jenkinsci / juseppe

Jenkins Update Site Embedded for Plugin Publishing Easily
https://hub.docker.com/r/lanwen/juseppe/
Apache License 2.0

Signature failure #33

Closed spland30 closed 8 years ago

spland30 commented 8 years ago

Downloaded and installed latest Juseppe Update center. Default URL = http://spl-myserver-udc01/update-center.json

This works fine when I deploy using Tomcat. It fails miserably when I try to run using the built-in Winstone...

Click on Check Now button and it fails with the following error. It fails with certificate enabled and certificate disabled. Of course... that is not the default URL. This is really bad that there is no documentation on how to resolve this.

Signature verification failed in update site 'default'

SEVERE: ERROR: Signature verification failed in update site 'default'

java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:153)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at org.jvnet.hudson.crypto.CertificateUtil.validatePath(CertificateUtil.java:93)
at jenkins.util.JSONSignatureValidator.verifySignature(JSONSignatureValidator.java:76)
at hudson.model.UpdateSite.verifySignature(UpdateSite.java:225)

oleg-nenashev commented 8 years ago

Do you use https://wiki.jenkins-ci.org/display/JENKINS/UpdateSites+Manager+plugin ? This plugin supports disabling certificate checks for particular repos. Another option is to generate a proper certificate with supported anchors.

oleg-nenashev commented 8 years ago

For reference, there is an RFE for built-in untrusted certificate generation in #23

spland30 commented 8 years ago

Yes, I have this plugin installed and it fails with the same message with or without the check box enabled.

spland30 commented 8 years ago

This is the command I use to generate the certificate. As described above, Tomcat works, Winstone doesn't.

openssl genrsa -out $JUSEPPE_HOME/certs/juseppe-udc.key 2048 && openssl req -nodes -x509 -new -key $JUSEPPE_HOME/certs/juseppe-udc.key -out $JUSEPPE_HOME/certs/juseppe-udc.crt -days 1056

oleg-nenashev commented 8 years ago

Just to make sure... Do you have a correct Jenkins URL specified in global settings when you run in Winstone? And do you really use Winstone? The newest versions bundle Jetty by default.

spland30 commented 8 years ago

I'm using the Winstone version that is bundled with Jenkins 2.5

spland30 commented 8 years ago

The default URL and Custom update sites are set to the same URL http://spl-myserver-udc01/update-center.json. This is our internal only Update Center.

spland30 commented 8 years ago

We are running on Ubuntu 14.04 if that makes any difference...

spland30 commented 8 years ago

One other note. We are not using docker for juseppe. We have downloaded and compiled juseppe from the git repo.

spland30 commented 8 years ago

Sorry, one more piece of info. I run the update center on one image and the jenkins master on another image. The jenkins master fails with error listed above when running jenkins behind winstone/jetty.

spland30 commented 8 years ago

After wasting about a day poking around on this stuff, I finally got the stupid thing to work. The certificate for the default URL (defined by --webroot=/var/cache/jenkins/war) resides in /var/cache/jenkins/war/WEB-INF/update-center-rootCAs/jenkins-update-center-root-ca. I believe this is the certificate for the Jenkins central repository. I replaced this certificate with the certificate for our update center. And now it works. I'm not sure if this is top-secret information, but it would be really nice if someone documented this somewhere so nobody else wastes a day and a half trying to figure out what the issue is.
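The failure in this thread ("Path does not chain with any of the trust anchors") comes down to whether the certificate embedded in the update site's signature block can be chained to something in Jenkins' update-center-rootCAs directory. The script below is an added diagnostic, not code from juseppe or Jenkins: it reads the "certificates" list from update-center.json's signature block, fingerprints each one, and reports whether an identical certificate sits in the root-CA directory. For a self-signed signing certificate, as produced by the openssl command earlier in this thread, the anchor has to be that very certificate, so fingerprint equality is the right check; for an intermediate-signed certificate the script only tells you the leaf itself is not an anchor. The JSONP wrapper `updateCenter.post(...)` and the `demo()` inputs are assumptions and constructed placeholders, not real certificates.

```python
"""Check whether the certificate that signed an update-center.json is one of
the trust anchors in a Jenkins update-center-rootCAs directory.

Added example (not juseppe or Jenkins code). Assumptions: the JSON's
"signature" object carries a "certificates" list of base64 DER certificates,
and the file may be wrapped in the JSONP form updateCenter.post(...);
"""
import base64
import hashlib
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate (hex)."""
    return hashlib.sha256(der).hexdigest()


def pem_to_der(pem_text: str) -> List[bytes]:
    """Extract every certificate in a PEM file as DER bytes."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(pem_text)]


def load_trust_anchors(root_ca_dir: Path) -> Dict[str, str]:
    """Map SHA-256 fingerprint -> file name for every cert in the anchor dir.
    Files without PEM markers are treated as a single DER certificate."""
    anchors: Dict[str, str] = {}
    for path in sorted(root_ca_dir.iterdir()):
        if not path.is_file():
            continue
        data = path.read_bytes()
        ders = pem_to_der(data.decode("ascii", "ignore")) or [data]
        for der in ders:
            anchors[fingerprint(der)] = path.name
    return anchors


def signing_certs(update_center_text: str) -> List[bytes]:
    """Return the DER certs embedded in the signature block of
    update-center.json, stripping the JSONP wrapper if present (assumption)."""
    body = update_center_text.strip()
    prefix = "updateCenter.post("
    if body.startswith(prefix):
        body = body[len(prefix):].rstrip(");")
    doc = json.loads(body)
    return [base64.b64decode(c) for c in doc["signature"]["certificates"]]


def check_anchors(update_center_text: str,
                  root_ca_dir: Path) -> List[Tuple[str, Optional[str]]]:
    """For each signing certificate, return (fingerprint, matching anchor file
    or None). A None for the site's own self-signed cert explains the
    'does not chain with any of the trust anchors' error."""
    anchors = load_trust_anchors(root_ca_dir)
    return [(fingerprint(der), anchors.get(fingerprint(der)))
            for der in signing_certs(update_center_text)]


def demo() -> List[Tuple[str, Optional[str]]]:
    """Constructed input: placeholder byte strings stand in for DER certs.
    One is copied into the anchor directory, the other is not."""
    site_cert = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT-site"
    other_cert = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT-other"
    with tempfile.TemporaryDirectory() as tmp:
        root_dir = Path(tmp)
        pem = ("-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(site_cert).decode() + "\n"
               + "-----END CERTIFICATE-----\n")
        (root_dir / "juseppe-udc.crt").write_text(pem)
        uc_json = "updateCenter.post(" + json.dumps({
            "updateCenterVersion": "1",
            "signature": {"certificates": [
                base64.b64encode(site_cert).decode(),
                base64.b64encode(other_cert).decode()]},
        }) + ");"
        return check_anchors(uc_json, root_dir)


if __name__ == "__main__":
    for fp, anchor in demo():
        print(fp[:16], "->", anchor or "NO MATCHING TRUST ANCHOR")
```

Run it against the real files by calling `check_anchors(Path("update-center.json").read_text(), Path("/var/cache/jenkins/war/WEB-INF/update-center-rootCAs"))`; a signing certificate that reports no matching anchor is the one Jenkins will reject.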

oleg-nenashev commented 8 years ago

Sorry for not responding immediately - was at meetings. Could you please create a follow-up improvement issue?

Actually, I doubt that patching cached files is the right approach. Any cache cleanup/WAR update may wipe the changes.

lanwen commented 8 years ago

Here is some info about the place for certs: https://github.com/ikedam/backend-update-center2/wiki/How-to-create-your-own-Jenkins-Update-Center#put-your-certificate

But the Update Sites Manager plugin should solve the same issues on the fly. Dunno why it didn't work for you.

spland30 commented 8 years ago

Excellent! Thank you for the responses and the link. This is a much better link than what I was using.

Hermain commented 3 years ago

Did not work for me. Placing my company certs in either place didn't help.