java.io.IOException: No X-Jenkins-CLI2-Port (jenkins cli not working )

Asked 24/5, 2016 at 4:3 Answered 10/5, 2017 at 11:45

java exception jenkins http-status-code-403 jenkins-cli

I'm trying to run the following command:

java -jar jenkins-cli.jar -s http://jenkins_URL/ --username myusername --password mypassword help

But I'm getting the error :

java.io.IOException: No X-Jenkins-CLI2-Port among [null, X-Required-Permission, X-Jenkins, X-You-Are-In-Group, X-Hudson, Content-Length, Expires, X-You-Are-Authenticated-As, X-Permission-Implied-By, Set-Cookie, Server, X-Content-Type-Options, Date, X-Jenkins-Session, Content-Type] at hudson.cli.CLI.getCliTcpPort(CLI.java:284) at hudson.cli.CLI.(CLI.java:128) at hudson.cli.CLIConnectionFactory.connect(CLIConnectionFactory.java:72) at hudson.cli.CLI._main(CLI.java:473) at hudson.cli.CLI.main(CLI.java:384) Suppressed: java.io.IOException: Server returned HTTP response code: 403 for URL: http://52.9.217.252:8888/cli at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1628) at hudson.cli.FullDuplexHttpStream.(FullDuplexHttpStream.java:78) at hudson.cli.CLI.connectViaHttp(CLI.java:152) at hudson.cli.CLI.(CLI.java:132) ... 3 more

my config.xml file

<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <disabledAdministrativeMonitors/>
  <version>1.0</version>
  <numExecutors>2</numExecutors>
  <mode>NORMAL</mode>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>false</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
  <disableRememberMe>false</disableRememberMe>
  <projectNamingStrategy class="jenkins.model.ProjectNamingStrategy$DefaultProjectNamingStrategy"/>
  <workspaceDir>${ITEM_ROOTDIR}/workspace</workspaceDir>
  <buildsDir>${ITEM_ROOTDIR}/builds</buildsDir>
  <jdks/>
  <viewsTabBar class="hudson.views.DefaultViewsTabBar"/>
  <myViewsTabBar class="hudson.views.DefaultMyViewsTabBar"/>
  <clouds/>
  <scmCheckoutRetryCount>0</scmCheckoutRetryCount>
  <views>
    <hudson.model.AllView>
      <owner class="hudson" reference="../../.."/>
      <name>All</name>
      <filterExecutors>false</filterExecutors>
      <filterQueue>false</filterQueue>
      <properties class="hudson.model.View$PropertyList"/>
    </hudson.model.AllView>
  </views>
  <primaryView>All</primaryView>
  <slaveAgentPort>-1</slaveAgentPort>
  <label></label>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
  </crumbIssuer>
  <nodeProperties/>
  <globalNodeProperties/>
</hudson>

Pusey answered 24/5, 2016 at 4:3 Comment(0)

There is an official solution at the Jenkins Wiki Page for CLI.

The solution is

Go to Manage Jenkins (in the Jenkins UI)
-> Configure Global Security
-> "TCP port for JNLP agents": choose fixed or random

Issuance answered 22/8, 2016 at 14:40 Comment(0)

For those looking on how to make this work programatically (unattended). You have to change

    <jenkins.CLI>
      <enabled>false</enabled>
    </jenkins.CLI>

    <jenkins.CLI>
      <enabled>true</enabled>
    </jenkins.CLI>

in /var/lib/jenkins/jenkins.CLI.xml and restart jenkins

Recto answered 10/5, 2017 at 11:45 Comment(1)

That will allow the -remoting option without enabling security, not changing anything manually. – Recto 10/5, 2017 at 11:46

To be sure it's not an username and/or password error change this line:

<denyAnonymousReadAccess>true</denyAnonymousReadAccess>

into:

<denyAnonymousReadAccess>false</denyAnonymousReadAccess>

in your config.xml file.

Now you can connect to your jenkins interface to debug your credentials

Don't forget to reset it to true.

Arleen answered 24/5, 2016 at 10:41 Comment(5)

I'm able to see the jenkins interface. I'm not able to run the CLI commands. I tried doing what you said, I'm still not able to run the CLI commands/ – Pusey 25/5, 2016 at 4:26

You have a 403 error, if it's not a credential issue, maybe it's about your web server config. Can you put your web server config? With more informations (port, proxy port etc...) – Arleen 25/5, 2016 at 8:0

I've added my config.xml to the description. – Pusey 26/5, 2016 at 2:42

Can you put your jenkins web server config? (apache or nginx etc...) – Arleen 26/5, 2016 at 16:57

I'm sorry, I'm not able to understand...why would I install an apache or nginx server? – Pusey 27/5, 2016 at 1:45

If you're not clear why it fails, run under strace/dtruss debugger, e.g.

$ strace -fs1000 -e trace=network java -jar jenkins-cli.jar -s http://localhost:8080/ help

If you've got:

HTTP/1.1 403 No valid crumb was included in the request

error, then you need to either provide crumb in the request, or disable CSRF Protection.

Using Jenkins CLI it's not working yet when the crumb issuer is enabled, so you can use curl instead. For example (replace localhost with your Jenkins address):

Note your user API Token (/user/USER/configure).

Get your crumb:

CRUMB=$(curl -s 'http://USER:TOKEN@localhost:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')

Invoke some command (e.g. list the jobs):

curl -H $CRUMB http://USER:TOKEN@localhost:8080/api/json

Related: Jenkins REST API Create job

Afterwards answered 11/7, 2016 at 18:54 Comment(0)

Recommended topics

Hot tags