[JENKINS-32376] Private certifacates doesn't work with server-based download (Jenkins >= 1.557)

Type: Bug
Resolution: Fixed
Priority: Critical
Component/s: update-sites-manager-plugin
Labels:
None
Environment:
update-sites-manager 1.0.1
Jenkins >= 1.557 (affected depending on configurations)
Jenkins >= 1.600, 1.596.1 (affected by default)

Similar Issues:
Powered by SuggestiMate

Show

Jenkins 1.557 introduced server-based download of lists of plugins. (1ac7775, 33d88c0, )
- This feature is enabled when disable "Download Preferences > Use Browser" in the system configurqation.
This feature is enabled by default since Jenkins 1.600 and Jenkins 1.596.1. (6b71fac)

Access to updater centers requiring private CA certificates fails with

Jan 10, 2016 9:42:31 AM hudson.model.UpdateSite updateData
INFO: Obtained the latest update center data file for UpdateSource default
Jan 10, 2016 9:42:31 AM hudson.model.UpdateSite updateData
SEVERE: ERROR: Signature verification failed in update site &#039;ikedam-update-center&#039; <a href='#' class='showDetails'>(show details)
yle='display:none'>java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:208)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
        at org.jvnet.hudson.crypto.CertificateUtil.validatePath(CertificateUtil.java:93)
        at jenkins.util.JSONSignatureValidator.verifySignature(JSONSignatureValidator.java:92)
        at hudson.model.UpdateSite.verifySignature(UpdateSite.java:221)
        at hudson.model.UpdateSite.updateData(UpdateSite.java:200)
        at hudson.model.UpdateSite.updateDirectlyNow(UpdateSite.java:170)
        at hudson.PluginManager.doCheckUpdatesServer(PluginManager.java:824)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
        at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:46)
        at org.kohsuke.stapler.Function$InterceptedFunction.invoke(Function.java:399)
        at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
        at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
        at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:120)
        at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
        at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
        at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
        at org.kohsuke.stapler.MetaClass$3.doDispatch(MetaClass.java:182)
        at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
        at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
        at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
        at org.kohsuke.stapler.Stapler.invoke(Stapler.java:631)
        at org.kohsuke.stapler.Stapler.service(Stapler.java:225)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
        at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:96)
        at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:88)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
        at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:48)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
        at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
        at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
        at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
        at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
        at org.eclipse.jetty.server.Server.handle(Server.java:370)
        at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
        at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)
        at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
        at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)

is related to

JENKINS-19081 Download update center from master by default

Resolved

ikedam created issue - 2016-01-10 00:48

ikedam made changes - 2016-01-10 00:52

Link

New: This issue is related to ~~JENKINS-19081~~ [ ~~JENKINS-19081~~ ]

ikedam made changes - 2016-01-10 00:54

Description

Original: * Jenkins 1.557 introduced server-based download of lists of plugins.
** This feature is enabled when disable "Download Preferences > Use Browser" in the system configurqation.
* This feature is enabled by default since Jenkins 1.600 and Jenkins 1.596.1.

Access to updater centers requiring private CA certificates fails with
{noformat}
Jan 10, 2016 9:42:31 AM hudson.model.UpdateSite updateData
INFO: Obtained the latest update center data file for UpdateSource default
Jan 10, 2016 9:42:31 AM hudson.model.UpdateSite updateData
SEVERE: ERROR: Signature verification failed in update site 'ikedam-update-center' <a href='#' class='showDetails'>(show details)
yle='display:none'>java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:208)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
        at org.jvnet.hudson.crypto.CertificateUtil.validatePath(CertificateUtil.java:93)
        at jenkins.util.JSONSignatureValidator.verifySignature(JSONSignatureValidator.java:92)
        at hudson.model.UpdateSite.verifySignature(UpdateSite.java:221)
        at hudson.model.UpdateSite.updateData(UpdateSite.java:200)
        at hudson.model.UpdateSite.updateDirectlyNow(UpdateSite.java:170)
        at hudson.PluginManager.doCheckUpdatesServer(PluginManager.java:824)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
        at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:46)
        at org.kohsuke.stapler.Function$InterceptedFunction.invoke(Function.java:399)
        at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
        at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
        at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:120)
        at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
        at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
        at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
        at org.kohsuke.stapler.MetaClass$3.doDispatch(MetaClass.java:182)
        at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
        at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
        at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
        at org.kohsuke.stapler.Stapler.invoke(Stapler.java:631)
        at org.kohsuke.stapler.Stapler.service(Stapler.java:225)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
        at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:96)
        at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:88)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
        at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:48)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
        at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
        at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
        at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
        at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
        at org.eclipse.jetty.server.Server.handle(Server.java:370)
        at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
        at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)
        at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
        at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
{noformat}

New: * Jenkins 1.557 introduced server-based download of lists of plugins. ([1ac7775|https://github.com/jenkinsci/jenkins/commit/1ac77750e93f9a1970fecbecdf7f84279d0a62b9], [33d88c0|https://github.com/jenkinsci/jenkins/commit/33d88c015c7fc6c6cdb093d4a3d04a75aa85fa80], )
** This feature is enabled when disable "Download Preferences > Use Browser" in the system configurqation.
* This feature is enabled by default since Jenkins 1.600 and Jenkins 1.596.1. ([6b71fac|https://github.com/jenkinsci/jenkins/commit/6b71faccb95285fb15a72703b2c2e4efdc905512])

Access to updater centers requiring private CA certificates fails with
{noformat}
Jan 10, 2016 9:42:31 AM hudson.model.UpdateSite updateData
INFO: Obtained the latest update center data file for UpdateSource default
Jan 10, 2016 9:42:31 AM hudson.model.UpdateSite updateData
SEVERE: ERROR: Signature verification failed in update site 'ikedam-update-center' <a href='#' class='showDetails'>(show details)
yle='display:none'>java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:208)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:279)
        at org.jvnet.hudson.crypto.CertificateUtil.validatePath(CertificateUtil.java:93)
        at jenkins.util.JSONSignatureValidator.verifySignature(JSONSignatureValidator.java:92)
        at hudson.model.UpdateSite.verifySignature(UpdateSite.java:221)
        at hudson.model.UpdateSite.updateData(UpdateSite.java:200)
        at hudson.model.UpdateSite.updateDirectlyNow(UpdateSite.java:170)
        at hudson.PluginManager.doCheckUpdatesServer(PluginManager.java:824)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
        at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:46)
        at org.kohsuke.stapler.Function$InterceptedFunction.invoke(Function.java:399)
        at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
        at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
        at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:120)
        at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
        at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
        at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
        at org.kohsuke.stapler.MetaClass$3.doDispatch(MetaClass.java:182)
        at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
        at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
        at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
        at org.kohsuke.stapler.Stapler.invoke(Stapler.java:631)
        at org.kohsuke.stapler.Stapler.service(Stapler.java:225)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:686)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1494)
        at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:96)
        at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:88)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
        at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:48)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
        at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
        at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
        at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
        at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
        at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1474)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:499)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:533)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:428)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
        at org.eclipse.jetty.server.Server.handle(Server.java:370)
        at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:489)
        at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:960)
        at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1021)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:668)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
        at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
{noformat}

ikedam made changes - 2016-01-11 03:33

Status

Original: Open [ 1 ]

New: In Progress [ 3 ]

SCM/JIRA link daemon made changes - 2016-01-16 04:42

Resolution		New: Fixed [ 1 ]
Status	Original: In Progress [ 3 ]	New: Resolved [ 5 ]

ikedam made changes - 2016-02-28 02:45

Status

Original: Resolved [ 5 ]

New: Closed [ 6 ]

R. Tyler Croy made changes - 2016-07-26 00:01

Workflow

Original: JNJira [ 167989 ]

New: JNJira + In-Review [ 209596 ]

Assignee:: ikedam

Reporter:: ikedam

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2016-01-10 00:48

Updated:: 2016-02-28 02:45

Resolved:: 2016-01-16 04:42

Jenkins

Details

Description

Attachments

Issue Links

Activity

People

Dates