Error getting the SSL context object


Error getting the SSL context object

shanmusu

After updating the renewed SSL cert into the java keystore for HTTPS auth, Jenkins startup failed with the below error. Still it works with the old expired SSL cert.

 

I have verified the java keystore and key cert password; I was able to list the keystore content and view the content of the .pfx used in the keystore using the passwords.

 

Please assist to fix this error.

 

svmftadm 19916     1 99 05:49 pts/0    00:00:09 /opt/mft/shared/software/jdk/jdk1.7.0_51/bin/java -Djavax.net.ssl.trustStore=/opt/mft/admin/certs/ldapTrustStore -Djavax.net.ssl.keyStore=/opt/mft/admin/certs/ldapTrustStore -Djavax.net.ssl.keyStorePassword=xyz -jar /opt/mft/jenkins/jenkins.war --httpPort=-1 --httpsPort=9443 --httpsKeyStore=/opt/mft/jenkins/jenkins.jks --httpsKeyStorePassword=xyz

 

lx0001[/opt/mft/jenkins]> cat jenkins.log
Running from: /apps/mft/jenkins/jenkins.war
webroot: EnvVars.masterEnvVars.get("JENKINS_HOME")
Oct 10, 2014 5:36:02 AM winstone.Logger logInternal
INFO: Beginning extraction from war file
Oct 10, 2014 5:36:02 AM winstone.Logger logInternal
INFO: Winstone shutdown successfully
Oct 10, 2014 5:36:02 AM winstone.Logger logInternal
SEVERE: Container startup failed
java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
        at winstone.Launcher.spawnListener(Launcher.java:209)
        at winstone.Launcher.<init>(Launcher.java:149)
        at winstone.Launcher.main(Launcher.java:354)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at Main._main(Main.java:293)
        at Main.main(Main.java:98)
Caused by: winstone.WinstoneException: Error getting the SSL context object
        at winstone.HttpsConnectorFactory.getSSLContext(HttpsConnectorFactory.java:218)
        at winstone.HttpsConnectorFactory.createConnector(HttpsConnectorFactory.java:127)
        at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:116)
        at winstone.Launcher.spawnListener(Launcher.java:207)
        ... 8 more

 

Regards,

Sudhakar

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/d/optout.

Re: Error getting the SSL context object

Steven Erat
I encountered the same exception. The short answer is that the privateKey password did not match the keyStore password, at first. When I realized this could be a problem, I tried setting the JENKINS_ARG option —httpsPrivateKeyPassword in addition to the --httpsKeyStorePassword, but I got an "Unrecognized option" from Winstone which didn't make sense.

Here's a snippet of correspondence when I was describing the situation to a colleague:
---------

Looking at the Winstone class where the last exception came from:
https://github.com/jenkinsci/winstone/blob/master/src/java/winstone/HttpsConnectorFactory.java

There was the following comment block:

// There are many legacy setups in which the KeyStore password and the
// key password are identical and people will not even be aware that these
// are two different things
// Therefore if no httpsPrivateKeyPassword is explicitely set we try to
// use the KeyStore password also for the key password not to break
// backward compatibility
// Otherwise the following code will completely break the startup of
// Jenkins in case the --httpsPrivateKeyPassword parameter is not set
privateKeyPassword = Option.HTTPS_PRIVATE_KEY_PASSWORD.get(args, keystorePassword);

Then I found the Winstone options class, which also showed that a ‘httpsPrivateKeyPassword’ option could be passed.  So I changed the /etc/sysconfig/jenkins to use this instead:

JENKINS_ARGS="--httpsPort=443 --httpsKeyStore=/usr/lib/jenkins/certs/jenkins.jks  --httpsKeyStorePassword=abc --httpsPrivateKeyPassword=xyz"

However, starting Jenkins still failed, but this time with “java.lang.IllegalArgumentException: Unrecognized option: —httpsPrivateKeyPassword”, and that doesn’t make sense at all.

I'm going to try to recreate the jenkins.jks keystore that I’m using, but match the private key password that I used originally. If they both have the same password, then I don’t have to pass in "—httpsPrivateKeyPassword” separately.

Ok,  recreating the jks file with the same password used for the private key password worked.  Jenkins would start and the SSL cert was verified in the browser.


Re: Error getting the SSL context object

shanmusu
Thanks Steve. I created a new jenkins.jks keystore with same password as the private key which is imported into the keystore, it worked!!
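
A pre-flight check for the mismatch this thread resolves, as an added example that is not part of any post or of Winstone's code: it loads the keystore with the store password, then tries each private key with the key password, falling back to the store password as the quoted Winstone comment describes. The class name and the KS_STORE_PASS / KS_KEY_PASS environment variables are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Added example; KeystorePreflight, KS_STORE_PASS and KS_KEY_PASS are hypothetical names.
public class KeystorePreflight {
    public static void main(String[] args) throws Exception {
        String storeEnv = System.getenv("KS_STORE_PASS");
        String keyEnv = System.getenv("KS_KEY_PASS");
        if (args.length != 1 || storeEnv == null) {
            System.err.println("usage: KS_STORE_PASS=... [KS_KEY_PASS=...] java KeystorePreflight <keystore.jks>");
            System.exit(2);
        }
        char[] storePass = storeEnv.toCharArray();
        // No separate key password supplied: reuse the store password.
        char[] keyPass = keyEnv != null ? keyEnv.toCharArray() : storePass;

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass); // a wrong store password fails here with IOException
        }
        boolean ok = true;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // skip trusted-certificate entries
            try {
                ks.getKey(alias, keyPass);
                System.out.println(alias + ": private key recovered");
            } catch (UnrecoverableKeyException e) {
                ok = false;
                System.out.println(alias + ": key password differs from the one supplied");
            }
            Certificate cert = ks.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                System.out.println(alias + ": certificate valid until " + ((X509Certificate) cert).getNotAfter());
            }
        }
        if (ok) { // build an SSLContext with the standard JSSE calls
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, keyPass);
            SSLContext.getInstance("TLS").init(kmf.getKeyManagers(), null, null);
            System.out.println("SSLContext initialised");
        }
        System.exit(ok ? 0 : 1);
    }
}
```

An exit status of 1 with only KS_STORE_PASS set means the entry's key password has to be aligned with the store password, for example with keytool -keypasswd, or the keystore recreated as described in the thread.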

Re: Error getting the SSL context object

raghavendra.br436
In reply to this post by Steven Erat
Thanks for the post Steven, I had the same issue, i.e. different password for keystore and key. Recreating the keystore and key with the same resolved it.



Re: Error getting the SSL context object

Joey Piccola
Also had this issue, matching the privateKey and keyStore solved it. 
