Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Component/s: update-center
    • Labels: None

      Description

      Hi,

      Have seen this a few times, trying to search for plugins brings me an error page:

      Signature verification failed in update site 'default'

      And in the logs:

      ERROR: Signature verification failed in update site 'default'
      java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: CN=Community Update Center, O=Jenkins Project, ST=California, C=US.
          at sun.security.util.DisabledAlgorithmConstraints$KeySizeConstraint.permits(DisabledAlgorithmConstraints.java:817)
          at sun.security.util.DisabledAlgorithmConstraints$Constraints.permits(DisabledAlgorithmConstraints.java:419)
          at sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:167)
          at sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:326)

      So I tried editing my java.security file to remove RSA and 1024 cert requirements on the jdk.certpath.disabledAlgorithms. Even commented it out.

      Added -Dhudson.model.DownloadService.noSignatureCheck=true to the jenkins startup as a java args.

      Have had no success at all, not sure what the problem is. 

            Activity

            lvotypkova Lucie Votypkova added a comment -

            Thank you Alex, this explains the behavior. It seems we need a more secure certificate.
            olblak Olivier Vernin added a comment -

            This issue is related to INFRA-974; the update center certificate needs to be updated.
            richardfearn Richard Fearn added a comment -

            I too have had to change /etc/crypto-policies/back-ends/java.config on my F29 server, but I don't understand something:

            Caused: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: CN=Community Update Center, O=Jenkins Project, ST=California, C=US.

            Where is the 1024-bit key?

            • The certificate in the update metadata JSON (the "Community Update Center" one mentioned in the error) looks to be RSA 2048-bit
            • The certificates in WEB-INF/update-center-rootCAs - jenkins-update-center-root-ca and jenkins-update-center-root-ca-2 - look to be RSA 2048-bit and RSA 4096-bit respectively

            What is the validator actually complaining about?!
            richardfearn Richard Fearn added a comment -

            What is the validator actually complaining about?!

            Ah - figured it out. In fact the answer was right there in the log:

            WARNING: signature check failed for https://updates.jenkins-ci.org/updates/hudson.tools.JDKInstaller.json
            ERROR: Signature verification failed in downloadable 'hudson.tools.JDKInstaller' [...]

            The top-level update metadata uses a 2048-bit certificate:

            $ curl -sL https://updates.jenkins-ci.org/update-center.json | tail -n +2 | head -n -1 | jq -r .signature.certificates[0] | base64 -d | openssl x509 -inform der -text -noout | fgrep Public-Key
                            Public-Key: (2048 bit)

            But hudson.tools.JDKInstaller.json uses a 1024-bit certificate:

            $ curl -s https://updates.jenkins-ci.org/updates/hudson.tools.JDKInstaller.json.html | tail -n +2 | head -n -1 | jq -r .signature.certificates[0] | base64 -d | openssl x509 -inform der -text -noout | fgrep Public-Key
                            Public-Key: (1024 bit)
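An added example, not part of this issue or of Jenkins itself: a Python check that does offline what the curl/jq/openssl pipeline above does, unwrapping the update-site JSON, decoding `signature.certificates[0]` and reading the RSA modulus width with a small DER walker, then applying the 2048-bit floor that the JDK's `jdk.certpath.disabledAlgorithms` enforces. The sample documents are constructed, with a bare SubjectPublicKeyInfo standing in for a full X.509 certificate, and the `<!-- -->` wrapper is assumed for the `.json.html` variant.

```python
import base64
import json
import re

def _der_items(buf):
    """Yield (tag, content) for each top-level DER TLV element in buf."""
    pos = 0
    while pos < len(buf):
        tag, first = buf[pos], buf[pos + 1]
        n = 0 if first < 0x80 else first & 0x7F  # long form: low 7 bits = number of length octets
        length = first if n == 0 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        yield tag, buf[pos + 2 + n:pos + 2 + n + length]
        pos += 2 + n + length

def rsa_modulus_bits(der):
    """Width of n in the first BIT STRING { SEQUENCE { n, e } } (RSAPublicKey) found depth-first; in an X.509 cert that is the SubjectPublicKeyInfo."""
    for tag, content in _der_items(der):
        if tag == 0x03:  # BIT STRING: first content byte is the unused-bits count
            try:
                outer = list(_der_items(content[1:]))
                parts = list(_der_items(outer[0][1])) if len(outer) == 1 and outer[0][0] == 0x30 else []
            except IndexError:  # a signature BIT STRING holds raw bytes, not DER: skip it
                parts = []
            if len(parts) == 2 and all(t == 0x02 for t, _ in parts):
                return int.from_bytes(parts[0][1], "big").bit_length()
        elif tag & 0x20:  # constructed (SEQUENCE, SET, [n] EXPLICIT): descend
            found = rsa_modulus_bits(content)
            if found is not None:
                return found
    return None

def check_signing_cert(text, min_bits=2048):
    """(modulus bits, passes the JDK 'RSA keySize < 2048' rule) for signature.certificates[0]; strips the 'updateCenter.post(...);' wrapper or the assumed '<!-- -->' one of *.json.html."""
    m = re.match(r"^(?:updateCenter\.post\((.*)\);|<!--(.*)-->)$", text.strip(), re.S)
    doc = json.loads((m.group(1) or m.group(2)) if m else text)
    bits = rsa_modulus_bits(base64.b64decode(doc["signature"]["certificates"][0]))
    return bits, bits is not None and bits >= min_bits

# Constructed sample data: a bare SubjectPublicKeyInfo stands in for a full X.509 certificate.
def _der(tag, content):
    n, size = len(content), (len(content).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")) + content

def sample_site(modulus_bits, html=False):
    """Update-site JSON whose signing 'certificate' has an RSA modulus exactly modulus_bits wide."""
    enc = lambda v: _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))  # INTEGER with sign pad
    n = (1 << (modulus_bits - 1)) | 1  # not a real modulus, only its width matters here
    spki = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00" + _der(0x30, enc(n) + enc(65537))))
    body = json.dumps({"signature": {"certificates": [base64.b64encode(spki).decode()]}})
    return "<!--" + body + "-->" if html else "updateCenter.post(" + body + ");"
```

Fed the raw text of a real update-center.json or a downloadable's .json.html, `check_signing_cert` reports which metadata files still carry a signing key below the JDK's floor, without changing java.security or disabling the signature check.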
            danielbeck Daniel Beck added a comment -

            I believe this has finally been addressed thanks to INFRA-1944 in December.

            While it's still just 2048, separate issues should be filed for further improvements if they don't exist yet.

              People

              • Assignee: Unassigned
              • Reporter: sheepykins Chris P
              • Votes: 4
              • Watchers: 9
