Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-43416

Add Credentials from job configuration fails "silently"

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Not A Defect
    • Component/s: credentials-plugin
    • Labels:
    • Environment:
      Jenkins Version: 2.46.1
      Docker Version: 17.03.1-ce
      Nginx Version: 1.11.12
      OS: Ubuntu 16.04
    • Similar Issues:

      Description

      Prelude:

      I'm running Jenkins inside a docker container, behind an Nginx (running in other container)

      Jenkins respond to http://<serverNoPort>/jenkins port 8080 is not exposed.

      Found 2 related issues already closed but without solution: JENKINS-39238 and JENKINS-38957

      I hope I provide more information to reproduce


      Steps:

      1. Create a new item
      2. Try to add new credentials (example: source code gitHub)
      3. Fill the credentials and save. 

      Error: 

      It fails silently (user doesn't get any error on screen) but in the browser console the following message is found

      Failed to load resource: net::ERR_CONNECTION_TIMED_OUT
      select.js:156 Uncaught DOMException: Blocked a frame with origin "http://<serverNoPort>" from accessing a cross-origin frame.
      {{ at HTMLIFrameElement.<anonymous> (http://<serverNoPort>/jenkins/adjuncts/69ad1dce/lib/credentials/select/select.js:156:57)}}
      (anonymous) @ select.js:156

      http://<serverNoPort>:8080/jenkins/descriptor/com.cloudbees.plugins.credentials.CredentialsSelectHelper/resolver/com.cloudbees.plugins.credentials.CredentialsSelectHelper$SystemContextResolver/provider/com.cloudbees.plugins.credentials.SystemCredentialsProvider$ProviderImpl/context/jenkins/addCredentials

      It seems that it is trying to reach the Jenkins server trough the default port (that is not exposed) and subsequently fails.

       

       

        Attachments

          Activity

          Hide
          agallardo Alberto Gallardo added a comment - - edited

          Similar here: a credentialsDialog emerges in my https:// configuration page, rendering a form whose POST URL is http://<servername> instead of https://.

          Steps:

          1. Create GitHub Organization or Multibranch Pipeline job (for this example, I'm creating a GitHub Organization job named kkk)
          2. Projects > GitHub Organization > Scan credentials > Add kkk (Folder Credentials Provider)
            1. jenkins gets the dialog: GET https://<jenkins_server_noport>/descriptor/com.cloudbees.plugins.credentials.CredentialsSelectHelper/resolver/com.cloudbees.plugins.credentials.CredentialsSelectHelper$ItemContextResolver/provider/com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider/context/kkk/dialog
            2. the response already contains the POST to the incorrect URL:
           <div class="hd"><h2 tooltip="Folder Credentials Provider"><img src="/static/85cead7b/plugin/credentials/images/48x48/folder-store.png" style="width: 48px; height: 48px; " class="icon-credentials-folder-store icon-xlg" /> Folder Credentials Provider: kkk
           </h2></div><div class="bd"><h3><img src="/static/85cead7b/plugin/credentials/images/24x24/new-credential.png" style="width: 24px; height: 24px; " class="icon-credentials-new-credential icon-md" />
           Add Credentials
           </h3><form method="POST" action="http://<jenkins_server_noport>/descriptor/com.cloudbees.plugins.credentials.CredentialsSelectHelper/resolver/com.cloudbees.plugins.credentials.CredentialsSelectHelper$ItemContextResolver/provider/com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider/context/kkk/addCredentials" id="credentials-dialog-form"><!--omited--></form></div>
          

          I have recursively grepped through all jenkins config + data dirs, but couldn't find any explicit reference to that url http://<jenkins_server_noport>.

          Environment:

          • No docker involved
          • Jenkins listens http in 8080 (firewalled)
          • Jenkins is front-ended with an nginx on corresponding https://
          • Manage Jenkins > Configure Jenkins > Jenkins Location > Jenkins URL = "https://<jenkins_server_noport>/"
          • Jenkins v2.55
          • Plugins:
            • cloudbees-folder v6.0.3
            • credentials v2.1.13
            • github-branch-source v2.0.5
            • github-organization-folder v1.6
          Show
          agallardo Alberto Gallardo added a comment - - edited Similar here: a credentialsDialog emerges in my https:// configuration page, rendering a form whose POST URL is http://<servername> instead of https:// . Steps: Create GitHub Organization or Multibranch Pipeline job (for this example, I'm creating a GitHub Organization job named kkk ) Projects > GitHub Organization > Scan credentials > Add kkk (Folder Credentials Provider) jenkins gets the dialog: GET https://<jenkins_server_noport>/descriptor/com.cloudbees.plugins.credentials.CredentialsSelectHelper/resolver/com.cloudbees.plugins.credentials.CredentialsSelectHelper$ItemContextResolver/provider/com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider/context/kkk/dialog the response already contains the POST to the incorrect URL: <div class= "hd" > <h2 tooltip= "Folder Credentials Provider" > <img src= "/static/85cead7b/plugin/credentials/images/48x48/folder-store.png" style= "width: 48px; height: 48px; " class= "icon-credentials-folder-store icon-xlg" /> Folder Credentials Provider: kkk </h2> </div> <div class= "bd" > <h3> <img src= "/static/85cead7b/plugin/credentials/images/24x24/new-credential.png" style= "width: 24px; height: 24px; " class= "icon-credentials-new-credential icon-md" /> Add Credentials </h3> <form method= "POST" action= "http://<jenkins_server_noport> /descriptor/com.cloudbees.plugins.credentials.CredentialsSelectHelper/resolver/com.cloudbees.plugins.credentials.CredentialsSelectHelper$ItemContextResolver/provider/com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider/context/kkk/addCredentials" id= "credentials-dialog-form" > <!--omited--> </form> </div> I have recursively grepped through all jenkins config + data dirs, but couldn't find any explicit reference to that url http://<jenkins_server_noport> . Environment: No docker involved Jenkins listens http in 8080 (firewalled) Jenkins is front-ended with an nginx on corresponding https:// Manage Jenkins > Configure Jenkins > Jenkins Location > Jenkins URL = "https://<jenkins_server_noport>/" Jenkins v2.55 Plugins: cloudbees-folder v6.0.3 credentials v2.1.13 github-branch-source v2.0.5 github-organization-folder v1.6
          Hide
          agallardo Alberto Gallardo added a comment -

          By the way, I can work-around this:

          • Use a browser with editing capabilities and edit the POST URL 'on the fly' changing the http:// with the correct https://
          • Fill in the form and send it
          Show
          agallardo Alberto Gallardo added a comment - By the way, I can work-around this: Use a browser with editing capabilities and edit the POST URL 'on the fly' changing the http:// with the correct https:// Fill in the form and send it
          Hide
          stephenconnolly Stephen Connolly added a comment -

          Are you injecting the  X-Forwarded-Proto header nginix to ensure that Jenkins knows the request URL is over https?

          Show
          stephenconnolly Stephen Connolly added a comment - Are you injecting the   X-Forwarded-Proto  header nginix to ensure that Jenkins knows the request URL is over https?
          Hide
          gtunon Guiomar Tuñón added a comment -

          In my case yes.

          My problem is the 8080 port that isn't exposed in my server as all the http/https requests must go through ports 80/443 and through the nginx.

          Show
          gtunon Guiomar Tuñón added a comment - In my case yes. My problem is the 8080 port that isn't exposed in my server as all the http/https requests must go through ports 80/443 and through the nginx.
          Hide
          stephenconnolly Stephen Connolly added a comment -

          Right so if you are changing port (and perhaps host too) then you would also need to inject X-Forwarded-Port (and perhaps X-Forwarded-Host too) so that Jenkins has the information to reconstruct the request url.

          Until you have set that up correctly, this is not a bug but rather a configuration issue on your end (note that the core Admin monitor should be giving you a warning when you go to the "Manage Jenkins" screen if you have not got your reverse proxy configured correctly, so if that is not happening then that might be a bug against Jenkins core, but this is not sounding like a bug against credentials plugin)

          Show
          stephenconnolly Stephen Connolly added a comment - Right so if you are changing port (and perhaps host too) then you would also need to inject X-Forwarded-Port (and perhaps X-Forwarded-Host too) so that Jenkins has the information to reconstruct the request url . Until you have set that up correctly, this is not a bug but rather a configuration issue on your end (note that the core Admin monitor should be giving you a warning  when you go to the "Manage Jenkins" screen if you have not got your reverse proxy configured correctly, so if that is not happening then that might be a bug against Jenkins core, but this is not sounding like a bug against credentials plugin)
          Hide
          gtunon Guiomar Tuñón added a comment -

          Thank you for your help. 

          I think now is working. It was the X-Forwarded-Port. 

           

          Show
          gtunon Guiomar Tuñón added a comment - Thank you for your help.  I think now is working. It was the X-Forwarded-Port.   
          Hide
          agallardo Alberto Gallardo added a comment -

          Adding the X-Forwarded-Proto also solved the problem for my. Thanks a lot!

          Show
          agallardo Alberto Gallardo added a comment - Adding the X-Forwarded-Proto also solved the problem for my. Thanks a lot!

            People

            • Assignee:
              stephenconnolly Stephen Connolly
              Reporter:
              gtunon Guiomar Tuñón
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: