@dannynash
Last active December 2, 2017 08:40
Problems encountered when migrating Jenkins to Docker

The browser connects to Jenkins over SSL, but Jenkins is not running in SSL mode:

Dec 02, 2017 6:52:57 AM org.eclipse.jetty.util.log.JavaUtilLog warn
WARNING: Illegal character 0x16 in state=START for buffer HeapByteBuffer@54552548[p=1,l=202,c=16384,r=201]={\x16<<<\x03\x01\x00\xC5\x01\x00\x00\xC1\x03\x03\x9b\xCc\xE5\x94\x813\x08...\x00\x08\xCa\xCa\x00\x1d\x00\x17\x00\x18\x9a\x9a\x00\x01\x00>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
Dec 02, 2017 6:52:57 AM org.eclipse.jetty.util.log.JavaUtilLog warn
WARNING: Illegal character 0x16 in state=START for buffer HeapByteBuffer@7b77077a[p=1,l=202,c=16384,r=201]={\x16<<<\x03\x01\x00\xC5\x01\x00\x00\xC1\x03\x03\x8e\x19\xE0\xBbL\xAd\x91...\x00\x08\x1a\x1a\x00\x1d\x00\x17\x00\x18\xBa\xBa\x00\x01\x00>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00}
Dec 02, 2017 6:52:57 AM org.eclipse.jetty.util.log.JavaUtilLog warn
WARNING: badMessage: 400 Illegal character 0x16 for HttpChannelOverHttp@348dfc5f{r=0,c=false,a=IDLE,uri=}
Dec 02, 2017 6:52:57 AM org.eclipse.jetty.util.log.JavaUtilLog warn
WARNING: badMessage: 400 Illegal character 0x16 for HttpChannelOverHttp@1bafcb89{r=0,c=false,a=IDLE,uri=}
--> setting agent port for jnlp
--> setting agent port for jnlp... done
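
The 0x16 that Jetty rejects is the first byte of a TLS handshake record, i.e. the browser's ClientHello arriving on the plain-HTTP port. The following Python is an added example, not part of the original notes; it decodes the buffer dump in such a warning line and reads the TLS record header (the function names and the shortened sample line are constructed for illustration).

```python
import re

# Constructed line in the shape of the Jetty warnings above (random bytes shortened).
SAMPLE = (r"WARNING: Illegal character 0x16 in state=START for buffer "
          r"HeapByteBuffer@0[p=1,l=202,c=16384,r=201]="
          r"{\x16<<<\x03\x01\x00\xC5\x01\x00\x00\xC1\x03\x03\x9b\xCc...\x00\x01\x00>>>\x00\x00...\x00}")

DUMP = re.compile(r"l=(\d+),.*?=\{(.*?)<<<(.*?)>>>")
TOKEN = re.compile(r"\\x([0-9A-Fa-f]{2})|(\.\.\.)|(.)")
VERSIONS = {b"\x03\x01": "TLS 1.0", b"\x03\x02": "TLS 1.1", b"\x03\x03": "TLS 1.2"}

def decode_dump(text):
    """Decode Jetty's escaped buffer dump into bytes, stopping at the first '...' elision."""
    out = bytearray()
    for hexpair, elision, literal in TOKEN.findall(text):
        if elision:
            break
        out += bytes([int(hexpair, 16)]) if hexpair else literal.encode("latin-1", "replace")
    return bytes(out)

def tls_on_plain_http(line):
    """Return TLS header fields if the rejected bytes are a TLS handshake record, else None."""
    m = DUMP.search(line)
    if not m:
        return None
    # Jetty prints already-consumed bytes before '<<<' and the unread remainder after it.
    data = decode_dump(m.group(2)) + decode_dump(m.group(3))
    if len(data) < 11 or data[0] != 0x16 or data[1] != 0x03:
        return None  # 0x16 = handshake content type, 0x03 = SSL 3.0/TLS major version
    record_length = int.from_bytes(data[3:5], "big")
    return {
        "record_version": VERSIONS.get(data[1:3], data[1:3].hex()),
        "record_length": record_length,
        # l= is the buffer limit; a full record is the 5-byte header plus its payload
        "whole_record_buffered": int(m.group(1)) == 5 + record_length,
        "handshake": "ClientHello" if data[5] == 0x01 else hex(data[5]),
        "handshake_length": int.from_bytes(data[6:9], "big"),
        # legacy_version field: TLS 1.3 clients also send 0x0303 here
        "client_version": VERSIONS.get(data[9:11], data[9:11].hex()),
    }

if __name__ == "__main__":
    print(tls_on_plain_http(SAMPLE))
```

A hit on this check means the client and the listener disagree about the scheme: either enable HTTPS on Jenkins (as in the next section) or terminate TLS in front of it.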

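Jenkins SSL configuration

  1. Official tutorial: https://hub.docker.com/_/jenkins/

It mentions that the SSL parameters can be specified in the Dockerfile, but then the image has to be rebuilt every time the certificate changes.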

FROM jenkins:1.565.3

COPY https.pem /var/lib/jenkins/cert
COPY https.key /var/lib/jenkins/pk
ENV JENKINS_OPTS --httpPort=-1 --httpsPort=8083 --httpsCertificate=/var/lib/jenkins/cert --httpsPrivateKey=/var/lib/jenkins/pk
EXPOSE 8083
  2. Assign the SSL settings dynamically with docker run
docker run … --env JENKINS_OPTS="--httpsCertificate=/etc/certs/domain.crt --httpsPrivateKey=/etc/certs/domain.key --httpPort=-1 --httpsPort=8083" \
{image}

There are two ways to set up the certificate: http://balodeamit.blogspot.tw/2014/03/jenkins-switch-to-ssl-https-mode.html

SSL Certificate

I ran into another problem:

java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
	at winstone.Launcher.spawnListener(Launcher.java:207)
	at winstone.Launcher.<init>(Launcher.java:149)
	at winstone.Launcher.main(Launcher.java:352)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at Main._main(Main.java:264)
	at Main.main(Main.java:112)
Caused by: winstone.WinstoneException: Cannot load private key; try using a Java keystore instead.
	at winstone.HttpsConnectorFactory.readPEMRSAPrivateKey(HttpsConnectorFactory.java:196)
	at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:88)
	at winstone.Launcher.spawnListener(Launcher.java:205)
	... 8 more
Caused by: java.lang.reflect.InvocationTargetException
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at winstone.HttpsConnectorFactory.readPEMRSAPrivateKey(HttpsConnectorFactory.java:191)
	... 10 more
Caused by: java.io.IOException: DerValue.getBigInteger, not an int 48
	at sun.security.util.DerValue.getBigInteger(DerValue.java:511)
	... 15 more

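SSL KeyStore (the article above says this method solves the problem, but I ran into a different one. In the end I solved it with the approach at the bottom.)

On Java 1.8 or 1.9, the first method seems to have problems.

The article explains how to convert the crt & key into a jks. keytool is part of Java, so remember to install Java first. (This method still ran into problems; in the end the problem was solved with the approach at the very bottom.)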

--env JENKINS_OPTS="--httpsKeyStore=/etc/certs/jenkins.jks --httpsKeyStorePassword='123456' --httpsPort=8443" \

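After that I hit another problem. Everything I found on Google said the password did not match, but I verified it by changing the password with keytool and confirmed it was not mistyped.

I also tried both --httpsKeyStorePassword='123456' and --httpsKeyStorePassword=123456; neither worked.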

java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
	at winstone.Launcher.spawnListener(Launcher.java:207)
	at winstone.Launcher.<init>(Launcher.java:149)
	at winstone.Launcher.main(Launcher.java:352)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at Main._main(Main.java:264)
	at Main.main(Main.java:112)
Caused by: winstone.WinstoneException: Error getting the SSL context object
	at winstone.HttpsConnectorFactory.getSSLContext(HttpsConnectorFactory.java:261)
	at winstone.HttpsConnectorFactory.createConnector(HttpsConnectorFactory.java:144)
	at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:129)
	at winstone.Launcher.spawnListener(Launcher.java:205)
	... 8 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
	at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
	at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146)
	at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
	at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
	at java.security.KeyStore.getKey(KeyStore.java:1023)
	at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
	at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
	at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
	at winstone.HttpsConnectorFactory.getSSLContext(HttpsConnectorFactory.java:229)
	... 11 more

Fixing the error encountered with crt & key

https://issues.jenkins-ci.org/browse/JENKINS-22448

“The problem is that Jenkins expects a RSA key, not a private key”

After converting the key to RSA, running with the SSL Certificate approach worked without problems.
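
The `not an int 48` in the first stack trace fits the quoted explanation: 48 is 0x30, the DER SEQUENCE tag that follows the version in a PKCS#8 `PRIVATE KEY`, where a PKCS#1 `RSA PRIVATE KEY` has an INTEGER. The Python below is an added example, not from the original notes or from Jenkins; it classifies a key by that tag and unwraps PKCS#8 to PKCS#1, assuming an unencrypted RSA key, with toy DER values constructed for the demonstration.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER OID 1.2.840.113549.1.1.1, rsaEncryption

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def pem_to_der(pem):
    rows = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(rows))

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    rows = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{rows}\n-----END {label}-----\n"

def key_format(pem):
    """Classify an unencrypted private key by its DER layout, not by its PEM label."""
    der = pem_to_der(pem)
    tag, pos, _ = read_tlv(der, 0)       # outer SEQUENCE
    vtag, _, vend = read_tlv(der, pos)   # version INTEGER
    if tag != 0x30 or vtag != 0x02:
        return "unknown"
    # PKCS#1 continues with INTEGER (0x02, the modulus); PKCS#8 continues with
    # SEQUENCE (0x30 = 48), the tag reported in "not an int 48".
    return {0x02: "PKCS#1", 0x30: "PKCS#8"}.get(der[vend], "unknown")

def pkcs8_to_pkcs1(pem):
    """Unwrap an unencrypted PKCS#8 RSA key into a PKCS#1 'RSA PRIVATE KEY' PEM."""
    der = pem_to_der(pem)
    _, pos, _ = read_tlv(der, 0)
    _, _, pos = read_tlv(der, pos)                    # skip version
    _, alg_start, alg_end = read_tlv(der, pos)        # AlgorithmIdentifier
    tag, key_start, key_end = read_tlv(der, alg_end)  # OCTET STRING wrapping the PKCS#1 key
    if tag != 0x04 or not der[alg_start:alg_end].startswith(RSA_OID):
        raise ValueError("not an unencrypted PKCS#8 RSA key")
    return to_pem("RSA PRIVATE KEY", der[key_start:key_end])

# Constructed toy DER with the right shape but tiny fake numbers; not usable keys.
def _der(tag, body):
    return bytes([tag, len(body)]) + body

TOY_PKCS1 = _der(0x30, _der(0x02, b"\x00") + _der(0x02, b"\x00\xc3") + _der(0x02, b"\x03"))
TOY_PKCS8 = _der(0x30, _der(0x02, b"\x00") + _der(0x30, RSA_OID + b"\x05\x00") + _der(0x04, TOY_PKCS1))
PKCS1_PEM, PKCS8_PEM = to_pem("RSA PRIVATE KEY", TOY_PKCS1), to_pem("PRIVATE KEY", TOY_PKCS8)
```

For a real key, `openssl rsa -in domain.key -out domain.rsa.key` performs the same unwrapping (the output file name is a placeholder; OpenSSL 3.x needs `-traditional` to emit the `BEGIN RSA PRIVATE KEY` form).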
