Issue

• When accessing Manage Jenkins page, I get notified that All attempts to retrieve security information have failed. In case it keeps happening, Security Warning Monitor will be disabled. Please visit the Documentation Site to see how to proceed.:

  

  In addition, the jenkins log files repeatedly reports the errors:

  SEVERE	c.c.j.p.a.m.SecurityWarningDataProvider$SecurityWarningsRestClient#get:
  SECURITY-WARNING_ERROR: (All attempts to retrieve security information have failed.
  In case it keeps happening, Security Warning Monitor will be disabled)
  java.util.concurrent.ExecutionException thrown: java.io.IOException: Remotely Closed
  

Environment

• CloudBees CI (CloudBees Core) on modern cloud platforms - Managed Master
• CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
• CloudBees CI (CloudBees Core) on traditional platforms - Client Master
• CloudBees CI (CloudBees Core) on traditional platforms - Operations Center
• CloudBees Jenkins Enterprise - Managed Master
• CloudBees Jenkins Enterprise - Operations Center
• CloudBees Jenkins Platform - Client Master
• CloudBees Jenkins Platform - Operations Center
• CloudBees Jenkins Distribution

Related Issue(s)

• BEE-2912: Remove async-http-client from Assurance Plugin

Resolution

Validate that the CloudBees CI Instance can reach out to https://beekeeper-server.cloudbees.com/api/security-warnings. For example run curl -IL https://beekeeper-server.cloudbees.com/api/security-warnings from the host running CloudBees CI and make sure it responds with status 200:

$ curl -IL https://beekeeper-server.cloudbees.com/api/security-warnings
HTTP/2 200 
[...]

If inside a corporate network or using a forward HTTP Proxy, ensure that the host beekeeper-server.cloudbees.com and/or URL https://beekeeper-server.cloudbees.com/api/security-warnings are whitelisted. As per the list of Required URLs to allow.

Known Limitations

At the moment of writing, the client library used to reach out to the Beekeeper Server to retrieve Security Warnings details does not support SNI. This is captured as BEE-2912: Remove async-http-client from Assurance Plugin. Although the end server does not require it, it is a common practice to enforce SNI in a corporate network. To check on this, run openssl s_client -noservername -connect licenses.cloudbees.com:443 and make sure it can connect:

$ openssl s_client -noservername -connect licenses.cloudbees.com:443
CONNECTED(00000006)
[...]

If that does not work, a component in the network is most likely enforcing SNI and dropping packets without SNI. The workaround is to work with the team managing the Infrastructure to relax the SNI enforcement for beekeeper-server.cloudbees.com.