Dec 02, 2017 6:52:57 AM org.eclipse.jetty.util.log.JavaUtilLog warn
WARNING: Illegal character 0x16 in state=START for buffer HeapByteBuffer@54552548[p=1,l=202,c=16384,r=201]={\x16<<<\x03\x01\x00\xC5\x01\x00\x00\xC1\x03\x03\x9b\xCc\xE5\x94\x813\x08...\x00\x08\xCa\xCa\x00\x1d\x00\x17\x00\x18\x9a\x9a\x00\x01\x00>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
Dec 02, 2017 6:52:57 AM org.eclipse.jetty.util.log.JavaUtilLog warn
WARNING: Illegal character 0x16 in state=START for buffer HeapByteBuffer@7b77077a[p=1,l=202,c=16384,r=201]={\x16<<<\x03\x01\x00\xC5\x01\x00\x00\xC1\x03\x03\x8e\x19\xE0\xBbL\xAd\x91...\x00\x08\x1a\x1a\x00\x1d\x00\x17\x00\x18\xBa\xBa\x00\x01\x00>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
Dec 02, 2017 6:52:57 AM org.eclipse.jetty.util.log.JavaUtilLog warn
WARNING: badMessage: 400 Illegal character 0x16 for HttpChannelOverHttp@348dfc5f{r=0,c=false,a=IDLE,uri=}
Dec 02, 2017 6:52:57 AM org.eclipse.jetty.util.log.JavaUtilLog warn
WARNING: badMessage: 400 Illegal character 0x16 for HttpChannelOverHttp@1bafcb89{r=0,c=false,a=IDLE,uri=}
--> setting agent port for jnlp
--> setting agent port for jnlp... done
It mentions that the SSL parameters can be specified in the Dockerfile, but then the image has to be rebuilt every time the certificate changes.
FROM jenkins:1.565.3
COPY https.pem /var/lib/jenkins/cert
COPY https.key /var/lib/jenkins/pk
ENV JENKINS_OPTS --httpPort=-1 --httpsPort=8083 --httpsCertificate=/var/lib/jenkins/cert --httpsPrivateKey=/var/lib/jenkins/pk
EXPOSE 8083
- Assign the SSL settings dynamically with docker run
docker run … --env JENKINS_OPTS="--httpsCertificate=/etc/certs/domain.crt --httpsPrivateKey=/etc/certs/domain.key --httpPort=-1 --httpsPort=8083" \
{image}
There are two ways to set up the certificate: http://balodeamit.blogspot.tw/2014/03/jenkins-switch-to-ssl-https-mode.html
Ran into another problem:
java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
at winstone.Launcher.spawnListener(Launcher.java:207)
at winstone.Launcher.<init>(Launcher.java:149)
at winstone.Launcher.main(Launcher.java:352)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at Main._main(Main.java:264)
at Main.main(Main.java:112)
Caused by: winstone.WinstoneException: Cannot load private key; try using a Java keystore instead.
at winstone.HttpsConnectorFactory.readPEMRSAPrivateKey(HttpsConnectorFactory.java:196)
at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:88)
at winstone.Launcher.spawnListener(Launcher.java:205)
... 8 more
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at winstone.HttpsConnectorFactory.readPEMRSAPrivateKey(HttpsConnectorFactory.java:191)
... 10 more
Caused by: java.io.IOException: DerValue.getBigInteger, not an int 48
at sun.security.util.DerValue.getBigInteger(DerValue.java:511)
... 15 more
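With Java 1.8 or 1.9, the first method seems to have problems.
The article explains how to convert the crt & key into a jks. keytool is part of Java, so remember to install Java first. (This method still ran into problems; in the end the issue was solved using the approach at the very bottom.)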
--env JENKINS_OPTS="--httpsKeyStore=/etc/certs/jenkins.jks --httpsKeyStorePassword='123456' --httpsPort=8443" \
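After that I hit another problem. Everything I found on Google said the password did not match, but I verified it by changing the password with keytool and confirmed it had not been mistyped.
I also tried both --httpsKeyStorePassword='123456' and --httpsKeyStorePassword=123456; neither worked.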
java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
at winstone.Launcher.spawnListener(Launcher.java:207)
at winstone.Launcher.<init>(Launcher.java:149)
at winstone.Launcher.main(Launcher.java:352)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at Main._main(Main.java:264)
at Main.main(Main.java:112)
Caused by: winstone.WinstoneException: Error getting the SSL context object
at winstone.HttpsConnectorFactory.getSSLContext(HttpsConnectorFactory.java:261)
at winstone.HttpsConnectorFactory.createConnector(HttpsConnectorFactory.java:144)
at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:129)
at winstone.Launcher.spawnListener(Launcher.java:205)
... 8 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
at java.security.KeyStore.getKey(KeyStore.java:1023)
at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
at winstone.HttpsConnectorFactory.getSSLContext(HttpsConnectorFactory.java:229)
... 11 more
https://issues.jenkins-ci.org/browse/JENKINS-22448
“The problem is that Jenkins expects a RSA key, not a private key”
After converting the key to RSA format, running with the SSL certificate worked without problems.
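The "not an int 48" in the first stack trace is DER tag 0x30 (SEQUENCE): a PKCS#8 "PRIVATE KEY" file carries an AlgorithmIdentifier SEQUENCE where a PKCS#1 "RSA PRIVATE KEY" file carries the modulus INTEGER. The following check is an added example, not code from this post or from Jenkins/Winstone; the function names are hypothetical and the sample keys are constructed skeletons.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def classify_private_key(pem_text):
    """Return 'pkcs1-rsa', 'pkcs8' or 'unknown' for an unencrypted PEM key."""
    m = PEM_RE.search(pem_text)
    if not m:
        return "unknown"
    try:
        der = base64.b64decode("".join(m.group(2).split()))
        tag, start, end = read_tlv(der, 0)      # outer SEQUENCE
        if tag != 0x30:
            return "unknown"
        tag, _, nxt = read_tlv(der, start)      # version INTEGER in both formats
        if tag != 0x02 or nxt >= end:
            return "unknown"
        tag, _, _ = read_tlv(der, nxt)          # the second field decides
    except (ValueError, IndexError):
        return "unknown"
    if tag == 0x02:   # INTEGER: the RSA modulus, so PKCS#1
        return "pkcs1-rsa"
    if tag == 0x30:   # SEQUENCE (decimal 48): AlgorithmIdentifier, so PKCS#8
        return "pkcs8"
    return "unknown"

def _pem(label, der_hex):
    body = base64.b64encode(bytes.fromhex(der_hex)).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed DER skeletons (leading fields only), not real keys.
PKCS1_SAMPLE = _pem("RSA PRIVATE KEY", "3006020100020103")
PKCS8_SAMPLE = _pem("PRIVATE KEY", "3014020100300d06092a864886f70d01010105000400")

if __name__ == "__main__":
    for name, pem in (("PKCS#1", PKCS1_SAMPLE), ("PKCS#8", PKCS8_SAMPLE)):
        print(name, "->", classify_private_key(pem))
```

A key that classifies as pkcs8 can be rewritten in the PKCS#1 form with `openssl rsa -in domain.key -out domain.rsa.key` (the output file name is an assumption; OpenSSL 3.x also needs `-traditional`).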