Infrastructure / INFRA-229

Expired Certificate in tool update center

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Component/s: www
    • Environment:
      jenkins versions 1.529, 1.597, 1.598. JRE 1.7.0_45-b18

      Description

      Since last night (Jan 27) I've been getting the exception below. It seems to be exactly the bug that's been fixed in https://issues.jenkins-ci.org/browse/INFRA-219?page=com.atlassian.streams.streams-jira-plugin:activity-stream-issue-tab

      Jan 28, 2015 11:43:55 AM hudson.model.DownloadService$Downloadable doPostBack
      SEVERE: <div class=error><img src='/static/93b0df6f/images/none.gif' height=16 width=1>Signature verification failed in downloadable 'hudson.tasks.Maven.MavenInstaller' <a href='#' class='showDetails'>(show details)</a><pre style='display:none'>java.security.cert.CertPathValidatorException: timestamp check failed
      at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:159)
      at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:351)
      at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:191)
      at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
      at org.jvnet.hudson.crypto.CertificateUtil.validatePath(CertificateUtil.java:93)
      at jenkins.util.JSONSignatureValidator.verifySignature(JSONSignatureValidator.java:76)
      at hudson.model.DownloadService$Downloadable.load(DownloadService.java:305)
      at hudson.model.DownloadService$Downloadable.doPostBack(DownloadService.java:293)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:606)
      at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
      at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
      at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
      at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:121)
      at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
      at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
      at org.kohsuke.stapler.MetaClass$6.doDispatch(MetaClass.java:249)
      at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
      at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
      at org.kohsuke.stapler.MetaClass$12.dispatch(MetaClass.java:391)
      at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
      at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:211)
      at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
      at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:746)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:876)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
      at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
      at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
      at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:123)
      at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:114)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:48)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
      at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
      at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
      at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
      at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
      at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
      at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
      at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
      at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
      at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
      at org.eclipse.jetty.server.Server.handle(Server.java:370)
      at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
      at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)
      at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)
      at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
      at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
      at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
      at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
      at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
      at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      at java.lang.Thread.run(Thread.java:744)
      Caused by: java.security.cert.CertificateExpiredException: NotAfter: Tue Jan 27 21:04:07 UTC 2015
      at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:273)
      at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:575)
      at sun.security.provider.certpath.BasicChecker.verifyTimestamp(BasicChecker.java:184)
      at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:136)
      at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:133)
      ... 72 more

            Activity

            orrc Christopher Orr added a comment -

            I believe this is a duplicate of INFRA-225 — the installer metadata files (in this case, for the Maven installer) have not been generated since October 2014, and therefore have been signed with the old certificate (i.e. the one that was replaced in INFRA-219).

            jglick Jesse Glick added a comment -

            The fix of INFRA-219 apparently only covered the certificate used by the plugin update center. The one for tools is still broken, and I guess UpdateCenterTest is not checking that. (My new DownloadService2Test does.)

            smox Simon R added a comment -

            Are there any known workarounds? Is it possible to use another host or access the host without SSL?

            jglick Jesse Glick added a comment -

            This ticket most directly expresses that the tool update center, not the plugin update center, is bad.

            jglick Jesse Glick added a comment -

            Simon R: SSL is not the issue, but rather the in-band signature.

            The only workaround I know of is to run Jenkins with -Dhudson.model.DownloadService.noSignatureCheck. Important: this mode should never be used in an installation with security configured, unless you first uncheck Use Browser in Download Preferences in global configuration.

            kohsuke Kohsuke Kawaguchi added a comment -

            Resolved by resolving INFRA-225

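The gap discussed in this thread (one metadata file re-signed, another still carrying the old signer) can be caught by a check that reads the signer certificate's notAfter out of every signed metadata file. The following is an added example, not code from this ticket or from Jenkins. It assumes each file carries base64 DER certificates under signature.certificates; expiring_signers, not_after and sample_doc are hypothetical names, and the sample certificates are constructed skeletons whose expired date is the NotAfter from the trace above.

```python
import base64
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """notAfter of a DER X.509 certificate, as an aware UTC datetime."""
    _, pos, _ = _tlv(der, 0)                # Certificate
    _, pos, _ = _tlv(der, pos)              # tbsCertificate
    tag, _, end = _tlv(der, pos)
    pos = end if tag == 0xA0 else pos       # skip the optional [0] version
    for _ in range(3):                      # serialNumber, signature algorithm, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)              # validity
    _, _, pos = _tlv(der, pos)              # skip notBefore
    tag, start, end = _tlv(der, pos)
    text = der[start:end].decode("ascii")
    if tag == 0x17:                         # UTCTime has a two-digit year
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def expiring_signers(docs, now, warn=timedelta(days=30)):
    """Map metadata name -> earliest signer notAfter that is expired or within `warn`."""
    flagged = {}
    for name, doc in docs.items():
        for b64 in doc["signature"]["certificates"]:   # assumed layout of the signed JSON
            expiry = not_after(base64.b64decode(b64))
            if expiry - now <= warn:
                flagged[name] = min(expiry, flagged.get(name, expiry))
    return flagged

def _enc(tag, body):                        # short-form DER encoder, for the samples only
    return bytes([tag, len(body)]) + body

def sample_doc(expiry):                     # constructed skeleton certificate: no key, no signature
    dates = _enc(0x17, b"140101000000Z") + _enc(0x17 if len(expiry) == 13 else 0x18, expiry)
    tbs = _enc(0xA0, _enc(2, b"\x02")) + _enc(2, b"\x01") + _enc(0x30, b"") * 2 + _enc(0x30, dates)
    return {"signature": {"certificates": [base64.b64encode(_enc(0x30, _enc(0x30, tbs))).decode()]}}

SAMPLES = {"update-center.json": sample_doc(b"20160127000000Z"),
           "hudson.tasks.Maven.MavenInstaller.json": sample_doc(b"150127210407Z")}
NOW = datetime(2015, 1, 28, 11, 43, 55, tzinfo=timezone.utc)   # constructed clock value
print(expiring_signers(SAMPLES, NOW))
```

Run against every published metadata file rather than one representative, with a warn window long enough to regenerate and re-sign before the signer lapses.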

              People

              • Assignee: kohsuke Kohsuke Kawaguchi
              • Reporter: ahendriksza Anton Hendriks
              • Votes: 3
              • Watchers: 9
