InfrastructureIcon indicating the project type

Infrastructure

Uploaded image for project: 'Infrastructure'
  1. Infrastructure
  2. INFRA-587

repo.jenkins-ci.org returning invalid TLS certificate

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      It appears that `http://maven.jenkins-ci.org/...` redirects to `https://repo.jenkins-ci.org/...`, which has a bad TLS cert.

      This has at least broken puppet-jenkins.

      ```
      $ curl -I http://maven.jenkins-ci.org/content/repositories/releases/org/jenkins-ci/plugins/swarm-client/1.22//swarm-client-1.22-jar-with-dependencies.jar
      HTTP/1.1 302 Found
      Date: Tue, 01 Mar 2016 18:01:22 GMT
      Server: Apache/2.2.14 (Ubuntu)
      Location: https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/swarm-client/1.22//swarm-client-1.22-jar-with-dependencies.jar
      Vary: Accept-Encoding
      Content-Type: text/html; charset=iso-8859-1
      Set-Cookie: SERVERID=local; path=/

      $ curl -I https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/swarm-client/1.22//swarm-client-1.22-jar-with-dependencies.jar
      curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
      ```

      ```
      $ openssl s_client -showcerts -connect repo.jenkins-ci.org:443 </dev/null
      CONNECTED(00000003)
      depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
      verify return:1
      depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
      verify return:1
      depth=1 C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G3
      verify return:1
      depth=0 C = IL, ST = Israel, L = Netanya, O = Jfrog Ltd., CN = *.jfrog.org
      verify return:1

      Certificate chain
      0 s:/C=IL/ST=Israel/L=Netanya/O=Jfrog Ltd./CN=*.jfrog.org
      i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
      ----BEGIN CERTIFICATE----
      MIIE1zCCA7+gAwIBAgIQMJw5zifVURC2xTf5BJYCwzANBgkqhkiG9w0BAQsFADBE
      MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UEAxMU
      R2VvVHJ1c3QgU1NMIENBIC0gRzMwHhcNMTUwMjI2MDAwMDAwWhcNMTcwMjI1MjM1
      OTU5WjBbMQswCQYDVQQGEwJJTDEPMA0GA1UECBMGSXNyYWVsMRAwDgYDVQQHFAdO
      ZXRhbnlhMRMwEQYDVQQKFApKZnJvZyBMdGQuMRQwEgYDVQQDFAsqLmpmcm9nLm9y
      ZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALlueJsw1g+Vp05X/6E0
      XrFZE617RumstSbYr0E5wM+oXOmgsQL6aHQf6mScY6QZ4ur1OXQeFrxNM2hb93mX
      /jJQR0AaYT0JAPrLVS2uS2iX701QHbhYvEL0WmG0bMAKH/T2B+JbHRvZnKh2+0q1
      NMudM2y9sPmN01kF0mwov+1MkrOBBL9wLM57nYDNZVMv70EM15HlBC/MFmkA5k0H
      tJag31PgYtjqgiDQe6ic4NueTpmD4u+6dulaNO/mg6n/O5aie9eJ7AZkUMhaFtLe
      PB4dhfbV/RR68k/a2oj5WuUnJhWu43UTTYqGVc8MgWVk4Cm9NP8c7JFmb3ibCE4L
      MKcCAwEAAaOCAawwggGoMCEGA1UdEQQaMBiCCyouamZyb2cub3JngglqZnJvZy5v
      cmcwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAwKwYDVR0fBCQwIjAgoB6gHIYa
      aHR0cDovL2duLnN5bWNiLmNvbS9nbi5jcmwwgaEGA1UdIASBmTCBljCBkwYKYIZI
      AYb4RQEHNjCBhDA/BggrBgEFBQcCARYzaHR0cHM6Ly93d3cuZ2VvdHJ1c3QuY29t
      L3Jlc291cmNlcy9yZXBvc2l0b3J5L2xlZ2FsMEEGCCsGAQUFBwICMDUMM2h0dHBz
      Oi8vd3d3Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeS9sZWdhbDAd
      BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAU0m/3lvSF
      P3I8MH0j2oV4m6N8WnwwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzABhhNodHRw
      Oi8vZ24uc3ltY2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vZ24uc3ltY2IuY29t
      L2duLmNydDANBgkqhkiG9w0BAQsFAAOCAQEAgskg2K9U+Fe9WijmHsWbO3yELDwt
      BLdkmJSImlb1Ok0I4u/hA9JoUO4CVAxTYrE5vn81+MyfSjE5xlvCYenrc+BLK3D8
      khC6JL5DJq63+7JPFHgdmSVjRovXEUbEE4Bc+adcYYj5pGW3pI3AdqMSB3vZAKNl
      580a2dQjBDzmVs9vp1E21aIACc+l80SMdCU7PTcENm1Wsso9IdYb7raZwloOlyr3
      5PLyqyTJC/getVceSIOP7tliyzJDYjUg0Xxei78FuXs2XRQo8ZmjRLKGzngHdZKg
      hJpb/ERmhN6bmVAp5tORSzFbwRXB9oSTMWSuWSjPwHuZix0aOsQ/LDbiYA==
      ----END CERTIFICATE----
      1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
      i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
      ----BEGIN CERTIFICATE----
      MIIETzCCAzegAwIBAgIDAjpvMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
      MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
      YWwgQ0EwHhcNMTMxMTA1MjEzNjUwWhcNMjIwNTIwMjEzNjUwWjBEMQswCQYDVQQG
      EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UEAxMUR2VvVHJ1c3Qg
      U1NMIENBIC0gRzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDjvn4K
      hqPPa209K6GXrUkkTdd3uTR5CKWeop7eRxKSPX7qGYax6E89X/fQp3eaWx8KA7UZ
      U9ulIZRpY51qTJEMEEe+EfpshiW3qwRoQjgJZfAU2hme+msLq2LvjafvY3AjqK+B
      89FuiGdT7BKkKXWKp/JXPaKDmJfyCn3U50NuMHhiIllZuHEnRaoPZsZVP/oyFysx
      j0ag+mkUfJ2fWuLrM04QprPtd2PYw5703d95mnrU7t7dmszDt6ldzBE6B7tvl6QB
      I0eVH6N3+liSxsfQvc+TGEK3fveeZerVO8rtrMVwof7UEJrwEgRErBpbeFBFV0xv
      vYDLgVwts7x2oR5lAgMBAAGjggFKMIIBRjAfBgNVHSMEGDAWgBTAephojYn7qwVk
      DBF9qn1luMrMTjAdBgNVHQ4EFgQU0m/3lvSFP3I8MH0j2oV4m6N8WnwwEgYDVR0T
      AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNgYDVR0fBC8wLTAroCmgJ4Yl
      aHR0cDovL2cxLnN5bWNiLmNvbS9jcmxzL2d0Z2xvYmFsLmNybDAvBggrBgEFBQcB
      AQQjMCEwHwYIKwYBBQUHMAGGE2h0dHA6Ly9nMi5zeW1jYi5jb20wTAYDVR0gBEUw
      QzBBBgpghkgBhvhFAQc2MDMwMQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuZ2VvdHJ1
      c3QuY29tL3Jlc291cmNlcy9jcHMwKQYDVR0RBCIwIKQeMBwxGjAYBgNVBAMTEVN5
      bWFudGVjUEtJLTEtNTM5MA0GCSqGSIb3DQEBCwUAA4IBAQCg1Pcs+3QLf2TxzUNq
      n2JTHAJ8mJCi7k9o1CAacxI+d7NQ63K87oi+fxfqd4+DYZVPhKHLMk9sIb7SaZZ9
      Y73cK6gf0BOEcP72NZWJ+aZ3sEbIu7cT9clgadZM/tKO79NgwYCA4ef7i28heUrg
      3Kkbwbf7w0lZXLV3B0TUl/xJAIlvBk4BcBmsLxHA4uYPL4ZLjXvDuacu9PGsFj45
      SVGeF0tPEDpbpaiSb/361gsDTUdWVxnzy2v189bPsPX1oxHSIFMTNDcFLENaY9+N
      QNaFHlHpURceA1bJ8TCt55sRornQMYGbaLHZ6PPmlH7HrhMvh+3QJbBo+d4IWvMp
      zNSS
      ----END CERTIFICATE----
      2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
      i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
      ----BEGIN CERTIFICATE----
      MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
      MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
      aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
      WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
      AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
      CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
      OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
      T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
      JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
      Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
      PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
      aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
      TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
      LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
      BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
      dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
      AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
      NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
      b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
      ----END CERTIFICATE----
      3 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
      i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
      ----BEGIN CERTIFICATE----
      MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
      UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy
      dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1
      MVowTjELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0VxdWlmYXgxLTArBgNVBAsTJEVx
      dWlmYXggU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eTCBnzANBgkqhkiG9w0B
      AQEFAAOBjQAwgYkCgYEAwV2xWGcIYu6gmi0fCG2RFGiYCh7+2gRvE4RiIcPRfM6f
      BeC4AfBONOziipUEZKzxa1NfBbPLZ4C/QgKO/t0BCezhABRP/PvwDN1Dulsr4R+A
      cJkVV5MW8Q+XarfCaCMczE1ZMKxRHjuvK9buY0V7xdlfUNLjUA86iOe/FP3gx7kC
      AwEAAaOCAQkwggEFMHAGA1UdHwRpMGcwZaBjoGGkXzBdMQswCQYDVQQGEwJVUzEQ
      MA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2VydGlm
      aWNhdGUgQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMBoGA1UdEAQTMBGBDzIwMTgw
      ODIyMTY0MTUxWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAUSOZo+SvSspXXR9gj
      IBBPM5iQn9QwHQYDVR0OBBYEFEjmaPkr0rKV10fYIyAQTzOYkJ/UMAwGA1UdEwQF
      MAMBAf8wGgYJKoZIhvZ9B0EABA0wCxsFVjMuMGMDAgbAMA0GCSqGSIb3DQEBBQUA
      A4GBAFjOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y
      7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh
      1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4
      ----END CERTIFICATE----

      Server certificate
      subject=/C=IL/ST=Israel/L=Netanya/O=Jfrog Ltd./CN=*.jfrog.org
      issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3

      No client certificate CA names sent
      Peer signing digest: SHA512
      Server Temp Key: ECDH, P-256, 256 bits

      SSL handshake has read 4714 bytes and written 327 bytes

      New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
      Server public key is 2048 bit
      Secure Renegotiation IS supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      SSL-Session:
      Protocol : TLSv1.2
      Cipher : ECDHE-RSA-AES128-GCM-SHA256
      Session-ID: E6C42ABB5F3E1E23746C6CDEC257D5A3E1EE776B5672FFECFBA08032488A1570
      Session-ID-ctx:
      Master-Key: 2A46AE21D3336D83136DFAC554407D364AE720587050896D8FB7B7FCEC130DE396BDD05649F26DE9B469D9D254480AA0
      Key-Arg : None
      Krb5 Principal: None
      PSK identity: None
      PSK identity hint: None
      TLS session ticket lifetime hint: 300 (seconds)
      TLS session ticket:
      0000 - 61 5b 25 d7 67 26 5a 92-b0 27 08 fb ca 08 c2 a9 a[%.g&Z..'......
      0010 - e4 94 2b 14 7f 86 97 ac-0d 4e 21 d7 81 79 22 e7 ..+......N!..y".
      0020 - eb aa 6c 1d db 20 54 54-6b c2 95 da a0 8c ae 82 ..l.. TTk.......
      0030 - b5 55 94 d9 dc 62 04 09-fe bf 0b d2 ed 16 7d fb .U...b........}.
      0040 - 76 a9 67 fe 27 4d 4a c5-d9 a6 04 b4 4a 2f 93 24 v.g.'MJ.....J/.$
      0050 - 4f 79 f0 26 7a b3 f6 81-3f 5b a4 57 b6 cc 2c 4c Oy.&z...?[.W..,L
      0060 - 9c cb 61 af cf 06 3e ec-61 7e 38 78 16 73 8c b9 ..a...>.a~8x.s..
      0070 - 6d 57 03 1d 80 f6 69 c6-e8 36 ac 3c 84 cd e0 a2 mW....i..6.<....
      0080 - 14 c5 36 7d 84 6f ab 1e-53 fe f6 3f f1 65 a9 eb ..6}.o..S..?.e..
      0090 - b6 6f 27 dc a1 e7 18 cf-55 cd 22 15 5b 5a 48 f7 .o'.....U.".[ZH.

      Start Time: 1456854975
      Timeout : 300 (sec)
      Verify return code: 0 (ok)

      DONE
      ```

        Attachments

          Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. INFRA-588 maven.j.o redirect does not allow Maven uploads

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. INFRA-109 Invalid certificate warning on repo-jenkins-ci.org

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

            Activity

            Ascending order - Click to sort in descending order
            Hide
            Permalink
            rtyler R. Tyler Croy added a comment -

            In my work this morning reducing load on the Apache servers which host maven.jenkins-ci.org I introduced this redirect. Previously we were using mod_proxy to send binaries from repo.jenkins-ci.org through the Apache servers (derp!).

            You've correctly linked INFRA-109. We've got an outstanding ticket with JFrog support to address this, I'll see if I can unblock some stuff here

            Show
            rtyler R. Tyler Croy added a comment - In my work this morning reducing load on the Apache servers which host maven.jenkins-ci.org I introduced this redirect. Previously we were using mod_proxy to send binaries from repo.jenkins-ci.org through the Apache servers (derp!). You've correctly linked INFRA-109 . We've got an outstanding ticket with JFrog support to address this, I'll see if I can unblock some stuff here
            Hide
            Permalink
            jhoblitt Joshua Hoblitt added a comment -

            I suspect the load has been successfully reduced...

            Show
            jhoblitt Joshua Hoblitt added a comment - I suspect the load has been successfully reduced...
            Hide
            Permalink
            rtyler R. Tyler Croy added a comment -

            Joshua Hoblitt indeed! Turns out not piping thousands of KB through mod_proxy (the worst proxy) definitely helps!

            Show
            rtyler R. Tyler Croy added a comment - Joshua Hoblitt indeed! Turns out not piping thousands of KB through mod_proxy (the worst proxy) definitely helps!
            Hide
            Permalink
            rtyler R. Tyler Croy added a comment -

            Joshua Hoblitt I went ahead and changed the protocol that we use back to HTTP, so now requesting http://maven.jenkins-ci.org will just redirect on the same (shit) protocol as the originating request.

            I believe that should address the issue for puppet-jenkins

            Show
            rtyler R. Tyler Croy added a comment - Joshua Hoblitt I went ahead and changed the protocol that we use back to HTTP, so now requesting http://maven.jenkins-ci.org will just redirect on the same (shit) protocol as the originating request. I believe that should address the issue for puppet-jenkins
            Hide
            Permalink
            jhoblitt Joshua Hoblitt added a comment -

            Which FQDN should be considered canonical?

            Show
            jhoblitt Joshua Hoblitt added a comment - Which FQDN should be considered canonical?
            Hide
            Permalink
            rtyler R. Tyler Croy added a comment -

            Joshua Hoblitt repo.jenkins-ci.org, which has been out for a while, almost as long as INFRA-109 has been running

            Show
            rtyler R. Tyler Croy added a comment - Joshua Hoblitt repo.jenkins-ci.org, which has been out for a while, almost as long as INFRA-109 has been running
            Hide
            Permalink
            rtyler R. Tyler Croy added a comment -

            repo.jenkins-ci.org has since had the appropriate certificate applied

            Show
            rtyler R. Tyler Croy added a comment - repo.jenkins-ci.org has since had the appropriate certificate applied

              People

              • Assignee:
                rtyler R. Tyler Croy
                Reporter:
                jhoblitt Joshua Hoblitt
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: