Issue
On October 19, 2021, the root CA certificate that is used to verify the signature of the CloudBees Update Center will expire. The expiring certificate is bundled with all CloudBees releases of Jenkins older than version 2.235.1.2. The non-CloudBees, community releases of Jenkins are not affected. After the certificate expires, if you have not updated, you will no longer be able to download plugins through the update center. You will see the following exception when you try to load the Plugin Manager UI in Jenkins:
There were errors checking the update sites: Signature verification failed in the update center [update center name]
java.security.cert.CertificateExpiredException: NotAfter: Tue Oct 19 18:31:36 UTC 2021
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
at sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
Caused: java.security.cert.CertPathValidatorException: validity check failed
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at org.jvnet.hudson.crypto.CertificateUtil.validatePath(CertificateUtil.java:93)
at com.cloudbees.jenkins.plugins.license.nectar.CloudBeesUpdateSite.verifySignature(CloudBeesUpdateSite.java:337)
at com.cloudbees.jenkins.plugins.license.nectar.CloudBeesUpdateSite.updateData(CloudBeesUpdateSite.java:524)
at com.cloudbees.jenkins.plugins.license.nectar.CloudBeesUpdateSite.updateDirectlyNow(CloudBeesUpdateSite.java:450)
at hudson.PluginManager.checkUpdatesServer(PluginManager.java:1763)
at hudson.util.Retrier.start(Retrier.java:62)
at hudson.PluginManager.doCheckUpdatesServer(PluginManager.java:1734)
at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
... [further stack trace truncated]
Environment
- CloudBees CI (CloudBees Core)
- CloudBees CI (CloudBees Core) on modern cloud platforms - Managed Master
- CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
- CloudBees CI (CloudBees Core) on traditional platforms - Client Master
- CloudBees CI (CloudBees Core) on traditional platforms - Operations Center
- CloudBees Jenkins Enterprise
- CloudBees Jenkins Enterprise - Managed Master
- CloudBees Jenkins Enterprise - Operations Center
- CloudBees Jenkins Platform - Client Master
- CloudBees Jenkins Platform - Operations Center
- CloudBees Jenkins Distribution
Resolution
In order to address this issue, you must update to at least the June 2020 (2.235.1.2) version of the CloudBees product that you are using. Any version from that release onwards will have the updated root CA certificate bundled with it, and you will not experience any disruption when the old certificate expires.
If you need assistance updating your Jenkins installation, please submit a request to our Support team.
0 Comments