Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-32376

Private certifacates doesn't work with server-based download (Jenkins >= 1.557)

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Critical Critical
    • None
    • update-sites-manager 1.0.1
      Jenkins >= 1.557 (affected depending on configurations)
      Jenkins >= 1.600, 1.596.1 (affected by default)

      • Jenkins 1.557 introduced server-based download of lists of plugins. (1ac7775, 33d88c0, )
        • This feature is enabled when disable "Download Preferences > Use Browser" in the system configurqation.
      • This feature is enabled by default since Jenkins 1.600 and Jenkins 1.596.1. (6b71fac)

      Access to updater centers requiring private CA certificates fails with

      Jan 10, 2016 9:42:31 AM hudson.model.UpdateSite updateData
      INFO: Obtained the latest update center data file for UpdateSource default
      Jan 10, 2016 9:42:31 AM hudson.model.UpdateSite updateData
      SEVERE: ERROR: Signature verification failed in update site &#039;ikedam-update-center&#039; <a href='#' class='showDetails'>(show details)
      yle='display:none'>java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
              at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:208)
              at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
              at org.jvnet.hudson.crypto.CertificateUtil.validatePath(CertificateUtil.java:93)
              at jenkins.util.JSONSignatureValidator.verifySignature(JSONSignatureValidator.java:92)
              at hudson.model.UpdateSite.verifySignature(UpdateSite.java:221)
              at hudson.model.UpdateSite.updateData(UpdateSite.java:200)
              at hudson.model.UpdateSite.updateDirectlyNow(UpdateSite.java:170)
              at hudson.PluginManager.doCheckUpdatesServer(PluginManager.java:824)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:606)
              at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
              at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:46)
              at org.kohsuke.stapler.Function$InterceptedFunction.invoke(Function.java:399)
              at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
              at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
              at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:120)
              at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
              at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
              at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
              at org.kohsuke.stapler.MetaClass$3.doDispatch(MetaClass.java:182)
              at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
              at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
              at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
              at org.kohsuke.stapler.Stapler.invoke(Stapler.java:631)
              at org.kohsuke.stapler.Stapler.service(Stapler.java:225)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
              at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
              at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
              at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:96)
              at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:88)
              at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
              at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:48)
              at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
              at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
              at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
              at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
              at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
              at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
              at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
              at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
              at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
              at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
              at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
              at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
              at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
              at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
              at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
              at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
              at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
              at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
              at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
              at org.eclipse.jetty.server.Server.handle(Server.java:370)
              at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
              at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)
              at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)
              at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
              at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
              at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
              at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
              at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
              at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
              at java.lang.Thread.run(Thread.java:745)
      

          [JENKINS-32376] Private certifacates doesn't work with server-based download (Jenkins >= 1.557)

          Daniel Beck added a comment -

          To clarify, this also happens when specifying a certification with the custom update site?

          Daniel Beck added a comment - To clarify, this also happens when specifying a certification with the custom update site?

          ikedam added a comment -

          > To clarify, this also happens when specifying a certification with the custom update site?

          Exactly.
          The process injecting the specified certificate isn't performed in server-based download.
          That process is implemented as wrapper of UpdateSite#doPostBack, which is for client-based download and not invoked for server-based download.

          ikedam added a comment - > To clarify, this also happens when specifying a certification with the custom update site? Exactly. The process injecting the specified certificate isn't performed in server-based download. That process is implemented as wrapper of UpdateSite#doPostBack , which is for client-based download and not invoked for server-based download.

          ikedam added a comment - https://github.com/jenkinsci/update-sites-manager-plugin/pull/3 https://github.com/jenkinsci/update-sites-manager-plugin/pull/5

          Code changed in jenkins
          User: ikedam
          Path:
          pom.xml
          src/main/java/jp/ikedam/jenkins/plugins/updatesitesmanager/internal/ExtendedCertJsonSignValidator.java
          src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/DescribedUpdateSiteJenkinsTest.java
          src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSiteJenkinsTest.java
          src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/UpdateSitesManagerJenkinsTest.java
          src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/internal/ExtendedCertJsonSignValidatorTest.java
          http://jenkins-ci.org/commit/update-sites-manager-plugin/d5d4f7ebd550bd015a35e224edcfea21f81417f0
          Log:
          JENKINS-32376 Changed the target to the least LTS 1.596.

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: ikedam Path: pom.xml src/main/java/jp/ikedam/jenkins/plugins/updatesitesmanager/internal/ExtendedCertJsonSignValidator.java src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/DescribedUpdateSiteJenkinsTest.java src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSiteJenkinsTest.java src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/UpdateSitesManagerJenkinsTest.java src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/internal/ExtendedCertJsonSignValidatorTest.java http://jenkins-ci.org/commit/update-sites-manager-plugin/d5d4f7ebd550bd015a35e224edcfea21f81417f0 Log: JENKINS-32376 Changed the target to the least LTS 1.596.

          Code changed in jenkins
          User: ikedam
          Path:
          src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSiteJenkinsTest.java
          http://jenkins-ci.org/commit/update-sites-manager-plugin/a4e9b85239b415f3a66776f7d8e93111c1aabec4
          Log:
          JENKINS-32376 Integration tests with client-based download and server-based download.

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: ikedam Path: src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSiteJenkinsTest.java http://jenkins-ci.org/commit/update-sites-manager-plugin/a4e9b85239b415f3a66776f7d8e93111c1aabec4 Log: JENKINS-32376 Integration tests with client-based download and server-based download.

          Code changed in jenkins
          User: ikedam
          Path:
          pom.xml
          src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSiteJenkinsTest.java
          http://jenkins-ci.org/commit/update-sites-manager-plugin/cf71b464e80372ff906e0d81d5113d6f4e4b2892
          Log:
          JENKINS-32376 Jenkins < 1.600 have a problem with the server-side download feature (Downloadable refers URLs without signatures) and cannot test the behavior. I decided to target 1.609.

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: ikedam Path: pom.xml src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSiteJenkinsTest.java http://jenkins-ci.org/commit/update-sites-manager-plugin/cf71b464e80372ff906e0d81d5113d6f4e4b2892 Log: JENKINS-32376 Jenkins < 1.600 have a problem with the server-side download feature (Downloadable refers URLs without signatures) and cannot test the behavior. I decided to target 1.609.

          Code changed in jenkins
          User: ikedam
          Path:
          pom.xml
          src/main/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSite.java
          src/main/java/jp/ikedam/jenkins/plugins/updatesitesmanager/internal/ExtendedCertJsonSignValidator.java
          src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSiteJenkinsTest.java
          src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/UpdateSitesManagerJenkinsTest.java
          src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/internal/ExtendedCertJsonSignValidatorTest.java
          http://jenkins-ci.org/commit/update-sites-manager-plugin/45819d10f539ca6afe4cf51386efdab9db04ad25
          Log:
          Merge pull request #5 from ikedam/feature/JENKIS-32376_ServerBasedDownloading

          [FIXED JENKINS-32376] Supports server-based downloading

          Compare: https://github.com/jenkinsci/update-sites-manager-plugin/compare/b8bfa335c508...45819d10f539

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: ikedam Path: pom.xml src/main/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSite.java src/main/java/jp/ikedam/jenkins/plugins/updatesitesmanager/internal/ExtendedCertJsonSignValidator.java src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/ManagedUpdateSiteJenkinsTest.java src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/UpdateSitesManagerJenkinsTest.java src/test/java/jp/ikedam/jenkins/plugins/updatesitesmanager/internal/ExtendedCertJsonSignValidatorTest.java http://jenkins-ci.org/commit/update-sites-manager-plugin/45819d10f539ca6afe4cf51386efdab9db04ad25 Log: Merge pull request #5 from ikedam/feature/JENKIS-32376_ServerBasedDownloading [FIXED JENKINS-32376] Supports server-based downloading Compare: https://github.com/jenkinsci/update-sites-manager-plugin/compare/b8bfa335c508...45819d10f539

          ikedam added a comment -

          Fixed in update-sites-manager-2.0.0.
          It will be available in the update center in a day.

          ikedam added a comment - Fixed in update-sites-manager-2.0.0. It will be available in the update center in a day.

            ikedam ikedam
            ikedam ikedam
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: