Jenkins Update Center root CA certificate expiration - October, 2021

Issue

On October 19, 2021, the root CA certificate that is used to verify the signature of the CloudBees Update Center will expire. The expiring certificate is bundled with all CloudBees releases of Jenkins older than version 2.235.1.2. The non-CloudBees, community releases of Jenkins are not affected. After the certificate expires, if you have not updated, you will no longer be able to download plugins through the update center. You will see the following exception when you try to load the Plugin Manager UI in Jenkins:

There were errors checking the update sites: Signature verification failed in the update center [update center name]

java.security.cert.CertificateExpiredException: NotAfter: Tue Oct 19 18:31:36 UTC 2021
 at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
 at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
 at sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
 at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
 at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
Caused: java.security.cert.CertPathValidatorException: validity check failed
 at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
 at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
 at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
 at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
 at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
 at org.jvnet.hudson.crypto.CertificateUtil.validatePath(CertificateUtil.java:93)
 at com.cloudbees.jenkins.plugins.license.nectar.CloudBeesUpdateSite.verifySignature(CloudBeesUpdateSite.java:337)
 at com.cloudbees.jenkins.plugins.license.nectar.CloudBeesUpdateSite.updateData(CloudBeesUpdateSite.java:524)
 at com.cloudbees.jenkins.plugins.license.nectar.CloudBeesUpdateSite.updateDirectlyNow(CloudBeesUpdateSite.java:450)
 at hudson.PluginManager.checkUpdatesServer(PluginManager.java:1763)
 at hudson.util.Retrier.start(Retrier.java:62)
 at hudson.PluginManager.doCheckUpdatesServer(PluginManager.java:1734)
 at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
 ... [further stack trace truncated]

Environment

Resolution

In order to address this issue, you must update to at least the June 2020 (2.235.1.2) version of the CloudBees product that you are using. Any version from that release onwards will have the updated root CA certificate bundled with it, and you will not experience any disruption when the old certificate expires.

If you need assistance updating your Jenkins installation, please submit a request to our Support team.

Have more questions?

0 Comments

Please sign in to leave a comment.