Certificate is NOT trusted when installing Jenkins

Hi all,

We had an issue with our instance of Jenkins on our Ubuntu server which purged our configs and packages.

Because of that, we are attempting to re-install Jenkins on this server. However, we continue to get an error when running sudo apt-get update

Err:6 https://pkg.jenkins.io/debian-stable binary/ Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 151.101.194.133 443]

We have followed all the steps on the Jenkins Ubuntu install page:

We have also made sure to remove Jenkins from the apt list and add back all the necessary files (once again by following the steps on the Jenkins page).

The steps we have tried:

  • curl -fsSL https://pkg.jenkins.io/debian-stable/jenkins.io.key | sudo tee /usr/share/keyrings/jenkins-keyring.asc > /dev/null
  • echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] https://pkg.jenkins.io/debian-stable binary/ | sudo tee /etc/apt/sources.list.d/jenkins.list > /dev/null
  • sudo apt-get update ← This is the issue where we get the error mentioned above.

I have also tried:
wget -q -O - https://pkg.jenkins.io/debian-stable/jenkins.io.key | apt-key add -

We are running java version 8 on Ubuntu 20.04

Sounds like your system is old enough to not handle letsencrypt certs.

Usually when there is a report that the certificate is not trusted, it is because the operating system list of certificates is out of date. Be sure that you’ve run apt-get update && apt-get upgrade on that operating system so that it downloads and installs the latest certificate authorities.

@MarkEWaite @halkeye thanks for the reply.

We have run both update and upgrade but are still getting the cert issue.

We have also made sure the ca-certificate was updated by running sudo apt install ca-certificates

I can confirm it's valid and working. You may want to confirm a certificate package was updated for your OS version. (You need to update your local certs before running the update-ca-certificates function)

openssl s_client -connect pkg.jenkins.io:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Dec 13 11:47:49 2021 GMT
notAfter=Mar 13 11:47:48 2022 GMT
 curl -v https://pkg.jenkins.io/ >/dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 151.101.194.133:443...
* TCP_NODELAY set
* Connected to pkg.jenkins.io (151.101.194.133) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [106 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4020 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=pkg.jenkins.io
*  start date: Dec 13 11:47:49 2021 GMT
*  expire date: Mar 13 11:47:48 2022 GMT
*  subjectAltName: host "pkg.jenkins.io" matched cert's "pkg.jenkins.io"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x564685811c90)
} [5 bytes data]
> GET / HTTP/2
> Host: pkg.jenkins.io
> user-agent: curl/7.68.0
> accept: */*
>
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
} [5 bytes data]
< HTTP/2 200
< server: Apache/2.4.29 (Ubuntu)
< content-type: text/html;charset=UTF-8
< accept-ranges: bytes
< date: Fri, 14 Jan 2022 23:58:06 GMT
< via: 1.1 varnish
< age: 3
< x-served-by: cache-sea4444-SEA
< x-cache: HIT
< x-cache-hits: 1
< x-timer: S1642204687.724884,VS0,VE0
< vary: Accept-Encoding
< strict-transport-security: max-age=300
< content-length: 3329
<
{ [1164 bytes data]
100  3329  100  3329    0     0  79261      0 --:--:-- --:--:-- --:--:-- 79261
* Connection #0 to host pkg.jenkins.io left intact

@halkeye

I recreated the ca-cert
sudo update-ca-certificates -f

It looks like I received the same output when attempting to connect to jenkins.io

curl -v https://pkg.jenkins.io/ >/dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 151.101.2.133:443...
* TCP_NODELAY set
* Connected to pkg.jenkins.io (151.101.2.133) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [106 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4020 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=pkg.jenkins.io
*  start date: Dec 13 11:47:49 2021 GMT
*  expire date: Mar 13 11:47:48 2022 GMT
*  subjectAltName: host "pkg.jenkins.io" matched cert's "pkg.jenkins.io"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x564a14e8edb0)
} [5 bytes data]
> GET / HTTP/2
> Host: pkg.jenkins.io
> user-agent: curl/7.68.0
> accept: */*
> 
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
} [5 bytes data]
< HTTP/2 200 
< server: Apache/2.4.29 (Ubuntu)
< content-type: text/html;charset=UTF-8
< accept-ranges: bytes
< date: Sat, 15 Jan 2022 00:14:51 GMT
< via: 1.1 varnish
< age: 506
< x-served-by: cache-mdw17348-MDW
< x-cache: HIT
< x-cache-hits: 1
< x-timer: S1642205692.906762,VS0,VE1
< vary: Accept-Encoding
< strict-transport-security: max-age=300
< content-length: 3329
< 
{ [1161 bytes data]
100  3329  100  3329    0     0  26212      0 --:--:-- --:--:-- --:--:-- 26212
* Connection #0 to host pkg.jenkins.io left intact

Excuse me for not knowing, but how would I update my local certs?

I don’t know offhand. update-ca-certificates takes the certs in the directory and installs them properly. One of the Debian packages, maybe ca-certificates, is the one that installs the latest ones for Debian.

I would recommend googling for your version of linux (debian, ubuntu, arch, etc) and the version, and how to update it to support the letsencrypt root certificates.
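Added example, not from anyone in this thread: a small Python audit of the OS trust store (the same /etc/ssl/certs/ca-certificates.crt bundle that the curl output above reports as CAfile) that lists expired trust anchors and checks whether the current Let's Encrypt root is present. The root names DST Root CA X3 (the expired cross-signing root) and ISRG Root X1 (the current one) are not named in the thread; the SAMPLE_STORE entries at the bottom are constructed test data in the dict format returned by SSLContext.get_ca_certs().

```python
"""Audit a CA trust store for expired anchors and for the Let's Encrypt root.

An apt/GnuTLS error of the form "The certificate chain uses expired
certificate" usually means the OS bundle still carries the expired
DST Root CA X3 anchor and/or lacks ISRG Root X1, so the fix is to update
the ca-certificates package rather than to bypass verification.
"""
import ssl
import time

LETS_ENCRYPT_ROOT = "ISRG Root X1"  # current Let's Encrypt trust anchor
LEGACY_ROOT = "DST Root CA X3"      # cross-signing root that expired on 2021-09-30


def common_name(cert):
    """Return the subject CN from a cert dict in SSLContext.get_ca_certs() format."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def audit_trust_store(certs, now=None):
    """Return (expired_cns, has_lets_encrypt_root, has_legacy_root) for a cert list."""
    now = time.time() if now is None else now
    expired = [common_name(c) for c in certs
               if ssl.cert_time_to_seconds(c["notAfter"]) < now]
    names = {common_name(c) for c in certs}
    return expired, LETS_ENCRYPT_ROOT in names, LEGACY_ROOT in names


def audit_system_store():
    """Audit the bundle OpenSSL loads by default (Debian/Ubuntu: ca-certificates.crt)."""
    ctx = ssl.create_default_context()
    return audit_trust_store(ctx.get_ca_certs())


# Constructed sample store: an expired legacy root next to the current root.
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Digital Signature Trust Co."),),
                 (("commonName", LEGACY_ROOT),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("organizationName", "Internet Security Research Group"),),
                 (("commonName", LETS_ENCRYPT_ROOT),)),
     "notAfter": "Jun 04 11:04:38 2035 GMT"},
]
SAMPLE_NOW = 1642118400  # 2022-01-14 00:00:00 UTC, the day of this thread

if __name__ == "__main__":
    expired, has_le, has_legacy = audit_system_store()
    print(f"expired anchors: {expired or 'none'}")
    print(f"{LETS_ENCRYPT_ROOT} present: {has_le}; {LEGACY_ROOT} still present: {has_legacy}")
    if expired or not has_le:
        print("trust store is stale: sudo apt install ca-certificates && sudo update-ca-certificates")
```

Run without arguments it audits the real system bundle; the audit itself is a pure function, so the constructed SAMPLE_STORE can be used to see what a stale store looks like.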

@halkeye Alright I will try to get that figured out.

Thanks for the help, we were able to get another instance of Jenkins running on a separate VM.