INFRA-109

Invalid certificate warning on repo-jenkins-ci.org

      Description

      The docs (https://wiki.jenkins-ci.org/display/JENKINS/Plugin+tutorial) say to put http://repo.jenkins-ci.org/public/ as a repository. It is a very bad idea to have this hosted on http and not https. Users who have an understanding of security and try to switch it to https find that it is not even an option; they are greeted with an error.

      This is probably not the site you are looking for!
      You attempted to reach repo.jenkins-ci.org, but instead you actually reached a server identifying itself as *.artifactoryonline.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of repo.jenkins-ci.org.
      You should not proceed, especially if you have never seen this warning before for this site.

      Sonatype just got some bad press for fetching jars over http by default and has now changed to https (http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/). I think we should follow their lead.

            Activity

            chengas123 Ben McCann created issue -
            danielbeck Daniel Beck made changes -
            Field: Original Value -> New Value
            Project: Jenkins [ 10172 ] -> Infrastructure [ 10301 ]
            Key: JENKINS-24191 -> INFRA-109
            Workflow: JNJira [ 157069 ] -> jira [ 157070 ]
            Component/s artifactory [ 18923 ]
            Component/s security [ 15508 ]
            Component/s maven [ 16033 ]
            danielbeck Daniel Beck added a comment -

            Seems more like a cosmetic issue. Just connect to

            http://jenkinsci.artifactoryonline.com/jenkinsci/

            instead.

            $ ping repo.jenkins-ci.org
            PING artifactoryonline-com-1665998254.us-east-1.elb.amazonaws.com (54.85.250.136): 56 data bytes
            64 bytes from 54.85.250.136: icmp_seq=0 ttl=45 time=121.190 ms

            Jenkins project uses Artifactory Cloud and uses its default cert.

            danielbeck Daniel Beck made changes -
            Priority: Critical [ 2 ] -> Minor [ 4 ]
            chengas123 Ben McCann added a comment -

            Great, thanks! That's very helpful. Any objection to me updating the wiki to suggest putting https://jenkinsci.artifactoryonline.com/jenkinsci/public/ instead of http://repo.jenkins-ci.org/public/ in the ~/.m2/settings.xml file? I think it'd be nice to suggest a secure configuration by default. It also would take load off Jenkins servers since requests wouldn't be routed through jenkins-ci.org.

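            As an added example (not part of this issue or of the Jenkins project's own tooling): a small Python check for the two problems raised in the description and in the settings.xml suggestion above, namely repository URLs fetched over plain http and a certificate whose names (the *.artifactoryonline.com wildcard quoted in the browser warning) do not cover repo.jenkins-ci.org. The settings.xml below is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample ~/.m2/settings.xml mixing the plain-http URL the wiki
# suggested with an https variant (not taken from the issue's attachments).
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <profiles><profile><id>jenkins</id>
    <repositories>
      <repository><id>jenkins-public</id><url>http://repo.jenkins-ci.org/public/</url></repository>
    </repositories>
    <pluginRepositories>
      <pluginRepository><id>jenkins-plugins</id><url>https://repo.jenkins-ci.org/public/</url></pluginRepository>
    </pluginRepositories>
  </profile></profiles>
</settings>"""

def _local(tag):
    """Strip the Maven XML namespace so settings.xml and pom.xml are handled alike."""
    return tag.rpartition("}")[2]

def find_insecure_repo_urls(xml_text):
    """Return repository/pluginRepository <url> values fetched over plain http."""
    insecure = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) in ("repository", "pluginRepository"):
            for child in elem:
                if _local(child.tag) == "url" and child.text:
                    url = child.text.strip()
                    if url.lower().startswith("http://"):
                        insecure.append(url)
    return insecure

def cert_matches_hostname(cert_names, hostname):
    """Browser-style hostname check: a wildcard covers exactly one DNS label,
    so *.artifactoryonline.com matches jenkinsci.artifactoryonline.com but
    never repo.jenkins-ci.org, which is the warning quoted in the issue."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                      # ".artifactoryonline.com"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif name == host:
            return True
    return False

if __name__ == "__main__":
    print("plain-http repos:", find_insecure_repo_urls(SAMPLE_SETTINGS))
    print("cert covers repo.jenkins-ci.org:",
          cert_matches_hostname(["*.artifactoryonline.com"], "repo.jenkins-ci.org"))
```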
            danielbeck Daniel Beck added a comment - edited

            Yeah, that'll make things depend on a specific service, in this case Artifactory Cloud/Online. I think the goal is to have repo.jenkins-ci.org always point to the 'real' host, as it's in countless plugins' pom.xml files.

            chengas123 Ben McCann added a comment -

            Makes sense. Though in that case it would be nice to allow https://repo.jenkins-ci.org to be used. It currently cannot be because of the certificate warning. I think that it's probably proxying artifactory right now, but I believe if it were changed to a redirect instead that this issue would be fixed.

            danielbeck Daniel Beck added a comment -

            Assigning to rtyler for review as discussed on IRC.

            danielbeck Daniel Beck made changes -
            Assignee R. Tyler Croy [ rtyler ]
            chengas123 Ben McCann added a comment -

            SBT just made the same change such that Maven Central Repository, Java.net Maven 2 Repository, and Typesafe Repository will now default to HTTPS (See release notes https://github.com/sbt/sbt/blob/0.13/notes/0.13.6.md). It would be really great if Jenkins could make its repositories available via https as well.

            rtyler R. Tyler Croy added a comment -

            I'll have to find a contact at Artifactory since it's technically their certificate. We'll have to give them one for repo.jenkins-ci.org.

            rtyler R. Tyler Croy made changes -
            Assignee R. Tyler Croy [ rtyler ]
            daspilker Daniel Spilker added a comment -

            Is there a chance to get this fixed soon? Or is it future-proof and recommended to use the https://jenkins-ci.artifactoryonline.com/jenkinsci/releases/ URL?

            danielbeck Daniel Beck added a comment -

            Should be possible to point settings.xml there as a workaround (proxy repo or what it's called), but I doubt it's a good choice for pom.xml.

            rtyler R. Tyler Croy made changes -
            Link This issue is duplicated by INFRA-519 [ INFRA-519 ]
            rtyler R. Tyler Croy made changes -
            Summary: SSL configuration warning -> Invalid certificate warning on repo-jenkins-ci.org
            jhoblitt Joshua Hoblitt made changes -
            Link This issue is related to INFRA-587 [ INFRA-587 ]
            rtyler R. Tyler Croy made changes -
            Status: Open [ 1 ] -> In Progress [ 3 ]
            Assignee R. Tyler Croy [ rtyler ]
            rtyler R. Tyler Croy added a comment -

            I have the certificates generated properly, just waiting on a response from JFrog support on how to get the certificates installed.

            rtyler R. Tyler Croy made changes -
            Labels community-bee
            rtyler R. Tyler Croy added a comment -

            I've uploaded the certs for JFrog to deploy, ball is in their court now.

            rtyler R. Tyler Croy added a comment -

            Our DevOps Team will add your certificate and key to your Artifactory SaaS server on Sunday March 6th, during your weekly maintenance.

            We're so close omehegan!

            rtyler R. Tyler Croy added a comment -

            The certificate was installed sometime last night by JFrog when I wasn't looking, yay

            rtyler R. Tyler Croy made changes -
            Status: In Progress [ 3 ] -> Closed [ 6 ]
            Resolution Fixed [ 1 ]

              People

              Assignee: R. Tyler Croy (rtyler)
              Reporter: Ben McCann (chengas123)
              Votes: 0
              Watchers: 5