Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-21984

java.security.cert.CertificateExpiredException: NotAfter: Thu Feb 27 04:21:29 JST 2014

    XMLWordPrintable

Details

    • Bug
    • Status: Resolved (View Workflow)
    • Major
    • Resolution: Fixed
    • core
    • None
    • Jenkins 1.543, Jenkins 1.554-SNAPSHOT

    Description

      After installing jenkis, I am getting the following exception. It seems that the server certificate has expired.

      Attempting to reconnect slave
      2 27, 2014 9:57:02 午後 致命的 hudson.model.DownloadService$Downloadable doPostBack
      Signature verification failed in downloadable 'hudson.tools.JDKInstaller'
      java.security.cert.CertPathValidatorException: timestamp check failed
      at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
      at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:330)
      at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
      at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
      at org.jvnet.hudson.crypto.CertificateUtil.validatePath(CertificateUtil.java:93)
      at jenkins.util.JSONSignatureValidator.verifySignature(JSONSignatureValidator.java:92)
      at hudson.model.DownloadService$Downloadable.doPostBack(DownloadService.java:258)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
      at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
      at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
      at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:120)
      at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
      at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
      at org.kohsuke.stapler.MetaClass$6.doDispatch(MetaClass.java:248)
      at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
      at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
      at org.kohsuke.stapler.MetaClass$12.dispatch(MetaClass.java:390)
      at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
      at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:210)
      at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
      at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:631)
      at org.kohsuke.stapler.Stapler.service(Stapler.java:225)
      at javax.servlet.http.HttpServlet.service(Unknown Source)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
      at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:96)
      at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:203)
      at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:181)
      at net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:86)
      at org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:90)
      at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:99)
      at com.cloudbees.jenkins.support.SupportMetricsFilter.doFilter(SupportMetricsFilter.java:105)
      at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:99)
      at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:88)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
      at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:48)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
      at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:174)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:64)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
      at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
      at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
      at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
      at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
      at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Unknown Source)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(Unknown Source)
      at org.apache.catalina.core.StandardWrapperValve.invoke(Unknown Source)
      at org.apache.catalina.core.StandardContextValve.invoke(Unknown Source)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(Unknown Source)
      at org.apache.catalina.core.StandardHostValve.invoke(Unknown Source)
      at org.apache.catalina.valves.ErrorReportValve.invoke(Unknown Source)
      at org.apache.catalina.core.StandardEngineValve.invoke(Unknown Source)
      at org.apache.catalina.connector.CoyoteAdapter.service(Unknown Source)
      at org.apache.coyote.ajp.AjpAprProcessor.process(Unknown Source)
      at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(Unknown Source)
      at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(Unknown Source)
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
      at java.lang.Thread.run(Thread.java:662)
      Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu Feb 27 04:21:29 JST 2014
      at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:256)
      at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:568)
      at sun.security.provider.certpath.BasicChecker.verifyTimestamp(BasicChecker.java:157)
      at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:109)
      at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:117)
      ... 88 more

      Attachments

        Issue Links

          Activity

            sogabe sogabe created issue -
            jglick Jesse Glick added a comment -

            Yes, and the corresponding functional tests are failing too.

            jglick Jesse Glick added a comment - Yes, and the corresponding functional tests are failing too.
            kohsuke Kohsuke Kawaguchi made changes -
            Field Original Value New Value
            Assignee Kohsuke Kawaguchi [ kohsuke ]

            Presumably the tool installer json files are signed with wrong certificates

            kohsuke Kohsuke Kawaguchi added a comment - Presumably the tool installer json files are signed with wrong certificates
            danielbeck Daniel Beck added a comment - - edited

            (my apologies, shouldn't be commenting while sick)

            danielbeck Daniel Beck added a comment - - edited (my apologies, shouldn't be commenting while sick)
            kohsuke Kohsuke Kawaguchi made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            kohsuke Kohsuke Kawaguchi added a comment - https://updates.jenkins-ci.org/updates/ regenerated

            Mirror triggered. Should propagate across mirrors in an hour or so. I'll come back and verify.

            kohsuke Kohsuke Kawaguchi added a comment - Mirror triggered. Should propagate across mirrors in an hour or so. I'll come back and verify.

            Verified the fix with a fresh installation

            kohsuke Kohsuke Kawaguchi added a comment - Verified the fix with a fresh installation
            kohsuke Kohsuke Kawaguchi made changes -
            Resolution Fixed [ 1 ]
            Status In Progress [ 3 ] Resolved [ 5 ]
            jglick Jesse Glick added a comment -

            Still broken in LTS. Checked in a fresh 1.532.2 installation (UC was OK but tool installations were not).

            Also UpdateSiteTest.updateDirectlyWithJson is failing, since it is using a downloaded copy of data, which I can fix.

            jglick Jesse Glick added a comment - Still broken in LTS. Checked in a fresh 1.532.2 installation (UC was OK but tool installations were not). Also UpdateSiteTest.updateDirectlyWithJson is failing, since it is using a downloaded copy of data, which I can fix.
            jglick Jesse Glick made changes -
            Resolution Fixed [ 1 ]
            Status Resolved [ 5 ] Reopened [ 4 ]
            jglick Jesse Glick added a comment -

            Additionally, JENKINS-19081 requires that the JSONP form of tool installer metadata include signature blocks. Currently signature blocks are available in the HTML (postMessage) variants of tool installer metadata files, and both JSONP and HTML variants of the update center.

            jglick Jesse Glick added a comment - Additionally, JENKINS-19081 requires that the JSONP form of tool installer metadata include signature blocks. Currently signature blocks are available in the HTML ( postMessage ) variants of tool installer metadata files, and both JSONP and HTML variants of the update center.
            jglick Jesse Glick made changes -
            Link This issue is blocking JENKINS-19081 [ JENKINS-19081 ]

            Code changed in jenkins
            User: Jesse Glick
            Path:
            test/src/test/java/hudson/model/UpdateCenterTest.java
            http://jenkins-ci.org/commit/jenkins/c87b7daf79f8613de7bfd3ee6745f66d5d1a14a3
            Log:
            JENKINS-21984 Checking stable UC as well. Cannot reproduce certificate problem in test.

            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: test/src/test/java/hudson/model/UpdateCenterTest.java http://jenkins-ci.org/commit/jenkins/c87b7daf79f8613de7bfd3ee6745f66d5d1a14a3 Log: JENKINS-21984 Checking stable UC as well. Cannot reproduce certificate problem in test.

            Code changed in jenkins
            User: Jesse Glick
            Path:
            test/src/test/java/hudson/model/UpdateSiteTest.java
            http://jenkins-ci.org/commit/jenkins/334ce1be691c96ad63642c8301c4f0417a0705c3
            Log:
            JENKINS-21984 Disabling cert check on updateDirectlyWithJson since the certificate is now expired, and it is no good to have a test which is known to start failing at a particular time in the future!

            Compare: https://github.com/jenkinsci/jenkins/compare/a0d6e5286d94...334ce1be691c

            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: test/src/test/java/hudson/model/UpdateSiteTest.java http://jenkins-ci.org/commit/jenkins/334ce1be691c96ad63642c8301c4f0417a0705c3 Log: JENKINS-21984 Disabling cert check on updateDirectlyWithJson since the certificate is now expired, and it is no good to have a test which is known to start failing at a particular time in the future! Compare: https://github.com/jenkinsci/jenkins/compare/a0d6e5286d94...334ce1be691c
            jglick Jesse Glick added a comment -

            Ah, of course: UpdateCenterTest checks only UC metadata, whereas it is tool installer metadata which appears to still have a bad signature. Would need a new test for that.

            jglick Jesse Glick added a comment - Ah, of course: UpdateCenterTest checks only UC metadata, whereas it is tool installer metadata which appears to still have a bad signature. Would need a new test for that.
            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #3203
            JENKINS-21984 Checking stable UC as well. Cannot reproduce certificate problem in test. (Revision c87b7daf79f8613de7bfd3ee6745f66d5d1a14a3)
            JENKINS-21984 Disabling cert check on updateDirectlyWithJson since the certificate is now expired, and it is no good to have a test which is known to start failing at a particular time in the future! (Revision 334ce1be691c96ad63642c8301c4f0417a0705c3)

            Result = SUCCESS
            Jesse Glick : c87b7daf79f8613de7bfd3ee6745f66d5d1a14a3
            Files :

            • test/src/test/java/hudson/model/UpdateCenterTest.java

            Jesse Glick : 334ce1be691c96ad63642c8301c4f0417a0705c3
            Files :

            • test/src/test/java/hudson/model/UpdateSiteTest.java
            dogfood dogfood added a comment - Integrated in jenkins_main_trunk #3203 JENKINS-21984 Checking stable UC as well. Cannot reproduce certificate problem in test. (Revision c87b7daf79f8613de7bfd3ee6745f66d5d1a14a3) JENKINS-21984 Disabling cert check on updateDirectlyWithJson since the certificate is now expired, and it is no good to have a test which is known to start failing at a particular time in the future! (Revision 334ce1be691c96ad63642c8301c4f0417a0705c3) Result = SUCCESS Jesse Glick : c87b7daf79f8613de7bfd3ee6745f66d5d1a14a3 Files : test/src/test/java/hudson/model/UpdateCenterTest.java Jesse Glick : 334ce1be691c96ad63642c8301c4f0417a0705c3 Files : test/src/test/java/hudson/model/UpdateSiteTest.java

            Code changed in jenkins
            User: Jesse Glick
            Path:
            test/src/test/java/hudson/model/UpdateSiteTest.java
            http://jenkins-ci.org/commit/jenkins/1d29041372aeb77cab5a6aa4ce758ba5133c2f51
            Log:
            JENKINS-21984 Disabling cert check on updateDirectlyWithJson since the certificate is now expired, and it is no good to have a test which is known to start failing at a particular time in the future!
            (cherry picked from commit 334ce1be691c96ad63642c8301c4f0417a0705c3)

            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: test/src/test/java/hudson/model/UpdateSiteTest.java http://jenkins-ci.org/commit/jenkins/1d29041372aeb77cab5a6aa4ce758ba5133c2f51 Log: JENKINS-21984 Disabling cert check on updateDirectlyWithJson since the certificate is now expired, and it is no good to have a test which is known to start failing at a particular time in the future! (cherry picked from commit 334ce1be691c96ad63642c8301c4f0417a0705c3)
            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #3715
            JENKINS-21984 Disabling cert check on updateDirectlyWithJson since the certificate is now expired, and it is no good to have a test which is known to start failing at a particular time in the future! (Revision 1d29041372aeb77cab5a6aa4ce758ba5133c2f51)

            Result = SUCCESS
            Jesse Glick : 1d29041372aeb77cab5a6aa4ce758ba5133c2f51
            Files :

            • test/src/test/java/hudson/model/UpdateSiteTest.java
            dogfood dogfood added a comment - Integrated in jenkins_main_trunk #3715 JENKINS-21984 Disabling cert check on updateDirectlyWithJson since the certificate is now expired, and it is no good to have a test which is known to start failing at a particular time in the future! (Revision 1d29041372aeb77cab5a6aa4ce758ba5133c2f51) Result = SUCCESS Jesse Glick : 1d29041372aeb77cab5a6aa4ce758ba5133c2f51 Files : test/src/test/java/hudson/model/UpdateSiteTest.java
            jglick Jesse Glick added a comment -

            Missing signature blocks is an unrelated issue (related to JENKINS-15105), so reclosing.

            jglick Jesse Glick added a comment - Missing signature blocks is an unrelated issue (related to JENKINS-15105 ), so reclosing.
            jglick Jesse Glick made changes -
            Resolution Fixed [ 1 ]
            Status Reopened [ 4 ] Resolved [ 5 ]
            rtyler R. Tyler Croy made changes -
            Workflow JNJira [ 154061 ] JNJira + In-Review [ 194775 ]

            People

              kohsuke Kohsuke Kawaguchi
              sogabe sogabe
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: