Manage plugins URL https

Hi Team,
We are using the https URL for the plugins site
https://updates.jenkins-ci.org/update-center.json

However, to establish connections with the https URL we need to import the plugins site certificate into the jdk keystore. The problem is that the plugins URL certificate expires every three months and maintaining the certificate will be an issue here.
Is there any alternative way to manage this issue?

Thanks,
Bhawna

Hi @Bhawnamehta, and welcome to the Jenkins community!

It seems odd that you would have to import the certificate for https://updates.jenkins-ci.org/ into your JVM in order to access the HTTPS URL. The certificate is issued by Let’s Encrypt, a certificate authority (CA) that has been around for a few years now and whose certificates are all cross-signed by other well-known root CAs. If you’re receiving certificate errors while attempting to access that URL, that might be an indicator that your root CA bundle is out of date.

Can you please let us know what Jenkins version, what Java version and vendor, and the OS that you’re using? You may just need to update your OS and/or Java to fix that.

Hello @mtughan,
I am able to import the certificate and connectivity is working fine. The issue is that the certificate for URL https://updates.jenkins-ci.org/ will expire every 3 months. Do we have any automatic solution to get this certificate imported into the Java keystore, or any other root certificate that can be used and may have a longer expiry schedule?

Also, ideally for an external certificate we need not import the certificate into the jdk keystore; not sure if this can also be the case for the plugins URL: https://updates.jenkins-ci.org/

Thanks,
Bhawna

Why do you need to import it? Unless you are using an OS that no longer gets updates, or a version of Java that predates Let’s Encrypt (in both cases we don’t really help, it’s too hard for volunteers to help with modern let alone legacy versions).

As @mtughan says, I would recommend updating to a Java that supports Let’s Encrypt certs.

If you insist on using one that doesn’t, you’ll have to find your own way. We’ve never needed to develop tooling so haven’t.

Hi @halkeye @mtughan ,

JAVA Version:
openjdk version "1.8.0_332"
OpenJDK Runtime Environment (build 1.8.0_332-b09)
OpenJDK 64-Bit Server VM (build 25.332-b09, mixed mode)

We’ve validated our CA bundle and we could see that the “ISRG Root X1” (Let’s Encrypt) root CA cert is already present in the bundle. But we’re still facing the problem while accessing the plugins URL. It is showing “javax.net.ssl.SSLHandshakeException: No trusted certificate found”. Can you please help us with this?

We’re using Jenkins version 2.19.3 on RHEL 7.9 (Maipo).

Regards,
Dhakshnamoorthy M

Hi @Dhakshna,

If you are using Jenkins 2.19.3, I must insist on upgrading Jenkins first. That is an extremely old version of Jenkins and we do not have the bandwidth to support anything nearly that old.

The only recommendation here is to confirm via /systemInfo that you are indeed running that version of Java. All indications say you are not (if Let’s Encrypt isn’t working, and I’m not even certain 2.19.3 even supports Java 8).

Maybe also delete your existing keystore so none of the letsencrypt stuff is inside of it.
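
The check suggested in the replies above, as an added example that is not part of the thread: a small Java 8 compatible program (the class name `TrustAnchorCheck` is hypothetical) that prints which JVM is actually running and whether its default trust store holds the “ISRG Root X1” root, so that trust rests on the long-lived root rather than on the site certificate that is reissued every three months. It assumes you run it with the same `java` binary and the same `-Djavax.net.ssl.trustStore` options as the Jenkins process.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustAnchorCheck {
    // Root CA named in the thread; pass another CN as the first argument to check a different root.
    static final String DEFAULT_ROOT = "ISRG Root X1";

    /** Returns the matching trust anchor from the JVM's default trust store, or null if absent. */
    static X509Certificate findAnchor(String commonName) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // null selects the default trust store: javax.net.ssl.trustStore if set,
        // otherwise jssecacerts or cacerts under java.home.
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                // getName() is RFC 2253 form, e.g. "CN=ISRG Root X1,O=...,C=US"
                if (ca.getSubjectX500Principal().getName().contains("CN=" + commonName)) {
                    return ca;
                }
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String root = args.length > 0 ? args[0] : DEFAULT_ROOT;
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.home    = " + System.getProperty("java.home"));
        String ts = System.getProperty("javax.net.ssl.trustStore");
        System.out.println("trustStore   = " + (ts != null ? ts : "(JVM default)"));

        X509Certificate ca = findAnchor(root);
        if (ca == null) {
            System.out.println("NOT TRUSTED: no anchor with CN=" + root);
            System.exit(1);
        }
        boolean expired = ca.getNotAfter().before(new Date());
        System.out.println("Trusted anchor: " + ca.getSubjectX500Principal().getName());
        System.out.println("Valid until:    " + ca.getNotAfter() + (expired ? " (EXPIRED)" : ""));
        System.exit(expired ? 2 : 0);
    }
}
```

Exit status 0 means the root is trusted and unexpired, 1 means it is missing from the trust store this JVM uses, and 2 means it is present but expired.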