timja / jenkins-gh-issues-poc-06-18


[JENKINS-43210] Windows Agent can't connect to Master through JNLP #3972

Open timja opened 7 years ago

timja commented 7 years ago

When executing 

    java -Xmx1g -jar slave.jar -jnlpUrl http://dfvvt01seuops.somebank.somenet/jenkins-iteb/computer/DFVIASTWHUDSON2/slave-agent.jnlp

I get

Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main createEngine
INFORMATION: Setting up slave: DFVIASTWHUDSON2
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener
INFORMATION: Jenkins agent is running in headless mode.
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Locating server among http://dfvvt01seuops.somebank.somenet/jenkins-iteb/
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Agent discovery successful
  Agent address: dfvvt01seuops.somebank.somenet
  Agent port: 50000
  Identity: 13:74:a6:18:f1:96:9c:cb:69:57:26:b1:a2:17:f2:c9
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Handshaking
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Connecting to dfvvt01seuops.somebank.somenet:50000
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Trying protocol: JNLP4-connect
Mõr 30, 2017 9:29:36 AM org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer onRecv
SCHWERWIEGEND: [JNLP4-connect connection to dfvvt01seuops.somebank.somenet/10.241.209.26:50000]
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.wrap(Unknown Source)
    at javax.net.ssl.SSLEngine.wrap(Unknown Source)
    at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:392)
    at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.onRecv(SSLEngineFilterLayer.java:117)
    at org.jenkinsci.remoting.protocol.ProtocolStack$Ptr.onRecv(ProtocolStack.java:669)
    at org.jenkinsci.remoting.protocol.NetworkLayer.onRead(NetworkLayer.java:136)
    at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer.access$2200(BIONetworkLayer.java:48)
    at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer$Reader.run(BIONetworkLayer.java:283)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at hudson.remoting.Engine$1$1.run(Engine.java:94)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker$1.run(Unknown Source)
    at sun.security.ssl.Handshaker$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
    at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:382)
    ... 9 more
Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=74df086770b5c378864b03273a8576ae) is not in the list of trusted keys
    at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkPublicKey(PublicKeyMatchingX509ExtendedTrustManager.java:216)
    at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkServerTrusted(PublicKeyMatchingX509ExtendedTrustManager.java:263)
    at org.jenkinsci.remoting.protocol.cert.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:148)
    ... 17 more
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Protocol JNLP4-connect encountered an unexpected exception
java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at org.jenkinsci.remoting.util.SettableFuture.get(SettableFuture.java:223)
    at hudson.remoting.Engine.innerRun(Engine.java:385)
    at hudson.remoting.Engine.run(Engine.java:287)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.wrap(Unknown Source)
    at javax.net.ssl.SSLEngine.wrap(Unknown Source)
    at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:392)
    at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.onRecv(SSLEngineFilterLayer.java:117)
    at org.jenkinsci.remoting.protocol.ProtocolStack$Ptr.onRecv(ProtocolStack.java:669)
    at org.jenkinsci.remoting.protocol.NetworkLayer.onRead(NetworkLayer.java:136)
    at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer.access$2200(BIONetworkLayer.java:48)
    at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer$Reader.run(BIONetworkLayer.java:283)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at hudson.remoting.Engine$1$1.run(Engine.java:94)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker$1.run(Unknown Source)
    at sun.security.ssl.Handshaker$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
    at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:382)
    ... 9 more
Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=74df086770b5c378864b03273a8576ae) is not in the list of trusted keys
    at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkPublicKey(PublicKeyMatchingX509ExtendedTrustManager.java:216)
    at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkServerTrusted(PublicKeyMatchingX509ExtendedTrustManager.java:263)
    at org.jenkinsci.remoting.protocol.cert.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:148)
    ... 17 more
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Connecting to dfvvt01seuops.somebank.somenet:50000
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Server reports protocol JNLP4-plaintext not supported, skipping
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Trying protocol: JNLP3-connect
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Protocol JNLP3-connect encountered an unexpected exception
java.util.concurrent.ExecutionException: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: JNLP3-connect: Incorrect challenge response from master
    at java.util.concurrent.FutureTask.report(Unknown Source)
    at java.util.concurrent.FutureTask.get(Unknown Source)
    at hudson.remoting.Engine.innerRun(Engine.java:385)
    at hudson.remoting.Engine.run(Engine.java:287)
Caused by: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: JNLP3-connect: Incorrect challenge response from master
    at org.jenkinsci.remoting.engine.JnlpProtocol3Handler.sendHandshake(JnlpProtocol3Handler.java:213)
    at org.jenkinsci.remoting.engine.JnlpProtocol3Handler.sendHandshake(JnlpProtocol3Handler.java:123)
    at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:162)
    at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:158)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at hudson.remoting.Engine$1$1.run(Engine.java:94)
    at java.lang.Thread.run(Unknown Source)
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Connecting to dfvvt01seuops.somebank.somenet:50000
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Trying protocol: JNLP2-connect
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Protocol JNLP2-connect encountered an unexpected exception
java.util.concurrent.ExecutionException: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: Server didn't accept the handshake:
    at java.util.concurrent.FutureTask.report(Unknown Source)
    at java.util.concurrent.FutureTask.get(Unknown Source)
    at hudson.remoting.Engine.innerRun(Engine.java:385)
    at hudson.remoting.Engine.run(Engine.java:287)
Caused by: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: Server didn't accept the handshake:
    at org.jenkinsci.remoting.engine.JnlpProtocol2Handler.sendHandshake(JnlpProtocol2Handler.java:134)
    at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:162)
    at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:158)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at hudson.remoting.Engine$1$1.run(Engine.java:94)
    at java.lang.Thread.run(Unknown Source)
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Connecting to dfvvt01seuops.somebank.somenet:50000
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Trying protocol: JNLP-connect
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Protocol JNLP-connect encountered an unexpected exception
java.util.concurrent.ExecutionException: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: Server didn't accept the handshake:
    at java.util.concurrent.FutureTask.report(Unknown Source)
    at java.util.concurrent.FutureTask.get(Unknown Source)
    at hudson.remoting.Engine.innerRun(Engine.java:385)
    at hudson.remoting.Engine.run(Engine.java:287)
Caused by: org.jenkinsci.remoting.protocol.impl.ConnectionRefusalException: Server didn't accept the handshake:
    at org.jenkinsci.remoting.engine.JnlpProtocol1Handler.sendHandshake(JnlpProtocol1Handler.java:121)
    at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:162)
    at org.jenkinsci.remoting.engine.LegacyJnlpProtocolHandler$2.call(LegacyJnlpProtocolHandler.java:158)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at hudson.remoting.Engine$1$1.run(Engine.java:94)
    at java.lang.Thread.run(Unknown Source)
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener error
SCHWERWIEGEND: The server rejected the connection: None of the protocols were accepted
java.lang.Exception: The server rejected the connection: None of the protocols were accepted
    at hudson.remoting.Engine.onConnectionRejected(Engine.java:484)
    at hudson.remoting.Engine.innerRun(Engine.java:448)
    at hudson.remoting.Engine.run(Engine.java:287)

I don't care for the JNLP3 and JNLP4 issues right now (because I don't need encryption at the moment), but I would expect at least JNLP2 to work. Looks like JENKINS-39232 is not fixed after all.

Related: JENKINS-39232, JENKINS-40668


Originally reported by bcygan, imported from: Windows Agent can't connect to Master through JNLP
  • assignee: bcygan
  • status: Reopened
  • priority: Blocker
  • resolution: Unresolved
  • imported: 2022/01/10

timja commented 7 years ago

oleg_nenashev:

So I am mostly aware about the JNLP4 protocol failure

Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=74df086770b5c378864b03273a8576ae) is not in the list of trusted keys
    at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkPublicKey(PublicKeyMatchingX509ExtendedTrustManager.java:216)
    at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkServerTrusted(PublicKeyMatchingX509ExtendedTrustManager.java:263)
    at org.jenkinsci.remoting.protocol.cert.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:148)
    ... 17 more
Mõr 30, 2017 9:29:36 AM hudson.remoting.jnlp.Main$CuiListener status
INFORMATION: Protocol JNLP4-connect encountered an unexpected exception
java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

Due to whatever reason the agent does not consider master's certificate as a trusted one. It should never happen for auto-generated certificates AFAIK, so I would assume your master is available over HTTPS and has an untrusted certificate.

Please provide more information about your master settings. Jenkins System logs would also be useful.

timja commented 7 years ago

bcygan:

The master is not available via HTTPS, that is why I am not worried about the JNLP v3 and v4 errors. But JNLP v2 should work, and it doesn't. I can provide more details if needed (including logs from the master) beginning of next week.

timja commented 7 years ago

oleg_nenashev:

OK, looking forward to getting the logs.

timja commented 7 years ago

bcygan:

I checked, and couldn't find any meaningful entries in the logs. In the meantime, I have switched off JNLP3 and JNLP4. Additional information: This is going through an Apache Reverse Proxy and uses central authentication from Jenkins Operations. Which protocol might help in this case?

The Apache Reverse Proxy is configured with the "nocanon" option.

timja commented 7 years ago

oleg_nenashev:

Does the issue still happen with disabled JNLP3?

timja commented 7 years ago

oleg_nenashev:

bcygan ping

timja commented 7 years ago

oleg_nenashev:

No response from the requester. I assume it was a JNLP3 issue, hence closing with "Won't fix". The protocol is deprecated

timja commented 7 years ago

bcygan:

I could track this down to happening with JDK Mixed Mode on the Windows Client side. When I used pure 64 bit mode, the problem went away. Couldn't narrow it down because of changing environments.

timja commented 6 years ago

allan_burdajewicz:

Also if you are running Jenkins behind a proxy, ensure you have the system property `-Dhudson.TcpSlaveAgentListener.hostName=` set up on the Jenkins master. See https://wiki.jenkins.io/display/JENKINS/Features+controlled+by+system+properties

timja commented 6 years ago

matthiasb:

We currently also have this issue with different versions of Jenkins (107.x, 121.x, 138.x) with JNLP v4; all other protocols are disabled.
As soon as this problem occurs, it does not matter whether we down- or upgrade the Jenkins instance; it will occur every time.
When we just enabled JNLP v3, the slave did not connect to the master and the container died after some seconds because of `no supported JNLP protocol`.
We also tried your property, allan_burdajewicz, but this did not change the behavior.

This issue only occurs with Jenkins instances we have created since this summer, so there must be a change between May and July, maybe in the 107 versions.

We know that when we deploy an older Jenkins version (like <=89x) it will work, but we do not know where we get this Jenkins.io cert from.
Because the CN is not correct and we already set the Jenkins.io cert in the truststore, so it should be allowed and trusted.
I think Jenkins generates this cert itself. oleg_nenashev, can you answer the question of where this cert is generated and why?
Is this a problem caused by updating to a specific version of a plugin? Or is it a "problem" of Jenkins itself?

For me, this issue is not solved.

Below we add our configuration/logs:

INFO: Trying protocol: JNLP4-connect
Sep 19, 2018 11:25:02 AM org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer onRecv
SEVERE: [JNLP4-connect connection to vjkm01.pnet.ch/172.18.15.26:33529] 
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
    at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
    at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:392)
    at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.onRecv(SSLEngineFilterLayer.java:117)
    at org.jenkinsci.remoting.protocol.ProtocolStack$Ptr.onRecv(ProtocolStack.java:669)
    at org.jenkinsci.remoting.protocol.impl.AckFilterLayer.onRecv(AckFilterLayer.java:255)
    at org.jenkinsci.remoting.protocol.ProtocolStack$Ptr.onRecv(ProtocolStack.java:669)
    at org.jenkinsci.remoting.protocol.NetworkLayer.onRead(NetworkLayer.java:136)
    at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer.access$2200(BIONetworkLayer.java:48)
    at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer$Reader.run(BIONetworkLayer.java:283)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:93)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
    at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:382)
    ... 11 more
Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=9dd32b243d0da3c30cff1c129ec3be8c) is not in the list of trusted keys
    at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkPublicKey(PublicKeyMatchingX509ExtendedTrustManager.java:217)
    at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkServerTrusted(PublicKeyMatchingX509ExtendedTrustManager.java:263)
    at org.jenkinsci.remoting.protocol.cert.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:148)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
    ... 18 more
Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status
INFO: Protocol JNLP4-connect encountered an unexpected exception
java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at org.jenkinsci.remoting.util.SettableFuture.get(SettableFuture.java:223)
    at hudson.remoting.Engine.innerRun(Engine.java:614)
    at hudson.remoting.Engine.run(Engine.java:474)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
    at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
    at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:392)
    at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.onRecv(SSLEngineFilterLayer.java:117)
    at org.jenkinsci.remoting.protocol.ProtocolStack$Ptr.onRecv(ProtocolStack.java:669)
    at org.jenkinsci.remoting.protocol.impl.AckFilterLayer.onRecv(AckFilterLayer.java:255)
    at org.jenkinsci.remoting.protocol.ProtocolStack$Ptr.onRecv(ProtocolStack.java:669)
    at org.jenkinsci.remoting.protocol.NetworkLayer.onRead(NetworkLayer.java:136)
    at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer.access$2200(BIONetworkLayer.java:48)
    at org.jenkinsci.remoting.protocol.impl.BIONetworkLayer$Reader.run(BIONetworkLayer.java:283)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at hudson.remoting.Engine$1.lambda$newThread$0(Engine.java:93)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
    at org.jenkinsci.remoting.protocol.impl.SSLEngineFilterLayer.processRead(SSLEngineFilterLayer.java:382)
    ... 11 more
Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=9dd32b243d0da3c30cff1c129ec3be8c) is not in the list of trusted keys
    at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkPublicKey(PublicKeyMatchingX509ExtendedTrustManager.java:217)
    at org.jenkinsci.remoting.protocol.cert.PublicKeyMatchingX509ExtendedTrustManager.checkServerTrusted(PublicKeyMatchingX509ExtendedTrustManager.java:263)
    at org.jenkinsci.remoting.protocol.cert.DelegatingX509ExtendedTrustManager.checkServerTrusted(DelegatingX509ExtendedTrustManager.java:148)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
    ... 18 more
Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status
INFO: Connecting to vjkm01.pnet.ch:33529
Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status
INFO: Server reports protocol JNLP4-plaintext not supported, skipping
Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status
INFO: Server reports protocol JNLP3-connect not supported, skipping
Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status
INFO: Server reports protocol JNLP2-connect not supported, skipping
Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener status
INFO: Server reports protocol JNLP-connect not supported, skipping
Sep 19, 2018 11:25:02 AM hudson.remoting.jnlp.Main$CuiListener error
SEVERE: The server rejected the connection: None of the protocols were accepted
java.lang.Exception: The server rejected the connection: None of the protocols were accepted
    at hudson.remoting.Engine.onConnectionRejected(Engine.java:675)
    at hudson.remoting.Engine.innerRun(Engine.java:639)
    at hudson.remoting.Engine.run(Engine.java:474)

 

docker-compose configuration for Jenkins (startup conf / Java opts):

    environment:
      - JAVA_OPTS="-Djava.awt.headless=true -Dhudson.model.DirectoryBrowserSupport.CSP='' -Dhudson.model.DownloadService.noSignatureCheck=true"
      - JENKINS_OPTS="--requestHeaderSize=16384"

 

 

timja commented 5 years ago

pcarenza:

I am also having this issue with the current Jenkins release, but only from a docker container (exposed ports 8084:8080, 50000:50000).

The standalone version from whence we derived the container works perfectly well. We are currently only using JNLP4.

timja commented 5 years ago

rzteux:

I have exactly the same issue using docker image jenkins:jenkins:2.154-slim version and using swarm client plugin 3.14 on a Windows slave in a VM.

I have also tried the swarm-client command line option -disableSslVerification without success.

See attachment: jenkins-43210-issue.txt

timja commented 5 years ago

gnuheidix:

In reference to my code comment, why is the certificate of the JNLP4-Protocol being generated during runtime and not changeable by configuration? How is the agent supposed to validate the certificate? Am I missing something? My agents always report the following during JNLP4 connection attempts:

Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=deadbeefdeadbeefdeadbeef) is not in the list of trusted keys

JNLP3 works fine though, but I want the newer secure stuff.

Is the public key supposed to be transferred in the encrypted and authenticated transfer of slave-agent.jnlp?

UPDATED: Interesting, debugging the agent revealed that the publicKey seems to be transferred, but in my case, this doesn't seem to work.

INFORMATION: Agent discovery successful
  Agent address: jenkins.mycorp
  Agent port:    50000
  Identity:      null

RESOLVED:
My reverse proxy dropped the header X-Instance-Identity which is being used in the remoting lib to transfer the public key to the agents. The following Apache directive is a bad idea in case one wants to use agents.

    Header unset X-Instance-Identity
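
The check behind the RESOLVED note above, as an added example (not part of the original comment and not Jenkins code): it compares the `X-Instance-Identity` header as served directly by the master and through the reverse proxy, and reads the agent's `Identity:` line. The fingerprint format (colon-separated MD5 of the base64-decoded header value) is an assumption inferred from the 16-byte `Identity:` value in the first log; all function names and sample data are constructed.

```python
import base64
import hashlib
import re
import urllib.error
import urllib.request

HEADER = "x-instance-identity"  # header named in the comment above


def fingerprint(header_value):
    """Colon-separated MD5 of the base64-decoded key bytes (assumed format)."""
    key_bytes = base64.b64decode(header_value, validate=True)
    digest = hashlib.md5(key_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def header_identity(headers):
    """Fingerprint from a header mapping, or None if absent or undecodable."""
    for name, value in headers.items():
        if name.lower() == HEADER:
            value = value.strip()
            if not value:
                return None
            try:
                return fingerprint(value)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
    return None


def agent_log_identity(log_text):
    """Value of the agent's 'Identity:' discovery line; None for 'null'."""
    match = re.search(r"^\W*Identity:\s*(null|[0-9A-Fa-f:]+)", log_text, re.M)
    if match is None or match.group(1) == "null":
        return None
    return match.group(1).lower()


def fetch_headers(url, timeout=10):
    """Response headers of url; HTTP error responses still carry headers."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


def diagnose(direct_headers, proxied_headers, agent_log=""):
    """Compare the identity seen directly, via the proxy, and by the agent."""
    direct = header_identity(direct_headers)
    proxied = header_identity(proxied_headers)
    seen = agent_log_identity(agent_log)
    if direct is None:
        return "controller-sends-no-identity"
    if proxied is None:
        return "proxy-strips-header"  # agent then logs 'Identity: null'
    if proxied != direct:
        return "proxy-answers-for-another-instance"
    if seen is not None and seen != direct:
        return "agent-saw-different-identity"
    return "identity-ok"


# Constructed sample data: arbitrary bytes stand in for the encoded public key.
SAMPLE_KEY = base64.b64encode(b"constructed stand-in for key bytes").decode()
DIRECT = {"X-Instance-Identity": SAMPLE_KEY, "Content-Type": "text/html"}
STRIPPED = {"Content-Type": "text/html"}  # what 'Header unset' leaves behind
NULL_LOG = "INFORMATION: Agent discovery successful\n  Identity:      null\n"

if __name__ == "__main__":
    print(diagnose(DIRECT, STRIPPED, NULL_LOG))
    print(diagnose(DIRECT, DIRECT))
```

Against a live setup, pass `fetch_headers()` results for the master's own address and for the proxied URL the agent uses.
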
timja commented 5 years ago

matthiasb:

gnuheidix thank you for the information.
We checked our Apache config too, but it seems that our proxy does not reject these headers, so it has to be another problem.
But a workaround for us currently is to first deploy an old Jenkins version; then we can update it to the newest one without any problems.

I briefly tried it again with the newest version of Jenkins (2.150.1) and one slave on the same machine. Both tests with Docker containers were successful on Windows and on Linux.
As soon as I can test it, I will try something with a proxy and over multiple servers; maybe it will work now.

And I will update the plugins; maybe it is not an issue of Jenkins itself. It could be that we hit it because of a plugin update.