INFRA-1483

cmake isn't getting tool installers updated

      Description

      See modification dates at https://updates.jenkins.io/updates/

      Flyway isn't a problem, it's just leftover from before https://github.com/jenkins-infra/crawler/commit/85597d46a0f0c867c0b154feb7d60ee266aed9d0#diff-81d31b3a09ab276b931570685cdc7d89 I think.

      But cmake now fails to download for users due to the outdated signatures.

      Errors:

      16:15:26 Caught: java.io.IOException: GET https://cmake.org/files/ failed
      16:15:26 java.io.IOException: GET https://cmake.org/files/ failed
      16:15:26 	at com.gargoylesoftware.htmlunit.HttpWebConnection.getResponse(HttpWebConnection.java:126)
      16:15:26 	at com.gargoylesoftware.htmlunit.WebClient.loadWebResponseFromWebConnection(WebClient.java:1456)
      16:15:26 	at com.gargoylesoftware.htmlunit.WebClient.loadWebResponse(WebClient.java:1387)
      16:15:26 	at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:328)
      16:15:26 	at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:389)
      16:15:26 	at com.gargoylesoftware.htmlunit.WebClient.getPage(WebClient.java:374)
      16:15:26 	at com.gargoylesoftware.htmlunit.WebClient$getPage$0.call(Unknown Source)
      16:15:26 	at cmake.run(cmake.groovy:16)
      16:15:26 	at runner$_run_closure1.doCall(runner.groovy:13)
      16:15:26 	at runner.run(runner.groovy:10)
      16:15:26 Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      16:15:26 	at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:828)
      16:15:26 	at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.flushRequestOutputStream(MultiThreadedHttpConnectionManager.java:1565)
      16:15:26 	at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2116)
      16:15:26 	at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
      16:15:26 	at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
      16:15:26 	at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
      16:15:26 	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
      16:15:26 	at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:346)
      16:15:26 	at com.gargoylesoftware.htmlunit.HttpWebConnection.getResponse(HttpWebConnection.java:97)
      16:15:26 	... 9 more
      16:15:26 Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      16:15:26 	... 18 more
      16:15:26 Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      16:15:26 	... 18 more
      

            Activity

            15knots Martin Weber added a comment -

            Looks like cmake.org updated their signatures now.

            I just ran

            ./cmake.groovy

            and it printed the list without exceptions:

            {"list": [
                {
                "id": "3.11.0",
                "name": "3.11.0",
                "variants":     [
            ...
            

            OS is openSUSE 42.3.

             

            danielbeck Daniel Beck added a comment -

            Martin Weber Still not updated on the live site at https://updates.jenkins-ci.org/updates/ so probably an infra issue.

            15knots Martin Weber added a comment -

            16:15:26 Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

            Definitely an issue on the infra side. Its JRE does not have the root certs for the cmake.org TLS key. I used OpenJDK 1.7.0_171 to test it.

            henryborchers Henry Borchers added a comment -

            Any updates on this or is there an issue preventing this from moving forward that I can keep an eye on? I love Jenkins but trying to get the latest versions of CMake onto build nodes is a pain. The CMake plugin should solve 99% of these issues.

            15knots Martin Weber added a comment -

            Henry Borchers: The Cmake plugin cannot solve this, it relies on a file (https://updates.jenkins-ci.org/updates/hudson.plugins.cmake.CmakeInstaller.json) downloaded by Jenkins core. I see the following in my Jenkins log:

            Mai 05, 2018 2:18:04 PM hudson.model.DownloadService$Downloadable updateNow
            WARNUNG: signature check failed for http://updates.jenkins-ci.org/updates/hudson.plugins.cmake.CmakeInstaller.json
            ERROR: Signature verification failed in downloadable 'hudson.plugins.cmake.CmakeInstaller' <a href='#' class='showDetails'>(Details anzeigen)</a><pre style='display:none'>java.security.cert.CertificateExpiredException: NotAfter: Sat Jan 06 01:01:24 CET 2018<br> at
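
The two logs quoted in this thread show different failures on different machines: a TLS trust failure on the side that fetches https://cmake.org/files/, and an expired signing certificate on the side that verifies the published JSON. The following Python triage is an added example, not part of the original comments or of any Jenkins code; the `triage` function and its finding labels are hypothetical names chosen here.

```python
import re
from datetime import datetime

# Lines copied from the two logs quoted in this thread (crawler job, Jenkins log).
SAMPLE = [
    "16:15:26 Caught: java.io.IOException: GET https://cmake.org/files/ failed",
    "16:15:26 Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
    "16:15:26 Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
    "WARNUNG: signature check failed for http://updates.jenkins-ci.org/updates/hudson.plugins.cmake.CmakeInstaller.json",
    "ERROR: Signature verification failed in downloadable 'hudson.plugins.cmake.CmakeInstaller' <a href='#' class='showDetails'>(Details anzeigen)</a><pre style='display:none'>java.security.cert.CertificateExpiredException: NotAfter: Sat Jan 06 01:01:24 CET 2018<br> at",
]

GET_FAILED = re.compile(r"IOException: GET (\S+) failed")
SIG_FAILED = re.compile(r"signature check failed for (\S+)")
PKIX = "PKIX path building failed"
# java.util.Date.toString() layout, e.g. "Sat Jan 06 01:01:24 CET 2018".
# The zone name is matched but ignored, so the result is a naive timestamp.
NOT_AFTER = re.compile(
    r"CertificateExpiredException: NotAfter: \w{3} (\w{3}) (\d{1,2}) "
    r"(\d\d):(\d\d):(\d\d) \S+ (\d{4})")
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def triage(lines):
    """Return one finding per distinct root cause, in order of first appearance."""
    findings, seen, fetch_url, signed_url = [], set(), None, None
    for line in lines:
        if m := GET_FAILED.search(line):
            fetch_url = m.group(1)          # URL the HTTP client was fetching
        if m := SIG_FAILED.search(line):
            signed_url = m.group(1)         # signed file that failed verification
        # The same PKIX error repeats down the "Caused by" chain: report it once.
        if PKIX in line and ("tls-trust", fetch_url) not in seen:
            seen.add(("tls-trust", fetch_url))
            findings.append({"kind": "tls-trust", "url": fetch_url,
                             "where": "fetching side: JRE truststore lacks a trust anchor"})
        if m := NOT_AFTER.search(line):
            mon, day, hh, mm, ss, year = m.groups()
            not_after = datetime(int(year), MONTHS.index(mon) + 1, int(day),
                                 int(hh), int(mm), int(ss))
            findings.append({"kind": "expired-signer", "url": signed_url,
                             "not_after": not_after,
                             "where": "verifying side: signing certificate past NotAfter"})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
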

            henryborchers Henry Borchers added a comment -

            Martin Weber, I can see that this issue is depending on something else. Is there another issue on this board that addresses this json file that you can point me to?

            danielbeck Daniel Beck added a comment -

            Henry Borchers This is the infra issue for the problem.

            henryborchers Henry Borchers added a comment -

            Daniel Beck, my apologies. I wasn't sure what Martin Weber meant by his comment here. My misunderstanding.

            15knots Martin Weber added a comment -

            Daniel Beck As I interpret the log of the crawler job, it properly crawls the cmake.org site. IIUC, that job is the integration test for the crawler project, but not the job that publishes the files on https://updates.jenkins.io/updates/

            danielbeck Daniel Beck added a comment -

            I know. Ancient JDK. I just can't get Tyler to tell me whether that's deliberate, or just neglect.

            henryborchers Henry Borchers added a comment -

            What makes the CMake crawler different than the others?

            danielbeck Daniel Beck added a comment -

            The Let's Encrypt cert on their site.

            henryborchers Henry Borchers added a comment -

            So it's out of date on their site?

            danielbeck Daniel Beck added a comment - - edited

            No, the JRE doing the crawling is outdated. See previous comments.

            henryborchers Henry Borchers added a comment -

            Sorry. This is not my area of expertise. Let me see if I got this straight. It's something on the CMake site that requires a dependency on the crawler that doesn't work because that dependency requires a newer version of the JRE than what is installed. Did I get that right? 

             

            Once again, I'm sorry if you covered this or I completely botched understanding it. I just want the CMake tool to work again and want to know if there is anything I can do to help fix it.

            danielbeck Daniel Beck added a comment -

            I know how to fix it, I just don't know whether the current situation is deliberate or not, and our infra lead doesn't respond on IRC when asked.

            henryborchers Henry Borchers added a comment -

            "doesn't respond on IRC when asked"

            Now that is something I understand all too well.


              People

              Assignee:
              danielbeck Daniel Beck
              Reporter:
              danielbeck Daniel Beck