I have a Jenkins 2.371 instance. In order to be secure, I have requested SSL certificates and implemented it. Jenkins UI is now running fine use servername.domain.com with https.
The problem comes with the agents. I have imported my jks certificate chain into the jdk using keytool, so not a problem with the certificates at all. When I startup the agent, I get an error:
SEVERE: serverdetail /tcpSlaveAgentListener/ appears to be publishing an invalid X-Instance-Identity.
java.io.IOException: serverdetail /tcpSlaveAgentListener/ appears to be publishing an invalid X-Instance-Identity.
at org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver.resolve(JnlpAgentEndpointResolver.java:28
So, it seems that the url advertised by the server is not what is expected by the agent.
For reference purpose (not relevant however), the keytool command to add the jks to the cacerts store used:
keytool -import -alias /tmp/jenkins.jks -cacerts -keypass 'Password' -file servername_domain_com.cer -storepass 'changeit'
As for agent startup. I have downloaded the agent.jar again, since the move to https then the usual:
java -jar agent.jar -jnlpUrl servername.domain.com/computer/agenthostname/jenkins-agent.jnlp -secret @secret-file -workDir "/opt/jenkins"
The agent startup includes the jnlp. I say this because, the only articles I’ve found on a similar error, states that the jnlp path should be excluded, but sadly, that makes little sense, yet I did try it, however the agent now just retries connectivity as it does not get the expected response.
.