Plugin can not connect to Jenkins anymore with: [Fail] CSRF enabled -> Missing or bad crumb data #512

Closed
ststoessel opened this issue Aug 22, 2023 · 17 comments


ststoessel commented Aug 22, 2023

The Jenkins-Control-Plugin 1.8.3 stopped working.
It worked prior to the update.

If I test the connection I got the error message:
[Fail] CSRF enabled -> Missing or bad crumb data
We already used an application token for authentication.

IntelliJ 2023.2 (Ultimate)
Jenkins 2.346.1

Message shown:
HTTP ERROR 403 No valid crumb was included in the request
URI:
/api/json
STATUS:
403
MESSAGE:
No valid crumb was included in the request
SERVLET:
Stapler
Powered by Jetty:// 9.4.45.v2022020

@ststoessel ststoessel changed the title Plugin can not conenct to Jenkins anmyore with: [Fail] CSRF enabled -> Missing or bad crumb data Plugin can not connect to Jenkins anmyore with: [Fail] CSRF enabled -> Missing or bad crumb data Aug 22, 2023
MCMicS (Owner) commented Aug 22, 2023

Hi,
I have to investigate this because on my test machines/setups it still works.
From which version did you update?

Is the application token still valid or expired?

Can you test the following from a terminal, please:

curl -u user:apiToken http://jenkins.server:8080/api/json?tree=nodeName,url,description,primaryView%5Bname,url%5D

ststoessel (Author) commented Aug 22, 2023

Thanks for your fast response. I got an authorization error and so I removed the old token and created a new one. It's working again. You are doing an incredible job with the plugin.

MCMicS (Owner) commented Aug 22, 2023

Thanks a lot.
Nice to hear that it works for you now.

erickne commented Aug 25, 2023

@MCMicS
Same problem here.

WebStorm 2023.1
Jenkins 2.417

  1. Created a new token
  2. Error 403 : missing crumbs
  3. Executed cURL command and got the response:
{"_class":"hudson.model.Hudson","nodeName":"","description":null,"primaryView":{"_class":"hudson.model.AllView","name":"all","url":"https://jenkins.*******/"},"url":"https://jenkins.******/"}

I tried the server address with (and without) the suffix.

MCMicS (Owner) commented Aug 25, 2023

And you used the API token instead of the password?
Because the password requires a crumb, which is not supported anymore.

ststoessel (Author) commented Aug 25, 2023

My solution was:

  1. Delete your old token from your account within Jenkins
  2. Create a new token
  3. Use this new token in the plugin

MCMicS (Owner) commented Aug 25, 2023

Hi,
can you repeat the curl command with -v and share the info?

erickne commented Aug 25, 2023

> And you used the API token instead of the password? Because the password requires a crumb, which is not supported anymore.

I tried with password and token.

> My solution was:
>
>   1. Delete your old token from your account within Jenkins
>   2. Create a new token
>   3. Use this new token in the plugin

I tried with new token :( .

> Hi, can you repeat the curl command with -v and share the info?

Sure!


*   Trying x.x.x.x:443...
* TCP_NODELAY set
* Connected to jenkins.xxx.br (x.x.x.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=jenkins.xxxx.br
*  start date: Aug  7 20:55:12 2023 GMT
*  expire date: Nov  5 20:55:11 2023 GMT
*  subjectAltName: host "jenkins.xxxxxxxxxxxxxxx.br" matched cert's "jenkins.xxxxxxxxxxxxxx.br"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Server auth using Basic with user 'erick.engelhardt'
* Using Stream ID: 1 (easy handle 0x564faaed78d0)
> GET /api/json?tree=nodeName,url,description,primaryView%5Bname,url%5D HTTP/2
> Host: jenkins.xxxxxxxxxxxxxxxxx.br
> authorization: Basic xxxxxxxxxxxxxxxxxxxTOKENxxxxxxxxxxxx
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< server: nginx
< date: Fri, 25 Aug 2023 23:23:34 GMT
< content-type: application/json;charset=utf-8
< content-length: 222
< x-content-type-options: nosniff
< access-control-allow-credentials: true
< access-control-allow-origin: https://observability.browserstack.com
< access-control-allow-methods: POST, GET, OPTIONS, PUT
< access-control-allow-headers: *
< access-control-expose-headers: *
< access-control-max-age: 999
< x-jenkins: 2.417
< x-jenkins-session: 5deddbd9
< x-frame-options: deny
< x-powered-by: PleskLin
<
* Connection #0 to host jenkins.xxxxxxx.br left intact

Just to let you know, this instance is running in Docker with an Nginx reverse proxy.

erickne commented Aug 25, 2023

I used the same token in another plugin (Jenkins Pipeline Linter) and it's working.

MCMicS (Owner) commented Aug 26, 2023

Is this server publicly visible, and can you grant me access for testing?
You can contact me privately on gitter/matrix

Channel: https://matrix.to/#/#jenkins-control-plugin_community:gitter.im
Me:
https://matrix.to/#/@mcmics-58e400f2d73408ce4f561945:gitter.im

If not possible to grant access I can provide a version with extended logging

Do you have any proxy configured in WebStorm?

Is this a new installation, or was this working before and happens after an update?

Can you retry curl with Post please?
I will figure out if a configuration/network issue exists
curl -v -X Post -u user:apiToken http://jenkins.server:8080/api/json?tree=nodeName,url,description,primaryView%5Bname,url%5D

@MCMicS MCMicS reopened this Aug 26, 2023
erickne commented Aug 27, 2023

> Is this server publicly visible, and can you grant me access for testing? You can contact me privately on gitter/matrix
>
> Channel: https://matrix.to/#/#jenkins-control-plugin_community:gitter.im
> Me: https://matrix.to/#/@mcmics-58e400f2d73408ce4f561945:gitter.im
>
> If not possible to grant access I can provide a version with extended logging
>
> Do you have any proxy configured in WebStorm?
>
> Is this a new installation, or was this working before and happens after an update?
>
> Can you retry curl with Post please? I will figure out if a configuration/network issue exists
> curl -v -X Post -u user:apiToken http://jenkins.server:8080/api/json?tree=nodeName,url,description,primaryView%5Bname,url%5D

It's working again! Please see my past message #512 (comment).

MCMicS (Owner) commented Aug 27, 2023

I thought you meant with the comment that your token works in the linter plugin but not in Jenkins Control.

So it's working for you now? Then can this be closed?

erickne commented Aug 27, 2023 via email

theandrewlane commented Mar 13, 2024

Hey @MCMicS!

I'm on 0.13.19-2023.2 and still facing this issue. My Jenkins is a CloudBees CI Managed Controller, and the Jenkins Linter plugin is able to connect with the same username/token I'm trying here - I was actually configuring both plugins at the same time :)

My Jenkins configuration is a bit different - https://jenkins.server/api/json returns a 503 whereas https://jenkins.server/my-team-name/api/json returns the expected json.

The following curl command returns the expected result:

curl -v -X Post -u user:apiToken https://jenkins.server/my-team-name/api/json?tree=nodeName,url,description,primaryView%5Bname,url%5D

I've also tried these settings with the v0.13.17 (before the crumb config was removed) and got the same result.

Actual configuration params omitted

MCMicS (Owner) commented Mar 14, 2024

Hmm, strange. If you use an API token, the crumb should not be needed. I can have a look next week.
Is it possible to grant access to check against?

@theandrewlane

> Hmm, strange. If you use an API token, the crumb should not be needed. I can have a look next week. Is it possible to grant access to check against?

Interesting... Welp I can assure you I'm using a Jenkins token - the same token I'm using for the Jenkins Linter plugin. I unfortunately cannot grant you access to my server, but I'm happy to help you debug!

MCMicS (Owner) commented Mar 17, 2024

Hmm, I created a special version with additional logs a while ago (see #69 (comment)). Maybe you can use this to get further information, or I'll add additional logs these days in a newer version.

org.codinjutsu.tools.jenkins
#org.codinjutsu.tools.jenkins:trace

Plugin: https://github.com/MCMicS/jenkins-control-plugin/files/12533934/jenkins-control-plugin-0.13.19-eap3-2023.2-signed.zip
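
The manual checks from this thread (the same query sent with GET and then POST as user:apiToken, the 403 crumb page, the 503 at the wrong base path) gathered into one script. This is an added example, not part of the issue or of the plugin's code; the function names and the JENKINS_API_TOKEN variable are made up for illustration.

```shell
# classify_jenkins_reply STATUS BODY  ->  prints one diagnosis keyword
classify_jenkins_reply() {
  case "$1" in
    200)
      # A usable /api/json reply is a JSON object carrying a "_class" field.
      case "$2" in
        *'"_class"'*) echo ok ;;
        *)            echo unexpected-body ;;
      esac ;;
    # Assumption: rejected Basic credentials (revoked or mistyped token) give 401;
    # the thread itself only says "authorization error".
    401) echo bad-credentials ;;
    403)
      case "$2" in
        # Wording from the error page quoted in the issue.
        *'No valid crumb'*) echo crumb-required ;;
        *)                  echo forbidden ;;
      esac ;;
    # 503 is what the thread reports at the root path of a controller served
    # under /my-team-name/; 404 is assumed here to point the same way.
    404|503) echo wrong-base-url ;;
    *) echo "unhandled-$1" ;;
  esac
}

# probe_jenkins BASE_URL USER  ->  one line per method, e.g. "POST crumb-required"
# Reads the token from JENKINS_API_TOKEN and hands it to curl on stdin (-K -),
# so it does not appear in the process list or shell history.
probe_jenkins() (
  base=${1%/}
  query='api/json?tree=nodeName,url,description,primaryView%5Bname,url%5D'
  body_file=$(mktemp) || exit 1
  trap 'rm -f "$body_file"' EXIT
  for method in GET POST; do
    status=$(printf 'user = "%s:%s"\n' "$2" "$JENKINS_API_TOKEN" |
             curl -sS -K - -X "$method" -o "$body_file" -w '%{http_code}' \
                  "$base/$query") || { echo "$method transport-error"; continue; }
    echo "$method $(classify_jenkins_reply "$status" "$(cat "$body_file")")"
  done
)
```

With JENKINS_API_TOKEN exported, `probe_jenkins https://jenkins.server/my-team-name user` prints one diagnosis per method; `GET ok` next to `POST crumb-required` means the credential is accepted for reads while the POST was still held to CSRF protection, which per the thread points at password rather than API-token authentication.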
