Signature failure #33

Closed
spland30 opened this issue Jun 14, 2016 · 15 comments

@spland30

Downloaded and installed latest Juseppe Update center.
Default URL = http://spl-myserver-udc01/update-center.json

This works fine when I deploy using Tomcat. It fails miserably when I try to run using the built-in Winstone...

Click on Check Now button and it fails with the following error. It fails with certificate enabled and certificate disabled. Of course... that is not the default URL. This is really bad that there is no documentation on how to resolve this.


Signature verification failed in update site 'default'

SEVERE: ERROR: Signature verification failed in update site 'default' (show details)

java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:153)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at org.jvnet.hudson.crypto.CertificateUtil.validatePath(CertificateUtil.java:93)
at jenkins.util.JSONSignatureValidator.verifySignature(JSONSignatureValidator.java:76)
at hudson.model.UpdateSite.verifySignature(UpdateSite.java:225)

@oleg-nenashev
Member

Do you use https://wiki.jenkins-ci.org/display/JENKINS/UpdateSites+Manager+plugin ? This plugin supports disabling certificate checks for particular repos. Another option is to generate a proper certificate with supported anchors.

@oleg-nenashev
Member

For reference, there is an RFE for built-in untrusted certificate generation in #23.

@spland30
Author

Yes, I have this plugin installed and it fails with the same message with or without the check box enabled.

@spland30
Author

spland30 commented Jun 14, 2016

This is the command I use to generate the certificate. As described above, Tomcat works, Winstone doesn't.

openssl genrsa -out $JUSEPPE_HOME/certs/juseppe-udc.key 2048 && openssl req -nodes -x509 -new -key $JUSEPPE_HOME/certs/juseppe-udc.key -out $JUSEPPE_HOME/certs/juseppe-udc.crt -days 1056

@oleg-nenashev
Member

Just to make sure... Do you have a correct Jenkins URL specified in global settings when you run in Winstone? And do you really use Winstone? Newest versions bundle Jetty by default.

@spland30
Author

I'm using the Winstone version that is bundled with Jenkins 2.5.

@spland30
Author

The default URL and Custom update sites are set to the same URL http://spl-myserver-udc01/update-center.json. This is our internal only Update Center.

@spland30
Author

We are running on Ubuntu 14.04 if that makes any difference...

@spland30
Author

One other note. We are not using docker for juseppe. We have downloaded and compiled juseppe from the git repo.

@spland30
Author

Sorry, one more piece of info. I run the update center on one image and the Jenkins master on another image. The Jenkins master fails with the error listed above when running Jenkins behind Winstone/Jetty.

@spland30
Author

After wasting about a day poking around on this stuff, I finally got the stupid thing to work. The certificate for the default URL (defined by --webroot=/var/cache/jenkins/war) resides in /var/cache/jenkins/war/WEB-INF/update-center-rootCAs/jenkins-update-center-root-ca. I believe this is the certificate for the Jenkins central repository. I replaced this certificate with the certificate for our update center. And now it works. I'm not sure if this is top-secret information, but it would be really nice if someone documented this somewhere so nobody else wastes a day and a half trying to figure out what the issue is.
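
The check behind the fix described above, as an added example that is not part of the thread or of Juseppe/Jenkins code: for a self-signed certificate like the one generated with the openssl command earlier, the "does not chain with any of the trust anchors" error means that exact certificate is not among the anchor files, so comparing fingerprints exposes the mismatch without modifying anything. The `signature.certificates` layout (base64 DER) and the `updateCenter.post(...)` wrapper are assumptions about the metadata format; the function names and sample bytes are constructed for illustration.

```python
import base64, hashlib, json, os, ssl, tempfile

def signing_cert_fingerprints(update_center_text):
    """SHA-256 fingerprints of the certificates embedded in the metadata.

    Assumed layout: JSON (optionally wrapped in updateCenter.post(...);) with
    signature.certificates holding base64-encoded DER certificates.
    """
    start, end = update_center_text.find("{"), update_center_text.rfind("}")
    doc = json.loads(update_center_text[start:end + 1])
    certs = doc.get("signature", {}).get("certificates", [])
    return [hashlib.sha256(base64.b64decode(c)).hexdigest() for c in certs]

def anchor_fingerprints(anchor_dir):
    """Map SHA-256 fingerprint -> file name for each file in the anchor directory."""
    found = {}
    for name in sorted(os.listdir(anchor_dir)):
        with open(os.path.join(anchor_dir, name), "rb") as fh:
            data = fh.read()
        if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):  # PEM, else DER
            data = ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
        found[hashlib.sha256(data).hexdigest()] = name
    return found

def diagnose(update_center_text, anchor_dir):
    """Explain whether the metadata's signing certificate is itself a trust anchor."""
    signed_by = signing_cert_fingerprints(update_center_text)
    if not signed_by:
        return "unsigned: metadata carries no signature.certificates"
    anchors = anchor_fingerprints(anchor_dir)
    for fp in signed_by:
        if fp in anchors:
            return "trusted: signing certificate matches anchor " + anchors[fp]
    return "untrusted: no embedded certificate matches any anchor file"

def demo():
    # Constructed stand-in bytes, not real certificates: only byte equality matters here.
    own, other = b"constructed stand-in: juseppe-udc.crt", b"constructed stand-in: other root"
    meta = {"signature": {"certificates": [base64.b64encode(own).decode()]}}
    text = "updateCenter.post(\n" + json.dumps(meta) + "\n);"
    with tempfile.TemporaryDirectory() as anchors:  # plays the role of update-center-rootCAs
        with open(os.path.join(anchors, "other-root-ca"), "w") as fh:
            fh.write(ssl.DER_cert_to_PEM_cert(other))
        before = diagnose(text, anchors)
        with open(os.path.join(anchors, "juseppe-udc.crt"), "w") as fh:
            fh.write(ssl.DER_cert_to_PEM_cert(own))
        return before, diagnose(text, anchors)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A certificate issued by a separate CA would need real chain validation rather than a fingerprint match.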

@oleg-nenashev
Member

Sorry for not responding immediately - was at meetings.
Could you please create a follow-up improvement issue?

Actually, I doubt that patching cached files is the right approach. Any cache cleanup/WAR update may wipe the changes.

@lanwen
Member

lanwen commented Jun 14, 2016

Here is some info about the place for certs:
https://github.com/ikedam/backend-update-center2/wiki/How-to-create-your-own-Jenkins-Update-Center#put-your-certificate

But the Update Sites Manager plugin should solve the same issues on the fly. Dunno why it did not work for you.

@spland30
Copy link
Author

Excellent! Thank you for the responses and the link. This is a much better link than what I was using.

@Hermain

Hermain commented Mar 5, 2021

Did not work for me. Placing my company certs in either place didn't help.
