Jenkins Automatic Generation of a Self-Signed Certificate is Unreliable

Article ID:226744608


  • Jenkins fails on startup with the following stack trace:

SEVERE: Container startup failed Failed to start a listener: winstone.HttpsConnectorFactory
    at winstone.Launcher.spawnListener(
    at winstone.Launcher.<init>(
    at winstone.Launcher.main(
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(
    at java.lang.reflect.Method.invoke(
    at Main._main(
    at Main.main(
Caused by: java.lang.NoClassDefFoundError: sun/security/x509/CertAndKeyGen
    at winstone.HttpsConnectorFactory.start(
    at winstone.Launcher.spawnListener(
    ... 8 more
Caused by: java.lang.ClassNotFoundException:

  • Jenkins startup logs show:

WARNING: Creating a self-signed certificate currently relies on unsupported APIs in the Oracle JRE.
Please create your own certificate using supported tools instead and use --httpsKeyStore.


This issue is caused by the auto-generation of a self-signed certificate, which is carried out by the Jetty Winstone container. This feature fails with JDK 8+ as well as with the latest version of OpenJDK 7. For more information, have a look at JENKINS-25333.

The problem occurs only if you use --httpsPort without providing a keystore or a certificate. In that case Jenkins tries to run with an auto-generated self-signed certificate.

Although the issue has been fixed since Jenkins 2.38, the auto-generation of a self-signed certificate still relies on unsupported APIs and is deprecated.


The recommended solution is to generate a custom key and certificate and provide the keystore, as described in the article How to setup HTTPS within Jetty.
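
A preflight check for this situation, as an added example that is not part of the original article or of Jenkins itself: it classifies the launch arguments, creates a keystore with keytool, and refuses to start when --httpsPort is given without key material. The function names, the `jenkins` alias, the KS_PASS variable and all paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Classifies a Jenkins/Winstone
# argument list and prints "disabled", "explicit" or "autogenerated".
https_mode() {
    port="" store="" cert="" key=""
    for arg in "$@"; do
        case "$arg" in
            --httpsPort=*)        port=${arg#*=} ;;
            --httpsKeyStore=*)    store=${arg#*=} ;;
            --httpsCertificate=*) cert=${arg#*=} ;;
            --httpsPrivateKey=*)  key=${arg#*=} ;;
        esac
    done
    if [ -z "$port" ] || [ "$port" = "-1" ]; then
        echo disabled          # no HTTPS listener requested
    elif [ -n "$store" ] || { [ -n "$cert" ] && [ -n "$key" ]; }; then
        echo explicit          # operator-supplied keystore or cert/key pair
    else
        echo autogenerated     # the case this article describes
    fi
}

# Create a keystore holding a self-signed key pair. The password is read from
# the KS_PASS environment variable so it does not appear in the process list.
# $1 = keystore path (constructed), $2 = host name used as the certificate CN.
make_keystore() {
    keytool -genkeypair -alias jenkins -keyalg RSA -keysize 2048 \
        -validity 365 -dname "CN=$2" \
        -keystore "$1" -storepass:env KS_PASS -keypass:env KS_PASS
}

# Refuse to launch when the listener would use an auto-generated certificate.
# $1 = path to jenkins.war; the remaining arguments are passed to Jenkins.
start_jenkins() {
    war=$1; shift
    if [ "$(https_mode "$@")" = "autogenerated" ]; then
        echo "refusing to start: --httpsPort given without --httpsKeyStore" >&2
        return 1
    fi
    exec java -jar "$war" "$@"
}

# Typical use (constructed values):
#   KS_PASS=... make_keystore /var/lib/jenkins/jenkins.jks jenkins.example.com
#   start_jenkins jenkins.war --httpsPort=8443 \
#       --httpsKeyStore=/var/lib/jenkins/jenkins.jks --httpsKeyStorePassword=...
```
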

Another solution is to manage HTTPS with a reverse proxy; see Reverse proxy configuration.