Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Specifying a PEM-encoded self-signed root CA certificate via -cert does not work #908

Open
mickaelstrg opened this issue Nov 29, 2024 · 3 comments · May be fixed by #925
Open

Specifying a PEM-encoded self-signed root CA certificate via -cert does not work #908

mickaelstrg opened this issue Nov 29, 2024 · 3 comments · May be fixed by #925

Comments

@mickaelstrg
Copy link

mickaelstrg commented Nov 29, 2024
edited
Loading

Jenkins and plugins versions report

Environment 
Jenkins 2.462.2 running in Kubernetes
Using jenkins/inbound-agent:latest@sha256:7df39b03883b9741dacbaac976f054d584c21aeeb54474cf315c5b8dd03db7ef

What Operating System are you using (both controller, and any agents involved in the problem)?

Agent: Debian 12
Controller: Debian 12

both are running in kubernetes

Reproduction steps

  1. Create self-signed root ca certificate and jenkins certificate
  2. Configure jenkins to use the endpoint certificate in the truststore
  3. Mount the root ca certificate in inbound agent's container e.g. under /etc/ssl/certs/ca-certificates.crt
  4. Run job using agent by using -cert @/etc/ssl/certs/ca-certificates.crt argument (or -cert $ROOT_CA by dumping the root CA cert into the ROOT_CA environment variable)

Expected Results

Connection via HTTPS to jenkins controller works

Actual Results

Connection via HTTPS to jenkins controller does not work

When using the inbound agent to connect to Jenkins which is setup with a self-signed certificate, I'm using the -cert parameter from the agent.jar to specify the path to the root CA certificate that is used to sign the jenkins certificate:

/opt/java/openjdk/bin/java -jar /usr/share/jenkins/agent.jar -cert @/etc/ssl/certs/ca-certificates.crt -tunnel jenkins-agent.jenkins.svc.cluster.local:30001 -url https://jenkins.jenkins.svc.cluster.local:8080/ -workDir /home/jenkins/agent -noReconnectAfter 1d blablabla hostname 
"-----END CERTIFICATE-----" is not a valid option

Work-around by storing the root CA cert in an environment variable:

export ROOT_CA=$(cat /etc/ssl/certs/ca-certificates.crt)
/opt/java/openjdk/bin/java -jar /usr/share/jenkins/agent.jar -cert $ROOT_CA -tunnel jenkins-agent.jenkins.svc.cluster.local:30001 -url https://jenkins.jenkins.svc.cluster.local:8080/ -workDir /home/jenkins/agent -noReconnectAfter 1d blablabla hostname 
"-----END" is not a valid option

Cert is valid:

openssl x509 -in /etc/ssl/certs/ca-certificates.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            bf:c0:2a:84:f5:63:50:65:2d:9f:44:1a:8f:d2:e6:21
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = jenkins-ca.example.com
        Validity
            Not Before: Nov 26 07:38:52 2024 GMT
            Not After : Nov 24 07:38:52 2034 GMT
        Subject: CN = jenkins-ca.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:eb:73:51:64:a7:02:9f:a0:3b:2b:a9:2f:9f:6b:
                    9f:3e:ec:bf:f9:61:1b:95:10:2a:79:81:4b:72:6d:
                    73:49:f2:5f:60:a4:f8:28:4f:3d:95:34:58:b1:72:
                    c3:30:2f:1e:17:69:1e:4e:4f:58:8a:b2:27:d6:05:
                    f7:dc:93:79:f3:15:d2:48:c3:22:1b:7a:11:c3:4c:
                    b8:06:f8:b9:68:42:78:6e:33:f1:4c:cb:d8:9c:5b:
                    51:a6:8f:b8:3b:ad:bf:9b:50:81:c4:09:3c:50:c3:
                    67:c2:49:6a:d0:f9:44:94:5a:ae:fb:a8:c2:89:6c:
                    32:08:5f:86:5a:6d:f8:b9:a8:d7:f7:34:9e:0d:24:
[...]

This looks to me like something makes it that part of the certificate is considered an argument so the parsing does not work as expected.

Anything else?

No response

Are you interested in contributing a fix?

No response
@biru-codeastromer
Copy link

@mickaelstrg Hello Sir can i work on this issue ?

@mickaelstrg
Copy link
Author

hi @biru-codeastromer, yes, nobody prevents you from working on this I think :)

@biru-codeastromer
Copy link

@mickaelstrg Okay Sir will work on it. Thanks !

biru-codeastromer added a commit to biru-codeastromer/docker-agent that referenced this issue Jan 3, 2025
@biru-codeastromer
Fix handling of -cert parameter in inbound agent
4f60bda 
Fixes jenkinsci#908

Add handling for the `-cert` parameter in `jenkins-agent` and `jenkins-agent.ps1` scripts.

## jenkins-agent
  - Add logic to handle the `-cert` parameter by reading the certificate file content.
  - Update the `exec` command to include the `-cert` parameter if provided.

## jenkins-agent.ps1
  - Add logic to handle the `-cert` parameter by reading the certificate file content.
  - Update the `Start-Process` command to include the `-cert` parameter if provided.

## debian/Dockerfile
  - Add instructions to copy the certificate file to the container.
  - Update the `ENTRYPOINT` to include the `-cert` parameter if provided.

## alpine/Dockerfile
  - Add instructions to copy the certificate file to the container.
  - Update the `ENTRYPOINT` to include the `-cert` parameter if provided.
@biru-codeastromer biru-codeastromer linked a pull request Jan 3, 2025 that will close this issue
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix handling of -cert parameter in inbound agent biru-codeastromer/docker-agent
2 participants
@mickaelstrg @biru-codeastromer