Jenkins Automatic Generation of a Self-Signed Certificate is Unreliable

Article ID:226744608

Issue

  • Jenkins fails on startup with the following stack trace:

SEVERE: Container startup failed
java.io.IOException: Failed to start a listener: winstone.HttpsConnectorFactory
    at winstone.Launcher.spawnListener(Launcher.java:209)
    at winstone.Launcher.<init>(Launcher.java:149)
    at winstone.Launcher.main(Launcher.java:354)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at Main._main(Main.java:293)
    at Main.main(Main.java:98)
Caused by: java.lang.NoClassDefFoundError: sun/security/x509/CertAndKeyGen
    at winstone.HttpsConnectorFactory.start(HttpsConnectorFactory.java:100)
    at winstone.Launcher.spawnListener(Launcher.java:207)
    ... 8 more
Caused by: java.lang.ClassNotFoundException: sun.security.x509.CertAndKeyGen
    [...]
  • Jenkins startup logs show:

WARNING: Creating a self-signed certificate currently relies on unsupported APIs in the Oracle JRE.
Please create your own certificate using supported tools instead and use --httpsKeyStore.

Explanation

This issue is caused by the automatic generation of a self-signed certificate carried out by the Jetty Winstone container. That feature fails with JDK 8+ as well as with the latest releases of OpenJDK 7, because it depends on the internal class sun.security.x509.CertAndKeyGen shown in the stack trace above. For more information, have a look at JENKINS-25333.

The problem occurs only if you use --httpsPort without providing a keystore or a certificate. In that case Jenkins tries to run with an auto-generated self-signed certificate.

Although the startup failure has been fixed since Jenkins 2.38, the automatic generation of a self-signed certificate still relies on unsupported APIs and is deprecated.

Resolution

The recommended solution is to generate your own key and certificate and provide the keystore to Jenkins, as described in the following article: How to setup HTTPS within Jetty.

Another solution is to manage HTTPS with a reverse proxy, see Reverse proxy configuration.
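As an added example (not part of this article or of the Jenkins project), the script below uses the JDK's keytool to build a PKCS12 keystore holding a self-signed certificate, checks that the keystore opens, and starts Jenkins with --httpsKeyStore so Winstone never falls back to its deprecated auto-generation; the hostname, keystore path and password are placeholders.

```shell
#!/bin/sh
# Added example: create a keystore with supported tooling (keytool) and pass it
# to Jenkins via --httpsKeyStore.  Hostname, path and password are placeholders.

# Generate a PKCS12 keystore containing an RSA key and a self-signed certificate.
# Arguments: keystore path, keystore password, hostname used for CN and SAN.
generate_keystore() {
    ks="$1"; pw="$2"; host="$3"
    # umask 077 keeps the private key out of reach of other local users.
    ( umask 077 && keytool -genkeypair \
        -alias jenkins -keyalg RSA -keysize 2048 -validity 365 \
        -storetype PKCS12 -keystore "$ks" -storepass "$pw" \
        -dname "CN=$host" -ext "SAN=dns:$host" ) >/dev/null 2>&1
}

# Sanity check before launching: the keystore must open with the given
# password and contain the expected alias.
verify_keystore() {
    keytool -list -keystore "$1" -storepass "$2" -alias jenkins >/dev/null 2>&1
}

# Launch arguments: HTTPS on 8443 backed by the keystore, plain HTTP disabled.
jenkins_args() {
    printf '%s' "--httpPort=-1 --httpsPort=8443 --httpsKeyStore=$1 --httpsKeyStorePassword=$2"
}

main() {
    KS="${JENKINS_KEYSTORE:-/var/lib/jenkins/jenkins.p12}"   # placeholder path
    PW="${JENKINS_KEYSTORE_PASSWORD:-changeit}"              # placeholder password
    HOST="${JENKINS_HOST:-jenkins.example.com}"              # placeholder hostname
    generate_keystore "$KS" "$PW" "$HOST" || { echo "keytool failed" >&2; exit 1; }
    verify_keystore "$KS" "$PW" || { echo "keystore check failed" >&2; exit 1; }
    # shellcheck disable=SC2046
    exec java -jar jenkins.war $(jenkins_args "$KS" "$PW")
}

# Run as: sh setup-https.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

The keystore password given on the command line is visible to other local users in the process list, so on a shared host prefer setting JENKINS_KEYSTORE_PASSWORD from a file with restricted permissions rather than typing it inline.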

This article is part of our Knowledge Base and is provided for guidance-based purposes only. The solutions or workarounds described here are not officially supported by CloudBees and may not be applicable in all environments. Use at your own discretion, and test changes in a safe environment before applying them to production systems.