[JIRA] (OVIRT-1692) GetBadges notification broken
[ https://ovirt-jira.atlassian.net/browse/OVIRT-1692?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Evgheni Dereveanchin reassigned OVIRT-1692: --- Assignee: Evgheni Dereveanchin (was: infra) > GetBadges notification broken > - > > Key: OVIRT-1692 > URL: https://ovirt-jira.atlassian.net/browse/OVIRT-1692 > Project: oVirt - virtualization made easy > Issue Type: Bug > Components: oVirt CI >Reporter: Evgheni Dereveanchin >Assignee: Evgheni Dereveanchin >Priority: High > > getbadges.io changed their certificate yesterday. This is causing webhook to > fail as Java does not trust this cert: > 10:14:15 Failed to notify endpoint with url > 'https://ovirt-ovirt-engine.getbadges.io/api/app/webhook/66f43bb2-6b98-4aab-8d1a-7acca6704dab' > - javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target > Jenkins was updated yesterday as well so Java is the latest version. We may > need to disable this webhook in order not to confuse users with irrelevant > stack traces > Sample jobs: > http://jenkins.ovirt.org/job/jenkins_master_check-patch-el7-x86_64/2798/console > http://jenkins.ovirt.org/job/jenkins_master_check-patch-fcraw-x86_64/12/console > Both of them failed for other reasons, but the stack trace at the end is > misleading and confusing. > More info on the certificate: > Issued To > Common Name (CN) *.getbadges.io > Organizational Unit (OU) Domain Control Validated > Issued By > Common Name (CN) AlphaSSL CA - SHA256 - G2 > Organization (O) GlobalSign nv-sa > Organizational Unit (OU) > Validity Period > Issued On Wednesday, October 11, 2017 at 2:31:02 PM > Expires OnFriday, October 12, 2018 at 2:31:02 PM > Fingerprints > SHA-256 Fingerprint C4 06 EB 35 C4 CF CB FB 6E 0B CF 2D E3 39 5E E8 94 03 > 2F 7C 5D E6 8A B6 F7 EE C6 1E 05 89 C8 7D > SHA-1 Fingerprint DF 87 99 7E 0A E7 98 21 D4 13 9A 49 BE 86 1C 87 6B A0 > BA 5B -- This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100065) ___ Infra mailing list Infra@ovirt.org http://lists.ovirt.org/mailman/listinfo/infra
[JIRA] (OVIRT-1692) GetBadges notification broken
[ https://ovirt-jira.atlassian.net/browse/OVIRT-1692?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=35139#comment-35139 ] Evgheni Dereveanchin commented on OVIRT-1692: - Just some more info on where I expect this error to come from: - java should use $JAVA_HOME/lib/security/cacerts file as its trust store - in our case, this is a symlink: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/security/cacerts -> ../../../../../../../etc/pki/java/cacerts - this file is owned by ca-certificates rpm -qf /etc/pki/java/cacerts ca-certificates-2017.2.14-71.el7.noarch - this file does not contain the intermediate CA, just the top one: keytool -v -list -keystore /etc/pki/java/cacerts | grep -e "52:A4:1D:82:9C" -e "58:94:9C:F9:EC" Enter keystore password: changeit SHA1: B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C This means that the web server does not send the full trust chain, and Jenkins cannot reconstruct it. It is a web server misconfiguration, as confirmed by SSL tests: https://www.ssllabs.com/ssltest/analyze.html?d=ovirt-ovirt-engine.getbadges.io&latest Will send this info to GetBadges as it should be fixed on their side. > GetBadges notification broken > - > > Key: OVIRT-1692 > URL: https://ovirt-jira.atlassian.net/browse/OVIRT-1692 > Project: oVirt - virtualization made easy > Issue Type: Bug > Components: oVirt CI >Reporter: Evgheni Dereveanchin >Assignee: infra >Priority: High > > getbadges.io changed their certificate yesterday. This is causing webhook to > fail as Java does not trust this cert: > 10:14:15 Failed to notify endpoint with url > 'https://ovirt-ovirt-engine.getbadges.io/api/app/webhook/66f43bb2-6b98-4aab-8d1a-7acca6704dab' > - javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target > Jenkins was updated yesterday as well so Java is the latest version. We may > need to disable this webhook in order not to confuse users with irrelevant > stack traces > Sample jobs: > http://jenkins.ovirt.org/job/jenkins_master_check-patch-el7-x86_64/2798/console > http://jenkins.ovirt.org/job/jenkins_master_check-patch-fcraw-x86_64/12/console > Both of them failed for other reasons, but the stack trace at the end is > misleading and confusing. > More info on the certificate: > Issued To > Common Name (CN) *.getbadges.io > Organizational Unit (OU) Domain Control Validated > Issued By > Common Name (CN) AlphaSSL CA - SHA256 - G2 > Organization (O) GlobalSign nv-sa > Organizational Unit (OU) > Validity Period > Issued On Wednesday, October 11, 2017 at 2:31:02 PM > Expires OnFriday, October 12, 2018 at 2:31:02 PM > Fingerprints > SHA-256 Fingerprint C4 06 EB 35 C4 CF CB FB 6E 0B CF 2D E3 39 5E E8 94 03 > 2F 7C 5D E6 8A B6 F7 EE C6 1E 05 89 C8 7D > SHA-1 Fingerprint DF 87 99 7E 0A E7 98 21 D4 13 9A 49 BE 86 1C 87 6B A0 > BA 5B -- This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100065) ___ Infra mailing list Infra@ovirt.org http://lists.ovirt.org/mailman/listinfo/infra
[JIRA] (OVIRT-1692) GetBadges notification broken
[ https://ovirt-jira.atlassian.net/browse/OVIRT-1692?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=35138#comment-35138 ] eyal edri commented on OVIRT-1692: -- I merged https://gerrit.ovirt.org/#/c/82795/ to fix the error for now, but please folllow up with GetBadges and see if they can fix it, I'll add you as Game admin as well. > GetBadges notification broken > - > > Key: OVIRT-1692 > URL: https://ovirt-jira.atlassian.net/browse/OVIRT-1692 > Project: oVirt - virtualization made easy > Issue Type: Bug > Components: oVirt CI >Reporter: Evgheni Dereveanchin >Assignee: infra >Priority: High > > getbadges.io changed their certificate yesterday. This is causing webhook to > fail as Java does not trust this cert: > 10:14:15 Failed to notify endpoint with url > 'https://ovirt-ovirt-engine.getbadges.io/api/app/webhook/66f43bb2-6b98-4aab-8d1a-7acca6704dab' > - javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target > Jenkins was updated yesterday as well so Java is the latest version. We may > need to disable this webhook in order not to confuse users with irrelevant > stack traces > Sample jobs: > http://jenkins.ovirt.org/job/jenkins_master_check-patch-el7-x86_64/2798/console > http://jenkins.ovirt.org/job/jenkins_master_check-patch-fcraw-x86_64/12/console > Both of them failed for other reasons, but the stack trace at the end is > misleading and confusing. > More info on the certificate: > Issued To > Common Name (CN) *.getbadges.io > Organizational Unit (OU) Domain Control Validated > Issued By > Common Name (CN) AlphaSSL CA - SHA256 - G2 > Organization (O) GlobalSign nv-sa > Organizational Unit (OU) > Validity Period > Issued On Wednesday, October 11, 2017 at 2:31:02 PM > Expires OnFriday, October 12, 2018 at 2:31:02 PM > Fingerprints > SHA-256 Fingerprint C4 06 EB 35 C4 CF CB FB 6E 0B CF 2D E3 39 5E E8 94 03 > 2F 7C 5D E6 8A B6 F7 EE C6 1E 05 89 C8 7D > SHA-1 Fingerprint DF 87 99 7E 0A E7 98 21 D4 13 9A 49 BE 86 1C 87 6B A0 > BA 5B -- This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100065) ___ Infra mailing list Infra@ovirt.org http://lists.ovirt.org/mailman/listinfo/infra
[JIRA] (OVIRT-1692) GetBadges notification broken
[ https://ovirt-jira.atlassian.net/browse/OVIRT-1692?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=35130#comment-35130 ] eyal edri commented on OVIRT-1692: -- Can you please try to contact them and see if they can fix it? they are usually quite fast in responding via chat even on the website: https://ovirt-ovirt-engine.getbadges.io/activity ( contact us on the bottom right ) If they are not able to fix it, let's disable this integration for now. > GetBadges notification broken > - > > Key: OVIRT-1692 > URL: https://ovirt-jira.atlassian.net/browse/OVIRT-1692 > Project: oVirt - virtualization made easy > Issue Type: Bug > Components: oVirt CI >Reporter: Evgheni Dereveanchin >Assignee: infra >Priority: High > > getbadges.io changed their certificate yesterday. This is causing webhook to > fail as Java does not trust this cert: > 10:14:15 Failed to notify endpoint with url > 'https://ovirt-ovirt-engine.getbadges.io/api/app/webhook/66f43bb2-6b98-4aab-8d1a-7acca6704dab' > - javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target > Jenkins was updated yesterday as well so Java is the latest version. We may > need to disable this webhook in order not to confuse users with irrelevant > stack traces > Sample jobs: > http://jenkins.ovirt.org/job/jenkins_master_check-patch-el7-x86_64/2798/console > http://jenkins.ovirt.org/job/jenkins_master_check-patch-fcraw-x86_64/12/console > Both of them failed for other reasons, but the stack trace at the end is > misleading and confusing. > More info on the certificate: > Issued To > Common Name (CN) *.getbadges.io > Organizational Unit (OU) Domain Control Validated > Issued By > Common Name (CN) AlphaSSL CA - SHA256 - G2 > Organization (O) GlobalSign nv-sa > Organizational Unit (OU) > Validity Period > Issued On Wednesday, October 11, 2017 at 2:31:02 PM > Expires OnFriday, October 12, 2018 at 2:31:02 PM > Fingerprints > SHA-256 Fingerprint C4 06 EB 35 C4 CF CB FB 6E 0B CF 2D E3 39 5E E8 94 03 > 2F 7C 5D E6 8A B6 F7 EE C6 1E 05 89 C8 7D > SHA-1 Fingerprint DF 87 99 7E 0A E7 98 21 D4 13 9A 49 BE 86 1C 87 6B A0 > BA 5B -- This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100065) ___ Infra mailing list Infra@ovirt.org http://lists.ovirt.org/mailman/listinfo/infra
[JIRA] (OVIRT-1692) GetBadges notification broken
[ https://ovirt-jira.atlassian.net/browse/OVIRT-1692?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=35112#comment-35112 ] Evgheni Dereveanchin commented on OVIRT-1692: - Double-checked Java on the jenkins system - it has java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64 isntalled which is the latest version and was installed a month ago, on Sep 14 so this is definitely an issue with the new certificate on GetBadges side, not on Java side. The certification path in my browser to https://ovirt-ovirt-engine.getbadges.io/ looks as follows: GlobalSign Root CA (SHA-1 B1 BC 96 8B D4 F4 9D 62 2A A8 9A 81 F2 15 01 52 A4 1D 82 9C) AlphaSSL CA - SHA256 - G2 (SHA-1 4C 27 43 17 17 56 5A 3A 07 F3 E6 D0 03 2C 42 58 94 9C F9 EC) *.getbadges.io As Java cannot reconstruct the trust path, it means that one of these certs is missing from the trust store (probably the top one) > GetBadges notification broken > - > > Key: OVIRT-1692 > URL: https://ovirt-jira.atlassian.net/browse/OVIRT-1692 > Project: oVirt - virtualization made easy > Issue Type: Bug > Components: oVirt CI >Reporter: Evgheni Dereveanchin >Assignee: infra >Priority: High > > getbadges.io changed their certificate yesterday. This is causing webhook to > fail as Java does not trust this cert: > 10:14:15 Failed to notify endpoint with url > 'https://ovirt-ovirt-engine.getbadges.io/api/app/webhook/66f43bb2-6b98-4aab-8d1a-7acca6704dab' > - javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target > Jenkins was updated yesterday as well so Java is the latest version. We may > need to disable this webhook in order not to confuse users with irrelevant > stack traces > Sample jobs: > http://jenkins.ovirt.org/job/jenkins_master_check-patch-el7-x86_64/2798/console > http://jenkins.ovirt.org/job/jenkins_master_check-patch-fcraw-x86_64/12/console > Both of them failed for other reasons, but the stack trace at the end is > misleading and confusing. > More info on the certificate: > Issued To > Common Name (CN) *.getbadges.io > Organizational Unit (OU) Domain Control Validated > Issued By > Common Name (CN) AlphaSSL CA - SHA256 - G2 > Organization (O) GlobalSign nv-sa > Organizational Unit (OU) > Validity Period > Issued On Wednesday, October 11, 2017 at 2:31:02 PM > Expires OnFriday, October 12, 2018 at 2:31:02 PM > Fingerprints > SHA-256 Fingerprint C4 06 EB 35 C4 CF CB FB 6E 0B CF 2D E3 39 5E E8 94 03 > 2F 7C 5D E6 8A B6 F7 EE C6 1E 05 89 C8 7D > SHA-1 Fingerprint DF 87 99 7E 0A E7 98 21 D4 13 9A 49 BE 86 1C 87 6B A0 > BA 5B -- This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100065) ___ Infra mailing list Infra@ovirt.org http://lists.ovirt.org/mailman/listinfo/infra
[JIRA] (OVIRT-1692) GetBadges notification broken
Evgheni Dereveanchin created OVIRT-1692: --- Summary: GetBadges notification broken Key: OVIRT-1692 URL: https://ovirt-jira.atlassian.net/browse/OVIRT-1692 Project: oVirt - virtualization made easy Issue Type: Bug Components: oVirt CI Reporter: Evgheni Dereveanchin Assignee: infra Priority: High getbadges.io changed their certificate yesterday. This is causing webhook to fail as Java does not trust this cert: 10:14:15 Failed to notify endpoint with url 'https://ovirt-ovirt-engine.getbadges.io/api/app/webhook/66f43bb2-6b98-4aab-8d1a-7acca6704dab' - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Jenkins was updated yesterday as well so Java is the latest version. We may need to disable this webhook in order not to confuse users with irrelevant stack traces Sample jobs: http://jenkins.ovirt.org/job/jenkins_master_check-patch-el7-x86_64/2798/console http://jenkins.ovirt.org/job/jenkins_master_check-patch-fcraw-x86_64/12/console Both of them failed for other reasons, but the stack trace at the end is misleading and confusing. More info on the certificate: Issued To Common Name (CN)*.getbadges.io Organizational Unit (OU)Domain Control Validated Issued By Common Name (CN)AlphaSSL CA - SHA256 - G2 Organization (O)GlobalSign nv-sa Organizational Unit (OU) Validity Period Issued On Wednesday, October 11, 2017 at 2:31:02 PM Expires On Friday, October 12, 2018 at 2:31:02 PM Fingerprints SHA-256 Fingerprint C4 06 EB 35 C4 CF CB FB 6E 0B CF 2D E3 39 5E E8 94 03 2F 7C 5D E6 8A B6 F7 EE C6 1E 05 89 C8 7D SHA-1 Fingerprint DF 87 99 7E 0A E7 98 21 D4 13 9A 49 BE 86 1C 87 6B A0 BA 5B -- This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100065) ___ Infra mailing list Infra@ovirt.org http://lists.ovirt.org/mailman/listinfo/infra
