Algorithm constraints check failed on keysize limits

Hi
I have a Jenkins instance 2.479.3 with openjdk 17.0.15 2025-04-15 LTS that is installed on a RHEL server.
I’m using nginx/1.14.1 to configure the URL on port 8443.
Jobs are not executing because of the error below. Could someone please help here? I will add any further details that are required.

Hi @Spandana. :waving_hand:

You’re hitting the “Algorithm constraints check failed on keysize limits” error, which usually means (at least to me) Java’s security policy is rejecting small or insecure cryptographic keys.

This commonly affects:

  • Jenkins core or agents connecting over SSH
  • Nginx reverse proxy using outdated SSL certificates
  • Any HTTPS/TLS connection using keys < 2048 bits (like 1024-bit RSA)

Ideas to fix it

1. Update keys/certificates to secure sizes

  • Make sure all keys/certs used are ≥ 2048 bits (preferably 3072 or 4096 bits)
  • This includes:
    • Jenkins controller/agent SSH keys
    • TLS/SSL certificates used by Nginx or Jenkins
    • Any internal CA or keystore certificates
  • Regenerate any keys still using 1024 bits.

2. Adjust Java security policy if needed

  • Open your Java security policy file:
sudo nano /usr/lib/jvm/java-17-openjdk/conf/security/java.security
  • Look for these lines:
jdk.certpath.disabledAlgorithms
jdk.tls.disabledAlgorithms
  • Ensure they don’t block the algorithms/key sizes you use.
    For example, if you see:
RSA keySize < 2048

…then any 1024-bit RSA key will be rejected.

  • Only relax these rules temporarily for testing; prefer regenerating weak keys.

3. Restart services

After fixing keys or policies:

sudo systemctl restart jenkins
sudo systemctl restart nginx

Bottom line

  • Preferred fix: Use 2048+ bit keys everywhere
  • Optional fallback: Adjust java.security policy if you absolutely must allow smaller keys (not recommended for production)

Here’s a quick shell script to scan your system for keys/certificates < 2048 bits (RSA or similar) that could cause the Java keysize error with Jenkins or Nginx.


Script: check_key_sizes.sh

#!/bin/bash
# Scan for RSA private keys and certificates < 2048 bits.
# Only RSA is reported: Java's keySize limits are per algorithm, so a 256-bit
# EC key is not weak and must not trigger a warning.

echo "=== Checking private keys ==="
find /etc/ssl /etc/nginx /var/lib/jenkins -type f \( -name "*.key" -o -name "*.pem" \) 2>/dev/null | while read -r key; do
  # Skip passphrase-protected keys so openssl never prompts inside the loop
  if grep -q 'ENCRYPTED' "$key" 2>/dev/null; then
    echo "ℹ️ Skipping encrypted key (inspect manually): $key"
    continue
  fi
  # "openssl rsa" fails on certificates and non-RSA keys, so $bits stays empty for them.
  # The header is "Private-Key: (1024 bit, 2 primes)" on OpenSSL 3 and
  # "RSA Private-Key: (1024 bit, 2 primes)" on 1.1.x, so split on the parentheses
  # and take the first word inside them rather than a fixed field number.
  bits=$(openssl rsa -in "$key" -noout -text 2>/dev/null | awk -F'[()]' '/Private-Key:/{split($2, a, " "); print a[1]; exit}')
  if [[ -n "$bits" && "$bits" -lt 2048 ]]; then
    echo "⚠️ Weak RSA key ($bits bits): $key"
  fi
done

echo ""
echo "=== Checking certificates ==="
find /etc/ssl /etc/nginx /var/lib/jenkins -type f \( -name "*.crt" -o -name "*.pem" \) 2>/dev/null | while read -r crt; do
  # Remember the "Public Key Algorithm:" line, then read the size from the following
  # "Public-Key: (2048 bit)" line only when the algorithm is RSA.
  bits=$(openssl x509 -in "$crt" -noout -text 2>/dev/null | awk -F'[()]' '/Public Key Algorithm:/{rsa = ($0 ~ /rsaEncryption|rsassaPss/)} /Public-Key:/{if (rsa) {split($2, a, " "); print a[1]}; exit}')
  if [[ -n "$bits" && "$bits" -lt 2048 ]]; then
    echo "⚠️ Weak RSA certificate ($bits bits): $crt"
  fi
done


Usage

chmod +x check_key_sizes.sh
sudo ./check_key_sizes.sh

It will:

  • Search typical locations (/etc/ssl, /etc/nginx, /var/lib/jenkins)
  • Detect RSA keys and certs
  • Print a warning for anything < 2048 bits
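Added example, separate from the reply above and not code from Jenkins or the JDK: a small shell helper that reads a java.security file the way the JDK does for these properties (lines starting with # are comments, a trailing backslash continues the value onto the next line) and answers whether a key of a given algorithm and size is caught by a `keySize` constraint in jdk.certpath.disabledAlgorithms or jdk.tls.disabledAlgorithms. The property names and the constraint syntax (`<ALG> keySize <op> <n>` with operators <, <=, ==, !=, >, >=) are the real ones; the java.security fragment it runs against is constructed for the demo, and the function names are mine.

```shell
#!/bin/bash
# Added example: does a key of a given algorithm and size fall under a
# "<ALG> keySize <op> <n>" constraint in a java.security property?
# Reads the file as java.util.Properties does for this purpose:
# "#" lines are comments and a trailing backslash continues the value.

# Print the effective value of PROP from FILE, continuation lines joined.
java_security_property() {
  local file="$1" prop="$2"
  awk -v p="$prop" '
    cont {
      sub(/^[ \t]+/, "")                  # Properties drops leading blanks on continued lines
      line = line $0
      if (sub(/\\[ \t]*$/, "", line)) next
      print line; exit
    }
    $0 ~ ("^" p "[ \t]*=") {
      sub("^" p "[ \t]*=", "")
      line = $0
      if (sub(/\\[ \t]*$/, "", line)) { cont = 1; next }
      print line; exit
    }' "$file"
}

# Exit 0 if a key of algorithm ALG with BITS bits matches a keySize constraint
# for ALG in PROP, otherwise exit 1. Entries without "keySize" (MD5,
# "SHA1 jdkCA & usage TLSServer", ...) are ignored: they are not size limits.
key_is_disabled() {
  local file="$1" prop="$2" alg="$3" bits="$4"
  java_security_property "$file" "$prop" | tr ',' '\n' | awk -v alg="$alg" -v bits="$bits" '
    $1 == alg && $2 == "keySize" {
      op = $3; n = $4 + 0
      if ((op == "<"  && bits <  n) || (op == "<=" && bits <= n) ||
          (op == "==" && bits == n) || (op == "!=" && bits != n) ||
          (op == ">"  && bits >  n) || (op == ">=" && bits >= n)) { hit = 1; exit }
    }
    END { exit !hit }'
}

# Constructed java.security fragment for the demo (not copied from any server);
# the property names and the backslash continuation style are the real ones.
sample_java_security() {
  cat <<'EOF'
# Comment lines must be ignored, including this one
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 2048, DSA keySize < 1024, EC keySize < 224, \
    SHA1 usage SignedJAR & denyAfter 2019-01-01
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
EOF
}

# Human-readable verdict for one (property, algorithm, bits) triple.
verdict() {
  local file="$1" prop="$2" alg="$3" bits="$4"
  if key_is_disabled "$file" "$prop" "$alg" "$bits"; then
    echo "REJECTED  $alg $bits-bit  by $prop"
  else
    echo "accepted  $alg $bits-bit  by $prop"
  fi
}

demo_file=$(mktemp)
sample_java_security > "$demo_file"
for spec in "RSA 1024" "RSA 2048" "EC 192" "EC 256" "DSA 1024"; do
  verdict "$demo_file" jdk.certpath.disabledAlgorithms ${spec}
done
verdict "$demo_file" jdk.tls.disabledAlgorithms RSA 1024   # no RSA keySize rule in the tls list
rm -f "$demo_file"
# Against the real file on the server instead:
#   key_is_disabled /path/to/java.security jdk.certpath.disabledAlgorithms RSA 1024 && echo rejected
```

Run it against the `java.security` that the Jenkins JVM actually loads (check which JDK the jenkins service uses before assuming a path) and feed it the algorithm and size your scan script reported; "DSA 1024" is accepted by the sample because the rule is strictly less than 1024, which is the kind of boundary worth confirming before regenerating keys.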