Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-32376

Private certifacates doesn't work with server-based download (Jenkins >= 1.557)

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Critical
    • Resolution: Fixed
    • Labels:
      None
    • Environment:
      update-sites-manager 1.0.1
      Jenkins >= 1.557 (affected depending on configurations)
      Jenkins >= 1.600, 1.596.1 (affected by default)
    • Similar Issues:

      Description

      • Jenkins 1.557 introduced server-based download of lists of plugins. (1ac7775, 33d88c0, )
        • This feature is enabled when disable "Download Preferences > Use Browser" in the system configurqation.
      • This feature is enabled by default since Jenkins 1.600 and Jenkins 1.596.1. (6b71fac)

      Access to updater centers requiring private CA certificates fails with

      Jan 10, 2016 9:42:31 AM hudson.model.UpdateSite updateData
      INFO: Obtained the latest update center data file for UpdateSource default
      Jan 10, 2016 9:42:31 AM hudson.model.UpdateSite updateData
      SEVERE: ERROR: Signature verification failed in update site &#039;ikedam-update-center&#039; <a href='#' class='showDetails'>(show details)
      yle='display:none'>java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
              at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:208)
              at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
              at org.jvnet.hudson.crypto.CertificateUtil.validatePath(CertificateUtil.java:93)
              at jenkins.util.JSONSignatureValidator.verifySignature(JSONSignatureValidator.java:92)
              at hudson.model.UpdateSite.verifySignature(UpdateSite.java:221)
              at hudson.model.UpdateSite.updateData(UpdateSite.java:200)
              at hudson.model.UpdateSite.updateDirectlyNow(UpdateSite.java:170)
              at hudson.PluginManager.doCheckUpdatesServer(PluginManager.java:824)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:606)
              at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
              at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:46)
              at org.kohsuke.stapler.Function$InterceptedFunction.invoke(Function.java:399)
              at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
              at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
              at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:120)
              at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
              at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
              at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
              at org.kohsuke.stapler.MetaClass$3.doDispatch(MetaClass.java:182)
              at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
              at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
              at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
              at org.kohsuke.stapler.Stapler.invoke(Stapler.java:631)
              at org.kohsuke.stapler.Stapler.service(Stapler.java:225)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
              at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
              at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
              at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:96)
              at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:88)
              at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
              at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:48)
              at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
              at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
              at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
              at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
              at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
              at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
              at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
              at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
              at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
              at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
              at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
              at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
              at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
              at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
              at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
              at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
              at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
              at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
              at org.eclipse.jetty.server.Server.handle(Server.java:370)
              at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
              at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)
              at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)
              at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
              at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
              at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
              at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
              at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
              at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
              at java.lang.Thread.run(Thread.java:745)
      

        Attachments

          Issue Links

            Activity

            Hide
            danielbeck Daniel Beck added a comment -

            To clarify, this also happens when specifying a certification with the custom update site?

            Show
            danielbeck Daniel Beck added a comment - To clarify, this also happens when specifying a certification with the custom update site?
            Hide
            ikedam ikedam added a comment -

            > To clarify, this also happens when specifying a certification with the custom update site?

            Exactly.
            The process injecting the specified certificate isn't performed in server-based download.
            That process is implemented as wrapper of UpdateSite#doPostBack, which is for client-based download and not invoked for server-based download.

            Show
            ikedam ikedam added a comment - > To clarify, this also happens when specifying a certification with the custom update site? Exactly. The process injecting the specified certificate isn't performed in server-based download. That process is implemented as wrapper of UpdateSite#doPostBack , which is for client-based download and not invoked for server-based download.
            Show
            ikedam ikedam added a comment - https://github.com/jenkinsci/update-sites-manager-plugin/pull/3 https://github.com/jenkinsci/update-sites-manager-plugin/pull/5
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            pom.xml
            src/main/java/jp/ikedam/jenkins/plugins/updatesitesmanager/internal/ExtendedCertJsonSignValidator.java
            src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/DescribedUpdateSiteJenkinsTest.java
            src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSiteJenkinsTest.java
            src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/UpdateSitesManagerJenkinsTest.java
            src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/internal/ExtendedCertJsonSignValidatorTest.java
            http://jenkins-ci.org/commit/update-sites-manager-plugin/d5d4f7ebd550bd015a35e224edcfea21f81417f0
            Log:
            JENKINS-32376 Changed the target to the least LTS 1.596.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: ikedam Path: pom.xml src/main/java/jp/ikedam/jenkins/plugins/updatesitesmanager/internal/ExtendedCertJsonSignValidator.java src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/DescribedUpdateSiteJenkinsTest.java src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSiteJenkinsTest.java src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/UpdateSitesManagerJenkinsTest.java src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/internal/ExtendedCertJsonSignValidatorTest.java http://jenkins-ci.org/commit/update-sites-manager-plugin/d5d4f7ebd550bd015a35e224edcfea21f81417f0 Log: JENKINS-32376 Changed the target to the least LTS 1.596.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSiteJenkinsTest.java
            http://jenkins-ci.org/commit/update-sites-manager-plugin/a4e9b85239b415f3a66776f7d8e93111c1aabec4
            Log:
            JENKINS-32376 Integration tests with client-based download and server-based download.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: ikedam Path: src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSiteJenkinsTest.java http://jenkins-ci.org/commit/update-sites-manager-plugin/a4e9b85239b415f3a66776f7d8e93111c1aabec4 Log: JENKINS-32376 Integration tests with client-based download and server-based download.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            pom.xml
            src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSiteJenkinsTest.java
            http://jenkins-ci.org/commit/update-sites-manager-plugin/cf71b464e80372ff906e0d81d5113d6f4e4b2892
            Log:
            JENKINS-32376 Jenkins < 1.600 have a problem with the server-side download feature (Downloadable refers URLs without signatures) and cannot test the behavior. I decided to target 1.609.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: ikedam Path: pom.xml src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSiteJenkinsTest.java http://jenkins-ci.org/commit/update-sites-manager-plugin/cf71b464e80372ff906e0d81d5113d6f4e4b2892 Log: JENKINS-32376 Jenkins < 1.600 have a problem with the server-side download feature (Downloadable refers URLs without signatures) and cannot test the behavior. I decided to target 1.609.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: ikedam
            Path:
            pom.xml
            src/main/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSite.java
            src/main/java/jp/ikedam/jenkins/plugins/updatesitesmanager/internal/ExtendedCertJsonSignValidator.java
            src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSiteJenkinsTest.java
            src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/UpdateSitesManagerJenkinsTest.java
            src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/internal/ExtendedCertJsonSignValidatorTest.java
            http://jenkins-ci.org/commit/update-sites-manager-plugin/45819d10f539ca6afe4cf51386efdab9db04ad25
            Log:
            Merge pull request #5 from ikedam/feature/JENKIS-32376_ServerBasedDownloading

            [FIXED JENKINS-32376] Supports server-based downloading

            Compare: https://github.com/jenkinsci/update-sites-manager-plugin/compare/b8bfa335c508...45819d10f539

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: ikedam Path: pom.xml src/main/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSite.java src/main/java/jp/ikedam/jenkins/plugins/updatesitesmanager/internal/ExtendedCertJsonSignValidator.java src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSiteJenkinsTest.java src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/UpdateSitesManagerJenkinsTest.java src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/internal/ExtendedCertJsonSignValidatorTest.java http://jenkins-ci.org/commit/update-sites-manager-plugin/45819d10f539ca6afe4cf51386efdab9db04ad25 Log: Merge pull request #5 from ikedam/feature/JENKIS-32376_ServerBasedDownloading [FIXED JENKINS-32376] Supports server-based downloading Compare: https://github.com/jenkinsci/update-sites-manager-plugin/compare/b8bfa335c508...45819d10f539
            Hide
            ikedam ikedam added a comment -

            Fixed in update-sites-manager-2.0.0.
            It will be available in the update center in a day.

            Show
            ikedam ikedam added a comment - Fixed in update-sites-manager-2.0.0. It will be available in the update center in a day.

              People

              • Assignee:
                ikedam ikedam
                Reporter:
                ikedam ikedam
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: