvEB0NV
          1NOX9jh10Anot3b5UZmfcIHVfnV5JHzKrZIY1xd1KLti84VsAtWlKGXBjQKBgQDz
          OTLkIs153YOlQ5d1RqCUPUgiIc+gqJYGN8g3sQt6yo59auXdosPejnON5NF3ksES
          cmHm3nQycJrwNB/zI+C8f+mbAKP6Qi/02+bEkF4ts9mea9WordwserQfCAxEJZ8G
          yMhMox+9CWSrfnjrpupGW738r008IPS2uQY/1X7KkwKBgHPYfesm1y4Ho972Xf+z
          Ccfpebx9a36seBN1aWvJ4eOaJchXXKShSVjsuEiHDQ0mJSSm+5RLalZhhbq6s4ZW
          wAhxfD6d8GY5AefyYCVcd6bq+Y2ctcyLKJl2h8FcOCabC+zMYQe4lG8RoJnzyzoN
          AAZBBjPLW4u/tuBaXFeG/z1S
          -----END PRIVATE KEY-----
          # cat kamino-req-foo.pem
          -----BEGIN CERTIFICATE REQUEST-----
          MIIDAzCCAesCAQAwgb0xHzAdBgNVBAoMFlVuaXZlcnNpdGFldCBUdWViaW5nZW4x
          EjAQBgNVBAcMCVR1ZWJpbmdlbjEbMBkGA1UECAwSQmFkZW4tV3VlcnR0ZW1iZXJn
          MQswCQYDVQQGEwJERTErMCkGA1UEAwwia2FtaW5vLmluZm9ybWF0aWsudW5pLXR1
          ZWJpbmdlbi5kZTEvMC0GCSqGSIb3DQEJARYgcGFvbG8uZ2lhcnJ1c3NvQHVuaS10
          dWViaW5nZW4uZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD7QaxO
          VQYuiUHUjGkvfrn49FMadPMrK32sG8oeRAAbjC9hi6PXxEXXzZR29VpQ9TWApxNW
          mqs0GJWF+pLfnr0iXX7OdThFPKVjgVIXVA1SbB23vE2lKOTu9FmJoTz8DANP4lqE
          j4GdVpNjI8+o6QtfdoLXs4P8l+NA/0UeVPS9HZ0qR8SDKIFf5Ila2w68t8u5Hr9I
          0hWwd4wYG7qT04JKeV9uTLo2q7EtGJEDB4nSY8H9S2MRgTpQzVO1C2l7Um00623T
          RRWyutgvseMA98SzFbbEloofUgRsG5wk1h6wuNFOcE6LT/0wOa3PaQePcu4PS1IK
          bmixD375IbcAUXpzAgMBAAGgADANBgkqhkiG9w0BAQsFAAOCAQEAOhegn5Ss59rR
          zltrDfOKxJEeuqb87ze0GNCGblkVXkpErEByLLJHN+q9qk0rVo4tXtliHpaHA1ZA
          0IwMYOffWLnC8bHIINFO9IlTAmVMi2Gul0oxKORmbBzYOonl2Xr2Kwq/N0naYKgx
          q4jNmwkopdPKmgmUIpGHGASTHKDkDBeAVatWj2s3TrzSaFeg0n3JxKSmg0au3KPp
          nKUphtEhGfyIRsuhi+GAx8N428qFpvqllrFZAiQFCxqrgBcetPcsFZTSqXgJovTo
          ZodZ4nzdYnkKJSyxYTQw7aiNVLvuikqq3oyRy7oTDmnjayx4GDeRzD4ZQUsK5V5u
          O4N3jKS36Q==
          -----END CERTIFICATE REQUEST-----
          # cat kamino-foo.crt
          -----BEGIN CERTIFICATE-----
          MIID+DCCAuACCQDs4UelTd8M0TANBgkqhkiG9w0BAQsFADCBvTEfMB0GA1UECgwW
          VW5pdmVyc2l0YWV0IFR1ZWJpbmdlbjESMBAGA1UEBwwJVHVlYmluZ2VuMRswGQYD
          VQQIDBJCYWRlbi1XdWVydHRlbWJlcmcxCzAJBgNVBAYTAkRFMSswKQYDVQQDDCJr
          YW1pbm8uaW5mb3JtYXRpay51bmktdHVlYmluZ2VuLmRlMS8wLQYJKoZIhvcNAQkB
          FiBwYW9sby5naWFycnVzc29AdW5pLXR1ZWJpbmdlbi5kZTAeFw0xNTA1MTEyMDI2
          MTJaFw0xNjA1MTAyMDI2MTJaMIG9MR8wHQYDVQQKDBZVbml2ZXJzaXRhZXQgVHVl
          YmluZ2VuMRIwEAYDVQQHDAlUdWViaW5nZW4xGzAZBgNVBAgMEkJhZGVuLVd1ZXJ0
          dGVtYmVyZzELMAkGA1UEBhMCREUxKzApBgNVBAMMImthbWluby5pbmZvcm1hdGlr
          LnVuaS10dWViaW5nZW4uZGUxLzAtBgkqhkiG9w0BCQEWIHBhb2xvLmdpYXJydXNz
          b0B1bmktdHVlYmluZ2VuLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
          AQEA+0GsTlUGLolB1IxpL365+PRTGnTzKyt9rBvKHkQAG4wvYYuj18RF182UdvVa
          UPU1gKcTVpqrNBiVhfqS3569Il1+znU4RTylY4FSF1QNUmwdt7xNpSjk7vRZiaE8
          /AwDT+JahI+BnVaTYyPPqOkLX3aC17OD/JfjQP9FHlT0vR2dKkfEgyiBX+SJWtsO
          vLfLuR6/SNIVsHeMGBu6k9OCSnlfbky6NquxLRiRAweJ0mPB/UtjEYE6UM1TtQtp
          e1JtNOtt00UVsrrYL7HjAPfEsxW2xJaKH1IEbBucJNYesLjRTnBOi0/9MDmtz2kH
          j3LuD0tSCm5osQ9++SG3AFF6cwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCLEUiK
          +DwZTaGnrN+CF4vpfFiW89g9v/GwtFWiaKfv7dBdNpOz9MwQiNoewadyLW9JW+pz
          5fqDYpFppW9aIPHHkpsatKDoyGJM9rK/qBL2beXT9SeitLZFLDvI0dY57G1z3AWw
          ZHvb1ic3bic9FVqCPOQwTZm/qCBKuyhSg2cyKdNi5DpUwEu4K3nbZy7zvwhflc4g
          V0L+J4Wv6FJzwnluuBaTWv7oRiu4gVs63AuUnL45YrLHjeOcbXeeLEEDsW344igX
          V1ArM2gJFdMZHCaU5mLd1LYa/6o5wFV5RAVwdIWEGwMeGhMypldUCXHR80AFv60l
          F5LEX7BrToWVzWg9
          -----END CERTIFICATE-----
          

          Should you want to reproduce the same environment through Docker, see below for the configuration I used — but I'm not sure that's helpful, so feel free to ignore what's below.

          Docker configuration and setup command-line. Warning: I'm a Docker beginner, so I'm not sure this will work just so — the first line refers to the `jenkins` image provided here, though it should pull the right one from the remote repository.

          # cat Dockerfile
          FROM jenkins
          
          COPY kamino-foo.crt /var/lib/jenkins/kamino.informatik.uni-tuebingen.de.crt
          COPY kamino-foo.key /var/lib/jenkins/kamino.informatik.uni-tuebingen.de.key
          
          USER root
          RUN chown jenkins /var/lib/jenkins/kamino.informatik.uni-tuebingen.de.*
          USER jenkins
          ENV JENKINS_OPTS --httpPort=-1 --httpsPort=8443 --httpsCertificate=/var/lib/jenkins/kamino.informatik.uni-tuebingen.de.crt --httpsPrivateKey=/var/lib/jenkins/kamino.informatik.uni-tuebingen.de.key
          
          EXPOSE 8443
          # docker build -t jenkins-ssl-bad-2 .
          

          Information about relevant Docker images:

          # docker images
          jenkins                               latest              235c3abb5af0        2 weeks ago         662 MB
          jenkins-ssl-bad-2                     latest              cee95cb7e808        7 minutes ago       662.1 MB
          
          alex_hha Alex Domoradov added a comment - - edited

          I have the same issue on jenkins-1.617 and win 2k8

          C:\users\Administrator> net start jenkins
          The Jenkins service is starting.
          The Jenkins service could not be started.
          
          A system error has occurred.
          
          System error 1067 has occurred.
          
          The process terminated unexpectedly.
          

          jenkins.err.log contains the following lines

          Jun 18, 2015 7:34:37 PM winstone.Logger logInternal
          INFO: Beginning extraction from war file
          Jun 18, 2015 7:34:37 PM winstone.Logger logInternal
          INFO: Winstone shutdown successfully
          Jun 18, 2015 7:34:37 PM winstone.Logger logInternal
          SEVERE: Container startup failed
          java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
          	at winstone.Launcher.spawnListener(Launcher.java:209)
          	at winstone.Launcher.<init>(Launcher.java:149)
          	at winstone.Launcher.main(Launcher.java:354)
          	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
          	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
          	at java.lang.reflect.Method.invoke(Unknown Source)
          	at Main._main(Main.java:293)
          	at Main.main(Main.java:98)
          Caused by: java.io.IOException: DerValue.getBigInteger, not an int 48
          	at sun.security.util.DerValue.getBigInteger(Unknown Source)
          	at winstone.HttpsConnectorFactory.readPEMRSAPrivateKey(HttpsConnectorFactory.java:173)
          	at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:89)
          	at winstone.Launcher.spawnListener(Launcher.java:207)
          	... 8 more
          

          P.S.
          With a GoDaddy certificate it works fine in the same environment.

          alex_hha Alex Domoradov added a comment -

          Any advice?

          tjbryant TJ Bryant added a comment -

          I couldn't figure out how to fix it. I had to switch to using a Tomcat container to run Jenkins.

          blaisorblade Paolo Giarrusso added a comment -

          Alex Domoradov: I managed to fix it by switching to a keytool certificate store (see SuperUser link), though that's a pain, but I wish I'd switched to an nginx proxy — especially if you want to add SSL to more services, it's more convenient to do it all in nginx rather than once for each service. (An Apache proxy would also work, it'd just be more resource-hungry.)
          Googling "nginx ssl proxy" somehow leads me to a HOWTO for Jenkins, https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins.

          alex_hha Alex Domoradov added a comment - - edited

          Could anyone point me to where I can find all available values for the httpsKeyManagerType option? E.g. can I use PKCS12 (in Tomcat/JIRA I could) or JKS only? And how can I specify the cipher suite to disable RC4? With the default settings I got the following results on SSL Labs -

          Thanks in advance

          afinkenstadt andrew finkenstadt added a comment -

          Using http://stackoverflow.com/questions/17733536/how-do-i-convert-a-private-key-to-an-rsa-private-key seems to have done the trick. Namely:

          Newer versions of OpenSSL say BEGIN PRIVATE KEY because they contain the private key + an OID that identifies the key type. To get the old style key you can do this:

          openssl rsa -in server.key -out server_new.key

          alex_hha Alex Domoradov added a comment -

          The post is dated Jul 18 '13. So which version of openssl are they talking about?

          I'm using

          openssl version
          OpenSSL 1.0.1e-fips 11 Feb 2013

          Is it new enough?

          blaisorblade Paolo Giarrusso added a comment -

          I'd bet yes, otherwise you probably wouldn't have this issue.
          But to verify, according to that StackOverflow post, if the key starts with

          -----BEGIN PRIVATE KEY-----
          

          it's from the "new" format, while if it starts with

          -----BEGIN RSA PRIVATE KEY-----
          

          it's from the old format (though the post has the wrong capitalization). I verified that my key indeed uses the new format, and is indeed from a "new" openssl:

          # openssl version
          OpenSSL 1.0.1f 6 Jan 2014
          

          (Warning: For the old format, I'd guess you could also find DSA there instead of RSA, depending on the key algorithm).

          I found a more complete description of the situation in this post: http://stackoverflow.com/q/20065304/53974. The "new" format is PKCS #8, the "old" format is PKCS #1. In the old format, the key algorithm (RSA or DSA) is described in the header; in the new format, this info is not in the header but in an extra field in the base64 content. While parsing the content, Jenkins produced the exception we see because of this extra field. That post links to further details.

          Issue Summary/Possible Diagnosis

          To sum up the issue (as we understand it), Jenkins only accepts the PKCS #1 format, and OpenSSL used to produce that by default, but now produces PKCS #8, and Jenkins cannot handle the latter format. There is a workaround which fits this hypothesis, that worked (up to now) for the only user who tested it. More experiments are needed to confirm the explanation.

          Acks

          Kudos to andrew finkenstadt for finding the essential bit of info, and the workaround (I haven't tried to verify it). I've just put together a summary. Caveat: I'm no PKCS format expert.

          afinkenstadt andrew finkenstadt added a comment -
          afinkenstadt in ~/projects
          ⚡ openssl version
          OpenSSL 0.9.8zd 8 Jan 2015
          
          alex_hha Alex Domoradov added a comment - - edited
          # head -2 jenkins.example.net.key
          -----BEGIN PRIVATE KEY-----
          MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC5WDBnZaE4HtmG
          

          So as you can see I have the new key format, and at the same time I can't use a self-signed certificate in Jenkins. It works only if I convert the certificate and key to PKCS12 and then import it into a JKS store. Something like the following:

          # cat rootca.pem jenkins.example.net.crt > chain.pem
          # openssl pkcs12 -export -in chain.pem -inkey jenkins.example.net.key > jenkins.example.net.p12 
          # keytool -importkeystore -srckeystore jenkins.example.net.p12 -destkeystore jenkins.example.net.jks -srcstoretype pkcs12
          
          blaisorblade Paolo Giarrusso added a comment -

          So as you can see I have the new key format and at the same time I can't use self signed certificate in jenkins.

          You sound surprised, but that's what we figured. The key format is too new — Jenkins only understands the old one (or JKS).

          danielbeck Daniel Beck added a comment -

          Changed issue title and type based on recent comments.

          alex_hha Alex Domoradov added a comment - - edited

          I don't think so. Because I have 2 certificates (X509 format), one of them from StartSSL and another one from GoDaddy, and they both work with Jenkins. And I have used the same openssl version and commands to generate the CSR/private key. Something like the following:

          # openssl req -nodes -sha256 -newkey rsa:4096 -keyout jenkins.example.net.key -out jenkins.example.net.csr
          

          and the following ones for the self-signed certificate:

          # openssl req -new -x509 -extensions v3_ca -keyout private/rootca.key -out rootca.crt -days 3650 -config ./openssl.conf
          
          # openssl req -new -nodes -out jenkins.example.net.csr -keyout jenkins.example.net.key -config ./openssl.conf
          
          # openssl ca -out jenkins.example.net.crt -config ./openssl.conf -infiles jenkins.example.net.csr
          
          blaisorblade Paolo Giarrusso added a comment -

          If the working certificate also uses the "new format" (BEGIN PRIVATE KEY), then the current hypothesis seems insufficient. However, could you still see what happens if you convert the key to the "old format" and use the result, as suggested by andrew finkenstadt's post?

          openssl rsa -in jenkins.example.net.key -out jenkins_new.example.net.key
          

          However, (I guess) Jenkins shouldn't contain its own code to parse keys anyway; it should at best just integrate some third-party library for it (hoping there's a library you can use without too much expertise).

          For now, fixing docs seems more urgent.

          alex_hha Alex Domoradov added a comment - - edited

          It works with the old key format! I have converted the key on a CentOS 5 box with the following openssl version

          # openssl version
          OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
          

          But as before it gets a very low result on SSL Labs. So the question: is it possible to enable Forward Secrecy, disable RC4 and enable support for strong Diffie-Hellman (DH) key exchange (1024+)? Or is the only way to use some sort of reverse proxy such as nginx/haproxy/apache?

          blaisorblade Paolo Giarrusso added a comment -

          Alex Domoradov: Good question, but that belongs in a separate bug.

          Googling leads to https://issues.jenkins-ci.org/browse/JENKINS-23925, but even after the "workaround" there (switching away from Java 6) RC4 looks enabled. Jenkins's default servlet container doesn't seem to document extensive SSL configuration support (see http://winstone.sourceforge.net/#https).
          After some googling, I'd guess that either changing the servlet container (to one with good HTTPS support) or reverse proxying is a better idea, at least because it's done often and well documented — I couldn't even find how to disable RC4 with Jenkins, while I've run into how to configure nginx without looking for it.
          (Again, I'm just another user bitten by the issue.)

          alex_hha Alex Domoradov added a comment -

          I think it would be great if someone from the developers would say something.

          P.S.
          My jenkins ships with JAVA_VERSION="1.8.0_20".

          danielbeck Daniel Beck added a comment -

          even after the "workaround" there (switching away from Java 6) RC4 looks enabled.

          If the problem is not just outdated Java (remember that Java 7 is already old as well; it should be the newest version of that), please reopen. It shouldn't be too difficult to implement.

          danielbeck Daniel Beck added a comment -

          So it looks like for Java you can just configure that rather than your application.

          http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#DisabledAlgorithms
          Here's a guide for a different application: http://www.papercut.com/kb/Main/SSLCipherConfiguration

          Do these help?

          alex_hha Alex Domoradov added a comment -

          OMG, the "bloody" java

          I will try it and will let you know

          P.S.
          in Tomcat, for example, it's configured in a very simple way:

          <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             scheme="https"
             secure="true"
             clientAuth="false"
             useBodyEncodingForURI="true"
          
             SSLEnabled="true"
             SSLHonorCipherOrder="true"
             SSLDisableCompression="true"
             SSLCertificateFile="/etc/pki/jira/jira.example.net.crt"
             SSLCertificateKeyFile="/etc/pki/jira/jira.example.net.key"
             SSLCACertificateFile="/etc/pki/jira/ca.pem"
             SSLCertificateChainFile="/etc/pki/jira/sub.class1.server.ca.pem"
             SSLCipherSuite="kEECDH+AES128:kEECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2"
             SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
          />
          
          canova Tom Canova added a comment -

          I'm using the official Jenkins docker container to run my Jenkins master. I just tried adding a key and certificate and I'm getting what appears to be the same error.
          Would using openssl to convert the key or cert to a different format help?

          SEVERE: Container startup failed
          java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
          at winstone.Launcher.spawnListener(Launcher.java:209)
          at winstone.Launcher.<init>(Launcher.java:149)
          at winstone.Launcher.main(Launcher.java:354)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
          at java.lang.reflect.Method.invoke(Method.java:497)
          at Main._main(Main.java:293)
          at Main.main(Main.java:98)
          Caused by: java.io.IOException: DerValue.getBigInteger, not an int 48
          at sun.security.util.DerValue.getBigInteger(DerValue.java:511)
          at winstone.HttpsConnectorFactory.readPEMRSAPrivateKey(HttpsConnectorFactory.java:173)
          at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:89)
          at winstone.Launcher.spawnListener(Launcher.java:207)
          ... 8 more

          canova Tom Canova added a comment -

          Solved with the Jenkins docker container by converting everything to a keystore.

          First added a password to my key:
          openssl rsa -des3 -in key.pem -out key.encrypted.pem

          Then converted to PKCS12:
          openssl pkcs12 -inkey key.encrypted.pem -in cert.pem -export -out keys.encrypted.pkcs12

          Then created a keystore (password for keystore should be same as password for key):
          keytool -importkeystore -srckeystore keys.encrypted.pkcs12 -srcstoretype pkcs12 -destkeystore keystore

          Then updated the Dockerfile to include the keystore and a reference to it in JENKINS_OPTS:
          FROM jenkins
          USER root
          RUN apt-get update && apt-get install -y jq
          USER jenkins
          COPY keystore /var/lib/jenkins/keystore
          ENV JENKINS_OPTS --httpPort=8080 --httpsPort=8443 --httpsKeyStore=/var/lib/jenkins/keystore --httpsKeyStorePassword=whateverpasswordyouspecified
          EXPOSE 8443

          roidelapluie Julien Pivotto added a comment -

          The problem is that Jenkins expects an RSA key, not a private key.

          Convert /var/lib/jenkins/cert/cci-jenkins.key into a plain RSA key:

          cp /var/lib/jenkins/cert/cci-jenkins.key /var/lib/jenkins/cert/cci-jenkins.key.full
          openssl rsa -in  /var/lib/jenkins/cert/cci-jenkins.key.full -out /var/lib/jenkins/cert/cci-jenkins.key
          

          http://stackoverflow.com/questions/17733536/how-to-convert-a-private-key-to-an-rsa-private-key

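The diagnosis given above by Paolo Giarrusso (PKCS #8 PrivateKeyInfo versus PKCS #1 RSAPrivateKey) and the `openssl rsa -in ... -out ...` workaround posted by andrew finkenstadt and Julien Pivotto, as an added standard-library Python example that is not part of this thread and not Winstone's code. A minimal DER reader classifies a key by its leading elements, emulates what a PKCS #1-only reader does with a PKCS #8 key (after the version INTEGER it meets the AlgorithmIdentifier SEQUENCE, tag 0x30 = 48, which is the "not an int 48" in every stack trace above), and unwraps an rsaEncryption PrivateKeyInfo into the RSAPrivateKey such a reader accepts. All function names are this example's own; the toy RSAPrivateKey is constructed from textbook-sized numbers and is not a usable key; THREAD_KEY_HEAD is the first base64 line of the key shown by `head -2` earlier in the thread.

```python
import base64
import re

TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
OID_RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def read_tlv(buf, pos):
    """(tag, value_start, value_end) of the DER element at pos; short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def read_pkcs1_rsa(der):
    """Parse RSAPrivateKey as a PKCS #1-only reader does: a SEQUENCE of nine INTEGERs. On PKCS #8
    input the version reads fine, then the AlgorithmIdentifier SEQUENCE (tag 48) is hit instead of n."""
    tag, pos, _ = read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not a SEQUENCE: tag %d" % tag)
    fields = {}
    for name in ("version", "n", "e", "d", "p", "q", "dP", "dQ", "qInv"):
        tag, start, pos = read_tlv(der, pos)
        if tag != TAG_INTEGER:
            raise ValueError("not an int %d: expected INTEGER %s" % (tag, name))
        fields[name] = int.from_bytes(der[start:pos], "big", signed=True)
    return fields


def classify(der):
    """('pkcs1-rsa', None), ('pkcs8', OID bytes) or ('unknown', None); only leading elements are read."""
    tag, pos, _ = read_tlv(der, 0)
    if tag == TAG_SEQUENCE:
        tag, _, pos = read_tlv(der, pos)    # version INTEGER, present in both formats
        if tag == TAG_INTEGER:
            tag, start, _ = read_tlv(der, pos)
            if tag == TAG_INTEGER:          # modulus next: RSAPrivateKey
                return "pkcs1-rsa", None
            if tag == TAG_SEQUENCE:         # AlgorithmIdentifier next: PrivateKeyInfo
                oid_tag, oid_start, oid_end = read_tlv(der, start)
                if oid_tag == TAG_OID:
                    return "pkcs8", der[oid_start:oid_end]
    return "unknown", None


def pkcs8_to_pkcs1_der(der):
    """Unwrap PrivateKeyInfo { version, AlgorithmIdentifier, OCTET STRING privateKey }; for
    rsaEncryption the OCTET STRING content is exactly the RSAPrivateKey DER."""
    kind, oid = classify(der)
    if kind != "pkcs8" or oid != OID_RSA_ENCRYPTION:
        raise ValueError("not a PKCS #8 rsaEncryption key (%s)" % kind)
    _, pos, _ = read_tlv(der, 0)
    _, _, pos = read_tlv(der, pos)          # skip version
    _, _, pos = read_tlv(der, pos)          # skip AlgorithmIdentifier
    tag, start, end = read_tlv(der, pos)
    if tag != TAG_OCTET_STRING:
        raise ValueError("expected OCTET STRING privateKey, got tag %d" % tag)
    return der[start:end]


def to_pem(label, der):
    body = base64.b64encode(der).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(body[i:i + 64] for i in range(0, len(body), 64)), label)


def convert_pem(pem):
    """PEM in, PKCS #1 PEM out, like `openssl rsa -in key -out key` for an unencrypted RSA key.
    "BEGIN ENCRYPTED PRIVATE KEY" is refused: it must be decrypted before it can be unwrapped."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", pem, re.S)
    if not m or m.group(1) not in ("PRIVATE KEY", "RSA PRIVATE KEY"):
        raise ValueError("expected an unencrypted PEM private key")
    der = base64.b64decode("".join(m.group(2).split()))
    if m.group(1) == "RSA PRIVATE KEY":
        read_pkcs1_rsa(der)                 # already PKCS #1: validate and keep as is
        return pem
    return to_pem("RSA PRIVATE KEY", pkcs8_to_pkcs1_der(der))


def der_tlv(tag, value):
    n = len(value)
    if n >= 0x80:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + value
    return bytes([tag, n]) + value


def der_int(i):
    return der_tlv(TAG_INTEGER, i.to_bytes((i.bit_length() + 8) // 8, "big", signed=True))


# Constructed sample: textbook-sized RSAPrivateKey (p=61, q=53, e=17), valid DER but not a usable key.
TOY_PKCS1_DER = der_tlv(TAG_SEQUENCE, b"".join(der_int(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
TOY_PKCS8_DER = der_tlv(TAG_SEQUENCE, der_int(0)
                        + der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, OID_RSA_ENCRYPTION) + der_tlv(TAG_NULL, b""))
                        + der_tlv(TAG_OCTET_STRING, TOY_PKCS1_DER))
# First base64 line of the key quoted in this thread: 48 header bytes, enough to classify it.
THREAD_KEY_HEAD = base64.b64decode("MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQC5WDBnZaE4HtmG")
```

To convert a real key, pass the file contents to `convert_pem` and write the result to a new file, then confirm with `openssl rsa -in new.key -check -noout` before pointing --httpsPrivateKey at it. The unwrapping only makes sense for rsaEncryption: a PKCS #8 key of any other algorithm has no RSAPrivateKey inside, and `pkcs8_to_pkcs1_der` refuses it rather than handing a PKCS #1 reader something it would misparse.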

            People

            Assignee: Unassigned
            Reporter: TJ Bryant
            Votes: 2
            Watchers: 9