Re: Error updating plugins from Jenkins
Mark, Daniel,

According to the logs I can confirm that I got the certificate error when there was no server_name sent in the ClientHello message. Actually the log shows that the SNI was tried to be set, but failed.

javax.net.ssl|DEBUG|49|Update center installer thread [#1]|2021-11-22 09:15:12.165 CET|Utilities.java:73|the previous server name in SNI (type=host_name (0), value=get.jenkins.io) was replaced with (type=host_name (0), value=get.jenkins.io)
javax.net.ssl|WARNING|49|Update center installer thread [#1]|2021-11-22 09:15:12.166 CET|ServerNameExtension.java:255|*Unable to indicate server name*

I've found this Java bug https://bugs.openjdk.java.net/browse/JDK-8220564, which seems to be related and fixed since then. I managed to upgrade my Java and it seems it solved the issue.

Thank you both.

--
Tamas

On Friday, November 19, 2021 at 11:18:26 PM UTC+1 Daniel Beck wrote:

> > On 19. Nov 2021, at 20:52, Mark Waite wrote:
> >
> > I thought that certificate could be reported when a request is made to the IP address of an HTTP server hosted in Kubernetes. The Kubernetes server needs the hostname in order to use the correct SSL certificate (or something like that).
>
> https://en.wikipedia.org/wiki/Server_Name_Indication
>
> The Kubernetes cert in the first message is the one for get.jenkins.io without SNI.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/ade70882-9df7-4fe5-8198-d2650a524ab5n%40googlegroups.com.
Re: Error updating plugins from Jenkins
> On 19. Nov 2021, at 20:52, Mark Waite wrote:
>
> I thought that certificate could be reported when a request is made to the IP address of an HTTP server hosted in Kubernetes. The Kubernetes server needs the hostname in order to use the correct SSL certificate (or something like that).

https://en.wikipedia.org/wiki/Server_Name_Indication

The Kubernetes cert in the first message is the one for get.jenkins.io without SNI.
Re: Error updating plugins from Jenkins
On Friday, November 19, 2021 at 12:35:36 PM UTC-7 you wrote:

> Mark,
>
> Thank you for your response.
>
> Yes I'm running Linux. (sorry for missing this information)
>
> I suspected the Let's Encrypt certificates earlier, so I've already added ISRG Root X1 (the issuer of Let's Encrypt) to the cacerts file.
> Nevertheless I just replaced my cacerts file with the one in the most recent Java 8 release, restarted Jenkins but it did not help. The first plugin was downloaded successfully, the second failed as before.
>
> Actually what I don't understand is how downloading the very first plugin succeeds. It's consistently the first plugin which succeeds and the others fail.
> If downloading the other plugins fails due to a missing/expired Let's Encrypt certificate, the first one should also fail. It should not be able to connect to updates.jenkins.io at all.

If there are multiple Jenkins mirrors that are roughly the same distance to you, then the mirrorbits response from https://get.jenkins.io might redirect the second request to a different HTTP server than the first request. However, if you confirmed that they are all working, that seems unlikely to be the cause.

> Also, I have a standalone application which I use to check the HTTP redirects and certificates, and this never fails to download the plugins (the URLs are taken from Jenkins log), even though I use the very same JRE instance on the very same machine.

I assume that curl or wget from that machine will successfully retrieve https://updates.jenkins.io/latest/antisamy-markup-formatter.hpi and https://updates.jenkins.io/latest/ant.hpi and https://updates.jenkins.io/latest/adoptopenjdk.hpi. If not, then the issue is related to something outside of Java (like the ca-certs file).

> My application uses HttpsURLConnection to download the files. I don't know whether Jenkins uses the same or some framework.
>
> The other thing I don't see is how the "CN=Kubernetes Ingress Controller Fake Certificate, O=Acme Co" comes into the picture. According to the logs (see my original e-mail) the SSL handshake fails on this certificate, but I don't really see which server this certificate comes from.

I thought that certificate could be reported when a request is made to the IP address of an HTTP server hosted in Kubernetes. The Kubernetes server needs the hostname in order to use the correct SSL certificate (or something like that).

> I've also checked the mirrorlist as you suggested. All mirrors listed in the response look good, that is, have a valid certificate chain according to my cacerts file.

Unfortunately, I'm out of ideas if one of those does not resolve the issue.

Mark Waite
Re: Error updating plugins from Jenkins
Mark,

Thank you for your response.

Yes I'm running Linux. (sorry for missing this information)

I suspected the Let's Encrypt certificates earlier, so I've already added ISRG Root X1 (the issuer of Let's Encrypt) to the cacerts file.
Nevertheless I just replaced my cacerts file with the one in the most recent Java 8 release, restarted Jenkins but it did not help. The first plugin was downloaded successfully, the second failed as before.

Actually what I don't understand is how downloading the very first plugin succeeds. It's consistently the first plugin which succeeds and the others fail.
If downloading the other plugins fails due to a missing/expired Let's Encrypt certificate, the first one should also fail. It should not be able to connect to updates.jenkins.io at all.

Also, I have a standalone application which I use to check the HTTP redirects and certificates, and this never fails to download the plugins (the URLs are taken from Jenkins log), even though I use the very same JRE instance on the very same machine.
My application uses HttpsURLConnection to download the files. I don't know whether Jenkins uses the same or some framework.

The other thing I don't see is how the "CN=Kubernetes Ingress Controller Fake Certificate, O=Acme Co" comes into the picture. According to the logs (see my original e-mail) the SSL handshake fails on this certificate, but I don't really see which server this certificate comes from.

I've also checked the mirrorlist as you suggested. All mirrors listed in the response look good, that is, have a valid certificate chain according to my cacerts file.

--
Tamas

On Friday, November 19, 2021 at 6:34:17 PM UTC+1 Mark Waite wrote:

> I think that the output of https://updates.jenkins.io/latest/antisamy-markup-formatter.hpi?mirrorlist will show that your location may be served by multiple Jenkins mirrors.
>
> You can then check each of the mirrors to identify if one of them is responding with an incorrect SSL certificate.
>
> It could also be that the JDK on your Jenkins controller or the ca-certificates package on your Jenkins controller are too old to recognize the September 2021 updates to Let's Encrypt root certificates. I suspect that Java 11.0.1+13-LTS on the controller likely indicates that the ca-certificates package is also similarly out of date (assuming you're running Linux). Update the packages on your controller so that you have the latest security fixes for Java and for the operating system.
>
> Mark Waite
>
> On Friday, November 19, 2021 at 10:26:26 AM UTC-7 you wrote:
>
>> Hello,
>>
>> When I try updating plugins, the very first plugin gets downloaded successfully, but the subsequent ones fail to download.
>>
>> [image: Jenkins.png]
>> According to *Details* the SSL handshake fails due to a certificate error:
Re: Error updating plugins from Jenkins
I think that the output of https://updates.jenkins.io/latest/antisamy-markup-formatter.hpi?mirrorlist will show that your location may be served by multiple Jenkins mirrors.

You can then check each of the mirrors to identify if one of them is responding with an incorrect SSL certificate.

It could also be that the JDK on your Jenkins controller or the ca-certificates package on your Jenkins controller are too old to recognize the September 2021 updates to Let's Encrypt root certificates. I suspect that Java 11.0.1+13-LTS on the controller likely indicates that the ca-certificates package is also similarly out of date (assuming you're running Linux). Update the packages on your controller so that you have the latest security fixes for Java and for the operating system.

Mark Waite

On Friday, November 19, 2021 at 10:26:26 AM UTC-7 you wrote:

> Hello,
>
> When I try updating plugins, the very first plugin gets downloaded successfully, but the subsequent ones fail to download.
>
> [image: Jenkins.png]
> According to *Details* the SSL handshake fails due to a certificate error: