Details
-
Bug
-
Status: Resolved (View Workflow)
-
Major
-
Resolution: Fixed
-
None
-
Jenkins 1.543, Jenkins 1.554-SNAPSHOT
Description
After installing jenkis, I am getting the following exception. It seems that the server certificate has expired.
Attempting to reconnect slave
2 27, 2014 9:57:02 午後 致命的 hudson.model.DownloadService$Downloadable doPostBack
Signature verification failed in downloadable 'hudson.tools.JDKInstaller'
java.security.cert.CertPathValidatorException: timestamp check failed
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:330)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
at org.jvnet.hudson.crypto.CertificateUtil.validatePath(CertificateUtil.java:93)
at jenkins.util.JSONSignatureValidator.verifySignature(JSONSignatureValidator.java:92)
at hudson.model.DownloadService$Downloadable.doPostBack(DownloadService.java:258)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:120)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
at org.kohsuke.stapler.MetaClass$6.doDispatch(MetaClass.java:248)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
at org.kohsuke.stapler.MetaClass$12.dispatch(MetaClass.java:390)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:210)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:631)
at org.kohsuke.stapler.Stapler.service(Stapler.java:225)
at javax.servlet.http.HttpServlet.service(Unknown Source)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:96)
at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:203)
at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:181)
at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:86)
at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:90)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:99)
at com.cloudbees.jenkins.support.SupportMetricsFilter.doFilter(SupportMetricsFilter.java:105)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:99)
at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:88)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:48)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:174)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:64)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
at org.apache.catalina.core.StandardWrapperValve.invoke(Unknown Source)
at org.apache.catalina.core.StandardContextValve.invoke(Unknown Source)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Unknown Source)
at org.apache.catalina.core.StandardHostValve.invoke(Unknown Source)
at org.apache.catalina.valves.ErrorReportValve.invoke(Unknown Source)
at org.apache.catalina.core.StandardEngineValve.invoke(Unknown Source)
at org.apache.catalina.connector.CoyoteAdapter.service(Unknown Source)
at org.apache.coyote.ajp.AjpAprProcessor.process(Unknown Source)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(Unknown Source)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
at java.lang.Thread.run(Thread.java:662)
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu Feb 27 04:21:29 JST 2014
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:256)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:568)
at sun.security.provider.certpath.BasicChecker.verifyTimestamp(BasicChecker.java:157)
at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:109)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:117)
... 88 more
Attachments
Issue Links
- is blocking
-
-
- Resolved
-
Activity
Presumably the tool installer json files are signed with wrong certificates
Mirror triggered. Should propagate across mirrors in an hour or so. I'll come back and verify.
Still broken in LTS. Checked in a fresh 1.532.2 installation (UC was OK but tool installations were not).
Also UpdateSiteTest.updateDirectlyWithJson is failing, since it is using a downloaded copy of data, which I can fix.
Additionally, JENKINS-19081 requires that the JSONP form of tool installer metadata include signature blocks. Currently signature blocks are available in the HTML (postMessage) variants of tool installer metadata files, and both JSONP and HTML variants of the update center.
Code changed in jenkins
User: Jesse Glick
Path:
test/src/test/java/hudson/model/UpdateCenterTest.java
http://jenkins-ci.org/commit/jenkins/c87b7daf79f8613de7bfd3ee6745f66d5d1a14a3
Log:
JENKINS-21984 Checking stable UC as well. Cannot reproduce certificate problem in test.
Code changed in jenkins
User: Jesse Glick
Path:
test/src/test/java/hudson/model/UpdateSiteTest.java
http://jenkins-ci.org/commit/jenkins/334ce1be691c96ad63642c8301c4f0417a0705c3
Log:
JENKINS-21984 Disabling cert check on updateDirectlyWithJson since the certificate is now expired, and it is no good to have a test which is known to start failing at a particular time in the future!
Compare: https://github.com/jenkinsci/jenkins/compare/a0d6e5286d94...334ce1be691c
Ah, of course: UpdateCenterTest checks only UC metadata, whereas it is tool installer metadata which appears to still have a bad signature. Would need a new test for that.
Integrated in 
jenkins_main_trunk #3203
JENKINS-21984 Checking stable UC as well. Cannot reproduce certificate problem in test. (Revision c87b7daf79f8613de7bfd3ee6745f66d5d1a14a3)
JENKINS-21984 Disabling cert check on updateDirectlyWithJson since the certificate is now expired, and it is no good to have a test which is known to start failing at a particular time in the future! (Revision 334ce1be691c96ad63642c8301c4f0417a0705c3)
Result = SUCCESS
Jesse Glick : c87b7daf79f8613de7bfd3ee6745f66d5d1a14a3
Files :
- test/src/test/java/hudson/model/UpdateCenterTest.java
Jesse Glick : 334ce1be691c96ad63642c8301c4f0417a0705c3
Files :
- test/src/test/java/hudson/model/UpdateSiteTest.java
Code changed in jenkins
User: Jesse Glick
Path:
test/src/test/java/hudson/model/UpdateSiteTest.java
http://jenkins-ci.org/commit/jenkins/1d29041372aeb77cab5a6aa4ce758ba5133c2f51
Log:
JENKINS-21984 Disabling cert check on updateDirectlyWithJson since the certificate is now expired, and it is no good to have a test which is known to start failing at a particular time in the future!
(cherry picked from commit 334ce1be691c96ad63642c8301c4f0417a0705c3)
Integrated in jenkins_main_trunk #3715
JENKINS-21984 Disabling cert check on updateDirectlyWithJson since the certificate is now expired, and it is no good to have a test which is known to start failing at a particular time in the future! (Revision 1d29041372aeb77cab5a6aa4ce758ba5133c2f51)
Result = SUCCESS
Jesse Glick : 1d29041372aeb77cab5a6aa4ce758ba5133c2f51
Files :
- test/src/test/java/hudson/model/UpdateSiteTest.java
Missing signature blocks is an unrelated issue (related to JENKINS-15105), so reclosing.
Yes, and the corresponding functional tests are failing too.