jenkinsci/office-365-connector-plugin

I/O exception (javax.net.ssl.SSLException) caught when processing request: hostname in certificate didn't match

thommelutten opened this issue · 4 comments

Hi, I've run into quite an odd error. When setting up from fresh, it publishes the very first run without problems; however, later it gives an odd certificate error and won't publish.

Version report

Jenkins version: 2.285
Office 365 Connector version: 4.15.0

Error

The following error is output in the Jenkins System Log (with business name redacted):

jul. 12, 2021 10:39:44 AM INFO org.apache.commons.httpclient.HttpMethodDirector executeWithRetry

I/O exception (javax.net.ssl.SSLException) caught when processing request: hostname in certificate didn't match: <XX.webhook.office.com> != </*.internal.outlook.com/*.outlook.com/outlook.com/office365.com/*.office365.com/*.outlook.office365.com/*.office.com/outlook.office.com/substrate.office.com/attachment.outlook.live.net/attachment.outlook.office.net/attachment.outlook.officeppe.net/attachments.office.net/*.clo.footprintdns.com/*.nrb.footprintdns.com/ccs.login.microsoftonline.com/ccs-sdf.login.microsoftonline.com/substrate-sdf.office.com/attachments-sdf.office.net/*.live.com/mail.services.live.com/hotmail.com/*.hotmail.com/outlook.com>

Steps taken (but hard to reproduce I guess)

  • Install Office 365 Connector plugin on Jenkins

  • Set up Jenkins Connector on Teams

  • Copy the URL given from Jenkins Connector (XX.webhook.office.com) and follow the guide. Paste into Freestyle job / pipeline job. (i.e.)

    • office365ConnectorSend "https://XX.webhook.office.com/webhookb2/6f20852f-f639-4552-8689-96973e13bac4@28bd4fcf-62e4-472e-adbe-07863b92831c/JenkinsCI/3a173b01dcf14ca4bf5b30d01992d71b/f5f0722e-c59f-4eda-9304-25243bef4551"

Results

Expected result:

  • The job publishes Job result to Teams at the end of job.

Actual result:

  • The first time the plugin is installed, it publishes the Job result to Teams; afterwards it outputs the previously mentioned error message in the System Log. The job still turns green on Jenkins, but no message is received on Teams.

The error is pretty obvious, I'd guess, being that the hostname certificate is wrong; however, the URL is generated from Teams, so it isn't really possible to change it.

It looks to me like the problem is with your infrastructure or network.

I don't think it's an infrastructure or network issue. I'm seeing this today.
Jenkins version 2.277.4
Office 365 Connector 4.15.2

I wonder if it's an SNI issue. Without SNI, I get the certificate list from @thommelutten's exception (which I also see in Jenkins' console). With SNI from my laptop, I get the correct *.webhook.office.com CN and SAN.

Output from testssl.sh XX.webhook.office.com:

 Common Name (CN)             *.webhook.office.com  (CN in response to request w/o SNI: outlook.com )
 subjectAltName (SAN)         *.webhook.office.com
 Trust (hostname)             Ok via SAN wildcard and CN wildcard (SNI mandatory)

Note the comment on the final line: SNI mandatory

I can almost see the fix, but it's about 10 years since I worked with Java more than 1 day every 6-9 months...

https://github.com/jenkinsci/office-365-connector-plugin/blob/master/src/main/java/jenkins/plugins/office365connector/HttpWorker.java#L68
Somewhere here, it needs to call httpclient.getHostConfiguration().setHost("www.whatever.com", 443, myhttps); but with the relevant host parsed from the string url.

I recommend not using regex or string parsing though; it needs to be done through the URL class, since there are waaaaaay too many edge cases.

Ref: https://hc.apache.org/httpclient-legacy/sslguide.html
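An added diagnostic example (not code from this thread or from the plugin): it parses the mismatch message quoted in the issue and applies standard wildcard matching, showing that `*.office.com` in the no-SNI certificate covers only one label and so cannot match `XX.webhook.office.com`. The function names and the shortened sample message are constructed for illustration; `presented_names` is a live probe that needs network access and is not called here.

```python
import re
import socket
import ssl

# Constructed from the exception text in this issue (name list shortened).
SAMPLE_EXCEPTION = (
    "hostname in certificate didn't match: <XX.webhook.office.com> != "
    "</*.internal.outlook.com/*.outlook.com/outlook.com/office365.com"
    "/*.office365.com/*.office.com/outlook.office.com>"
)

def parse_mismatch(message):
    """Return (requested_host, [names in the presented certificate])."""
    m = re.search(r"<([^<>]+)> != <([^<>]+)>", message)
    if not m:
        raise ValueError("not a hostname-mismatch message")
    return m.group(1), [n for n in m.group(2).split("/") if n]

def name_matches(host, pattern):
    """Wildcard rule: '*' must be the whole leftmost label and covers exactly one label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        # Conservative: refuse wildcards directly under a single label such as '*.com'.
        return len(p) > 2 and h[1:] == p[1:]
    return h == p

def covering_names(host, names):
    """Certificate names that actually cover the requested host."""
    return [n for n in names if name_matches(host, n)]

def presented_names(host, port=443, use_sni=True, timeout=5.0):
    """Live probe: DNS SANs of the certificate served with or without SNI."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are compared by the caller; the chain is still verified
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sni = host if use_sni else None  # None means no server_name extension is sent
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

if __name__ == "__main__":
    host, names = parse_mismatch(SAMPLE_EXCEPTION)
    print(host, "covered by:", covering_names(host, names) or "nothing")
```

Running `covering_names(host, presented_names(host, use_sni=False))` against `presented_names(host, use_sni=True)` from the Jenkins controller reproduces the comparison that the testssl.sh output above reports.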