The use of Jetty --httpsCertificate and --httpsPrivateKey in CI instances after 2.361.* is not supported

1 minute readKnowledge base

Issue

After upgrading my Jenkins instance to a version newer than 2.361.*, I am unable to start it and I get one of the following exceptions:

Exception in thread "main" java.lang.IllegalArgumentException: Unrecognized option: --httpsPrivateKey

or

Exception in thread "main" java.lang.IllegalArgumentException: Unrecognized option: --httpsCertificate

Explanation

Support for OpenSSL-style PEM-encoded RSA private keys has been removed when running Jenkins with the embedded Jetty (Winstone) container and TLS. Specifically, the --httpsPrivateKey and --httpsCertificate flags have been removed in favor of the --httpsKeyStore flag. The removed flags have printed deprecation warnings since 2016 and were implemented with non-standard APIs that have since been removed from Java 17.

In past versions, they were recommended to be used when you wanted to Enable SSL without using a keystore password.

Resolution

The recommendation is to migrate to the --httpsKeyStore option, which takes a keystore as described in the documentation. As of JEP 229, PKCS12 is the recommended keystore type.