INFRA-2684

Debian Stable repo - GPG key URL returning 503

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Component/s: core, pkg.jenkins.io
    • Labels:
    • Environment:
      Jenkins Version: Latest Stable Release
      Operating systems:
        - Ubuntu 20.04
        - Ubuntu 18.04
        - Ubuntu 16.04
        - Debian 9

      Description

      While trying to import the GPG key for debian-stable, it is returning back with a 503.

       

      For example, output of curl below:

       

      $ curl -ILv https://pkg.jenkins.io/debian-stable/jenkins.io.key
      * Trying 2a04:4e42:46::645...
      * TCP_NODELAY set
      * Connected to pkg.jenkins.io (2a04:4e42:46::645) port 443 (#0)
      * ALPN, offering h2
      * ALPN, offering http/1.1
      * successfully set certificate verify locations:
      * CAfile: /etc/ssl/certs/ca-certificates.crt
       CApath: /etc/ssl/certs
      * TLSv1.3 (OUT), TLS handshake, Client hello (1):
      * TLSv1.3 (IN), TLS handshake, Server hello (2):
      * TLSv1.2 (IN), TLS handshake, Certificate (11):
      * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
      * TLSv1.2 (IN), TLS handshake, Server finished (14):
      * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
      * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
      * TLSv1.2 (OUT), TLS handshake, Finished (20):
      * TLSv1.2 (IN), TLS handshake, Finished (20):
      * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
      * ALPN, server accepted to use h2
      * Server certificate:
      * subject: CN=pkg.jenkins.io
      * start date: Jun 21 11:44:30 2020 GMT
      * expire date: Sep 19 11:44:30 2020 GMT
      * subjectAltName: host "pkg.jenkins.io" matched cert's "pkg.jenkins.io"
      * issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
      * SSL certificate verify ok.
      * Using HTTP2, server supports multi-use
      * Connection state changed (HTTP/2 confirmed)
      * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
      * Using Stream ID: 1 (easy handle 0x562e3c396580)
      > HEAD /debian-stable/jenkins.io.key HTTP/2
      > Host: pkg.jenkins.io
      > User-Agent: curl/7.58.0
      > Accept: */*
      > 
      * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
      < HTTP/2 503 
      HTTP/2 503 
      < server: Varnish
      server: Varnish
      < retry-after: 0
      retry-after: 0
      < content-type: text/html; charset=utf-8
      content-type: text/html; charset=utf-8
      < accept-ranges: bytes
      accept-ranges: bytes
      < accept-ranges: bytes
      accept-ranges: bytes
      < date: Sun, 19 Jul 2020 03:58:16 GMT
      date: Sun, 19 Jul 2020 03:58:16 GMT
      < via: 1.1 varnish
      via: 1.1 varnish
      < x-served-by: cache-lga21965-LGA
      x-served-by: cache-lga21965-LGA
      < x-cache: MISS
      x-cache: MISS
      < x-cache-hits: 0
      x-cache-hits: 0
      < x-timer: S1595131097.886497,VS0,VE23
      x-timer: S1595131097.886497,VS0,VE23
      < strict-transport-security: max-age=300
      strict-transport-security: max-age=300
      < content-length: 464
      content-length: 464
      
      < 
      * Connection #0 to host pkg.jenkins.io left intact
      

       

      I don't particularly use Varnish, so I'm not sure what the case is, but the following, as an example, suggests a certificate installed on the origin may have expired: https://docs.fastly.com/en/guides/common-503-errors#error-503-certificate-has-expired

            Activity

            rayzr522 Peter Blood added a comment -

            Same issue here; this is preventing me from updating to get a critical security patch for Jenkins. Hope this can be fixed soon!

            dhs Dirk Heinrichs added a comment -

            Hmm, the above shows that it's a Let's Encrypt cert. Shouldn't their "certbot" renew the certificates automatically before they expire?

            agilmira Alfredo Gil Mira added a comment -

            I'm getting the same error: 

            sudo wget -O /etc/yum.repos.d/jenkins.repo https://pkg.jenkins.io/redhat-stable/jenkins.repo
            --2020-07-19 09:30:01--  https://pkg.jenkins.io/redhat-stable/jenkins.repo
            Resolving pkg.jenkins.io (pkg.jenkins.io)... 199.232.26.133, 2a04:4e42:43::645
            Connecting to pkg.jenkins.io (pkg.jenkins.io)|199.232.26.133|:443... connected.
            HTTP request sent, awaiting response... 503 Backend unavailable, connection timeout
            2020-07-19 09:30:02 ERROR 503: Backend unavailable, connection timeout.

             

            curl -ILv https://pkg.jenkins.io/debian-stable/jenkins.io.key
            * Trying 199.232.26.133...
            * TCP_NODELAY set
            * Connected to pkg.jenkins.io (199.232.26.133) port 443 (#0)
            * ALPN, offering h2
            * ALPN, offering http/1.1
            * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
            * successfully set certificate verify locations:
            * CAfile: /etc/pki/tls/certs/ca-bundle.crt
              CApath: none
            * TLSv1.2 (OUT), TLS header, Certificate Status (22):
            * TLSv1.2 (OUT), TLS handshake, Client hello (1):
            * TLSv1.2 (IN), TLS handshake, Server hello (2):
            * TLSv1.2 (IN), TLS handshake, Certificate (11):
            * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
            * TLSv1.2 (IN), TLS handshake, Server finished (14):
            * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
            * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
            * TLSv1.2 (OUT), TLS handshake, Finished (20):
            * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
            * TLSv1.2 (IN), TLS handshake, Finished (20):
            * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
            * ALPN, server accepted to use h2
            * Server certificate:
            * subject: CN=pkg.jenkins.io
            * start date: Jun 21 11:44:30 2020 GMT
            * expire date: Sep 19 11:44:30 2020 GMT
            * subjectAltName: host "pkg.jenkins.io" matched cert's "pkg.jenkins.io"
            * issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
            * SSL certificate verify ok.
            * Using HTTP2, server supports multi-use
            * Connection state changed (HTTP/2 confirmed)
            * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
            * Using Stream ID: 1 (easy handle 0x8dcb90)
            > HEAD /debian-stable/jenkins.io.key HTTP/2
            > Host: pkg.jenkins.io
            > User-Agent: curl/7.61.1
            > Accept: */*
            >
            * Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
            < HTTP/2 503
            HTTP/2 503
            < server: Varnish
            server: Varnish
            < retry-after: 0
            retry-after: 0
            < content-type: text/html; charset=utf-8
            content-type: text/html; charset=utf-8
            < accept-ranges: bytes
            accept-ranges: bytes
            < accept-ranges: bytes
            accept-ranges: bytes
            < date: Sun, 19 Jul 2020 09:30:32 GMT
            date: Sun, 19 Jul 2020 09:30:32 GMT
            < via: 1.1 varnish
            via: 1.1 varnish
            < x-served-by: cache-dub4346-DUB
            x-served-by: cache-dub4346-DUB
            < x-cache: MISS
            x-cache: MISS
            < x-cache-hits: 0
            x-cache-hits: 0
            < x-timer: S1595151031.046343,VS0,VE1469
            x-timer: S1595151031.046343,VS0,VE1469
            < strict-transport-security: max-age=300
            strict-transport-security: max-age=300
            < content-length: 463
            content-length: 463

            <
            * Connection #0 to host pkg.jenkins.io left intact
            rpofuk Robert Pofuk added a comment -

            Same thing for latest: https://pkg.jenkins.io/debian/jenkins.io.key

            oleg_nenashev Oleg Nenashev added a comment -

            FTR https://groups.google.com/forum/#!topic/jenkins-infra/6J471_Q-kko. The issue should be fixed now.

            markewaite Mark Waite added a comment -

            Confirmed fixed on the day it was reported.

            Still need to add SSL certificate expiration monitoring for pkg.origin.jenkins.io as we are monitoring for other SSL certificate expiration.

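
The expiration monitoring mentioned in the last comment, as an added example (not Jenkins infrastructure code). Both curl traces show a valid certificate on pkg.jenkins.io while the request still returns 503, so the check has to be pointed at the origin hostname itself. The function names, the 21-day warning threshold and the state labels are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

def days_left(not_after, now):
    """Whole days between `now` and a certificate notAfter string such as
    'Sep 19 11:44:30 2020 GMT' (the format curl and getpeercert() report)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days

def classify(not_after, now, warn_days=21):
    """Map remaining lifetime to a monitoring state (threshold is an assumption)."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "EXPIRED"
    return "WARN" if remaining < warn_days else "OK"

def check_host(host, port=443, warn_days=21, timeout=10):
    """Connect to `host` directly (the origin, not the CDN name in front of it)
    and return (state, detail). Needs network access."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An already-expired certificate fails the handshake, so report it
        # as a finding instead of letting the check crash.
        return "INVALID", exc.verify_message
    except OSError as exc:
        return "UNREACHABLE", str(exc)
    return classify(not_after, datetime.now(timezone.utc), warn_days), not_after

# Constructed sample: the edge certificate expiry and the response date
# taken from the first curl trace on this page.
EDGE_NOT_AFTER = "Sep 19 11:44:30 2020 GMT"
REPORTED = datetime(2020, 7, 19, 3, 58, 16, tzinfo=timezone.utc)

if __name__ == "__main__":
    # The edge certificate was healthy on the day of the outage.
    print("edge cert on the report date:", classify(EDGE_NOT_AFTER, REPORTED))
```

Run `check_host()` from a scheduler against each origin hostname and alert on any state other than `OK`.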

              People

              Assignee: Unassigned
              Reporter: darkwizard242 Ali Muhammad
              Votes: 3
              Watchers: 7