Infrastructure / INFRA-2732

We need a new yearly cert for update-center2

    Details

      Description

      00:00:30.266 Exception in thread "main" java.security.cert.CertificateExpiredException: NotAfter: Wed Oct 21 15:09:02 UTC 2020
      00:00:30.267 	at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
      00:00:30.267 	at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
      00:00:30.267 	at io.jenkins.update_center.Signer.getCertificateChain(Signer.java:180)
      00:00:30.267 	at io.jenkins.update_center.Signer.sign(Signer.java:82)
      00:00:30.267 	at io.jenkins.update_center.json.WithSignature.writeWithSignature(WithSignature.java:51)
      00:00:30.267 	at io.jenkins.update_center.json.WithSignature.encodeWithSignature(WithSignature.java:86)
      00:00:30.268 	at io.jenkins.update_center.Main.run(Main.java:247)
      00:00:30.268 	at io.jenkins.update_center.Main.run(Main.java:193)
      00:00:30.268 	at io.jenkins.update_center.Main.main(Main.java:167) 

      Like INFRA-1863, this is the yearly cert update we need.

          Activity

          danielbeck Daniel Beck created issue -
          timja Tim Jacomb added a comment -

          I've generated a new cert, but the trusted CI reverse proxy config is broken and many POST requests don't work.

          Well, the script console is the only POST that seems to work.

          And my SSH key isn't on trusted.ci.

          timja Tim Jacomb added a comment - - edited

          I downloaded the existing cert / key and ran:

          openssl x509 -x509toreq -in existing.crt -signkey update-center.key -out new.csr
          openssl x509 -req -sha256 -days 365 -in new.csr -signkey update-center.key -out update-center.cert
          

          Downloading was done with:

          import com.cloudbees.plugins.credentials.SystemCredentialsProvider
          import com.cloudbees.plugins.credentials.domains.Domain
          import java.util.zip.ZipInputStream

          // Script-console snippet: dump every entry of the 'update-center-signing'
          // file credential (a zip holding the certificate and the private key).
          // Each line is printed on its own line so the PEM can be pasted into a
          // file as-is. The output contains the private key in the clear, so only
          // run this on a console you trust and clear the output afterwards.
          def store = SystemCredentialsProvider.getInstance().getStore()

          for (credential in store.getCredentials(Domain.global())) {
            if (credential.getId() != 'update-center-signing') continue

            def zip = new ZipInputStream(credential.getContent())
            def entry
            // ZipInputStream signals end-of-entry as EOF, so a fresh Scanner per
            // entry reads exactly that entry's contents.
            while ((entry = zip.getNextEntry()) != null) {
              println("---- ${entry.name} ----")
              def sc = new Scanner(zip)
              while (sc.hasNextLine()) {
                println(sc.nextLine())
              }
              println()
            }
          }
          danielbeck Daniel Beck added a comment -

          > many POST requests don't work.

          The requests themselves should work, the redirects that follow don't.

          timja Tim Jacomb added a comment -

          OK, apparently there's a specific root for this; docs are here:
          https://github.com/jenkins-infra/update-center2/tree/master/resources/certificates, with an improvement PR pending Oleg's approval since May at https://github.com/jenkins-infra/update-center2/pull/379

          oleg_nenashev Oleg Nenashev added a comment -

          I do not have bandwidth to properly test the certificate in https://github.com/jenkins-infra/update-center2/pull/379/files as Daniel Beck asked a while ago. TL;DR: I have no mental power to work on the infrastructure bits and to do them properly at the moment, and I do not want to do a shit job. I do not provide any commitment on a proper review, but I am ready to follow the communicated steps to unblock the team.


          oleg_nenashev Oleg Nenashev added a comment -

          Status update: I have no access to the old private key, only to the new one, which is not to be used until April 2021. We need the old private key, so it does not quite work. Daniel Beck will be applying a workaround for tomorrow's release.

          danielbeck Daniel Beck added a comment -

          I reduced the expected minimum validity duration to 2 weeks for now, which means it'll blow up again on October 7.

          markewaite Mark Waite made changes -
          Assignee: (none) -> Olivier Vernin [ olblak ]
          olblak Olivier Vernin added a comment - - edited

          > Status update: I have no access to the old private key, only to the new one, which is not to be used until April 2021. We need the old private key, so it does not quite work. Daniel Beck will be applying a workaround for tomorrow's release.

          I don't understand why we need the old CA private key; the new one's validity is from Apr 8 19:57:10 2018 GMT to Apr 5 19:57:10 2028 GMT.

          danielbeck Daniel Beck added a comment -

          > I don't understand why we need

          In an email thread I wrote we "ideally" use the existing cert one more time; the reason is to maximize the time between adding the root CA to Jenkins and making it a requirement. Jenkins older than 2.117 will no longer be able to obtain update site information. Plus we wouldn't need to rush documentation of workarounds, announcements, etc.

          olblak Olivier Vernin made changes -
          Status: Open [ 1 ] -> In Progress [ 3 ]
          olblak Olivier Vernin added a comment -

          > In an email thread I wrote we "ideally" use the existing cert one more time; the reason is to maximize the time between adding the root CA to Jenkins and making it a requirement. Jenkins older than 2.117 will no longer be able to obtain update site information. Plus we wouldn't need to rush documentation of workarounds, announcements, etc.

          So what you are suggesting is to not use the new root certificate until April the 16th 2021?

          olblak Olivier Vernin added a comment -

          This would allow us to correctly warn the community that they must update their Jenkins version to a version newer than 2.117


          danielbeck Daniel Beck added a comment -

          > So what you are suggesting is to not use the new root certificate until April the 16th 2021?

          Perhaps not that long, but March/April 2021.

          timja Tim Jacomb added a comment -

          Not sure if I see the point in waiting?

          If you try to start up a Jenkins on 2.117, I highly doubt you will be able to download many plugins without dependency errors.
          Given we aren't serving an LTS update site anywhere near that old, anyone on a version like that won't be able to update plugins?

          Many of the popular plugins now require 2.164+ baselines...

          Signing with the old key just pushes the problem down the line.

          But it would work fine too...

          danielbeck Daniel Beck added a comment -

          > I highly doubt you will be able to download many plugins without dependency errors.
          > Given we aren't serving an LTS update site anywhere near that old, anyone on a version like that won't be able to update plugins?

          You won't be able to download new Jenkins core releases from inside Jenkins either ("Update automatically").

          olblak Olivier Vernin added a comment -

          I generated a new update-center certificate valid until the 16th of April 2021 (when the root CA expires), then uploaded the zip file on trusted.ci.

          olblak Olivier Vernin made changes -
          Resolution: Fixed [ 1 ]
          Status: In Progress [ 3 ] -> Resolved [ 5 ]
          olblak Olivier Vernin added a comment -

          I am reopening this as the key generated is too small

          olblak Olivier Vernin made changes -
          Resolution: Fixed [ 1 ] -> (none)
          Status: Resolved [ 5 ] -> Reopened [ 4 ]
          olblak Olivier Vernin added a comment -

          While I initially reused an old update-center key to generate the CSR and the certificate, this time I generated a new key with a length of 4096 bits, then updated trusted.ci.

          olblak Olivier Vernin made changes -
          Resolution: Fixed [ 1 ]
          Status: Reopened [ 4 ] -> Resolved [ 5 ]
          olblak Olivier Vernin added a comment -

          Bumping this ticket; it seems to be time to notify end users.

          danielbeck Daniel Beck added a comment -

          Should be a separate task, this one was resolved.


            People

            Assignee: olblak Olivier Vernin
            Reporter: danielbeck Daniel Beck
            Watchers: 5