Java.security.cert.CertificateException: No subject alternative DNS name matching updates.jenkins.io found

manoj.singhraja · March 11, 2024, 1:27pm

hi Guys,

I am facing issue during launching any plugin from jenkins console and it’s showing below error.

java.security.cert.CertificateException: No subject alternative DNS name matching updates.jenkins.io found.
at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:212)
at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:103)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:461)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:435)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341)
Caused: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching updates.jenkins.io found.
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:360)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:303)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:298)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1511)

Below steps i tried to remediate it.

updated all latest OS patches (OEL 8)
updated latest JAVA version (Java 11)
Updated latest jenkins version (jenkins 4.440.1)
Re created new certificate and assigned (by local signin Authority)
Downloaded certificate traill from my portal and added into java certificate list

poddingue · March 11, 2024, 2:49pm

Hello @manoj.singhraja and welcome to this community.

Please check your network settings.
Sometimes, this issue can be caused by network settings, such as an infamous misconfigured proxy.
Make sure that your Jenkins controller can reach updates.jenkins.io directly.

manoj.singhraja · March 11, 2024, 3:37pm

Hi @poddingue

I removed all network settings after that same issue is occuring. I am not using proxy settings.

Thanks!

poddingue · March 11, 2024, 4:21pm

But can you once logged in via ssh on the server hosting your Jenkins controller reach updates.jenkins.io?

manoj.singhraja · March 12, 2024, 9:26am

Yes, it’s able to reach on it.

Trying 52.202.51.185…
Connected to updates.jenkins.io.
Escape character is ‘^]’.

zayne · March 27, 2024, 11:02am

Having the same issue, when trying to update available plugin list, or trying to install a plugin.

Host is able to reach the URI:

root@jenkins-vm:~# curl -I updates.jenkins.io
HTTP/1.1 200 OK
Date: Wed, 27 Mar 2024 10:47:23 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Wed, 27 Mar 2024 10:42:17 GMT
ETag: "21cb-614a20f7e6e41"
Accept-Ranges: bytes
Content-Length: 8651
Vary: Accept-Encoding
Content-Type: text/html

root@jenkins-vm:~#

But the error is talking about SSL SAN name, which appears to be valid:

root@jenkins-vm:~# echo "q" | openssl s_client -connect updates.jenkins.io:443 2>/dev/null | openssl x509 -text | grep -ie 'subject:\|alternative\|dns:'
        Subject: CN=pkg.jenkins-ci.org
            X509v3 Subject Alternative Name:
                DNS:pkg.jenkins-ci.org
root@jenkins-vm:~#

i.e. the certificate doesn’t contain a matching DNS name. If you go to the site with your browser, you should see the same issue…

Is there a way to bypass this check from Jenkins UI?

poddingue · March 27, 2024, 1:50pm

I frankly have no idea.
Could you please open a ticket on the helpdesk?

manoj.singhraja · March 30, 2024, 5:02pm

i just restored updates and plugins directory from backup then it got fixed. so something happened wrong by new plugins.

manoj.singhraja · March 30, 2024, 5:04pm

Thanks Bruno for providing continue inputs.

poddingue · April 1, 2024, 8:38pm

Thanks a lot for your feedback.

Topic		Replies	Views
Problems with plugin updates Using Jenkins question	2	2763	September 7, 2023
Resource Root URL not working after enabling SSL Using Jenkins	2	1466	June 27, 2023
LDAP error "unable to find valid certification path" Ask a question	4	1844	October 30, 2024
Jenkins sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Ask a question	2	4405	October 7, 2022
Jenkins EKS SSLHandshakeException issue Using Jenkins	0	613	March 8, 2022

Java.security.cert.CertificateException: No subject alternative DNS name matching updates.jenkins.io found

Related topics