The use of Jetty --httpsCertificate and --httpsPrivateKey in CI instances after 2.361.* is not supported

1 minute readKnowledge base

Issue

After upgrading my Jenkins instance to a version newer than 2.361.*, I am unable to start it and I get one of the following exceptions:

Exception in thread "main" java.lang.IllegalArgumentException: Unrecognized option: --httpsPrivateKey

or

Exception in thread "main" java.lang.IllegalArgumentException: Unrecognized option: --httpsCertificate

Explanation

Support for OpenSSL-style PEM-encoded RSA private keys has been removed when running Jenkins with the embedded Jetty (Winstone) container and TLS. Specifically, the --httpsPrivateKey and --httpsCertificate flags have been removed in favor of the --httpsKeyStore flag. The removed flags have printed deprecation warnings since 2016 and were implemented with non-standard APIs that have since been removed from Java 17.

See Changes since 2.361: Winstone 6.1: at https://www.jenkins.io/doc/upgrade-guide/2.361/#updated-jetty-version, https://github.com/jenkinsci/jenkins/pull/6801, https://github.com/jenkinsci/winstone/pull/232.

In past versions, they were recommended to be used when you wanted to Enable SSL without using a keystore password.

Environment

Resolution

The recommendation is to migrate to the --httpsKeyStore option, which takes a keystore as described in the documentation. As of JEP 229, PKCS12 is the recommended keystore type.

References

This article is part of our Knowledge Base and is provided for guidance-based purposes only. The solutions or workarounds described here are not officially supported by CloudBees and may not be applicable in all environments. Use at your own discretion, and test changes in a safe environment before applying them to production systems.