New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Jenkins is unable to contact update center #3634
Comments
Still a problem after #3637 and a full system package update + reboot. |
There were OS updates, including one for the JRE, so I applied them all and rebooted. @nodejs/build-infra any idea? |
Interesting. Do you know if this message started appearing just after the update to 2.440? (I'm going to be performing a similar update on another server tomorrow!) |
It happened before the update to 2.440.1. |
It looks like it's Java related somehow. On curl -sL https://updates.jenkins.io/update-center.json works. Using the example simple Java HTTPS Client from https://access.redhat.com/solutions/973783 (note I had to recompile the client with java JavaHttpsClient https://updates.jenkins.io/update-center.json 1 or (with debug info) java -Djavax.net.debug=all JavaHttpsClient https://updates.jenkins.io/update-center.json 1 fails. On FWIW I've placed the |
root@infra-digitalocean-ubuntu14-x64-1:~# lsb_release -d
Description: Ubuntu 22.04.4 LTS
root@infra-digitalocean-ubuntu14-x64-1:~# java -version
openjdk version "17.0.10" 2024-01-16
OpenJDK Runtime Environment (build 17.0.10+7-Ubuntu-122.04.1)
OpenJDK 64-Bit Server VM (build 17.0.10+7-Ubuntu-122.04.1, mixed mode, sharing)
root@infra-digitalocean-ubuntu14-x64-1:~# vs root@infra-ibm-ubuntu1804-x64-1:~# lsb_release -d
Description: Ubuntu 20.04.6 LTS
root@infra-ibm-ubuntu1804-x64-1:~# java -version
openjdk version "17.0.10" 2024-01-16
OpenJDK Runtime Environment (build 17.0.10+7-Ubuntu-120.04.1)
OpenJDK 64-Bit Server VM (build 17.0.10+7-Ubuntu-120.04.1, mixed mode, sharing)
root@infra-ibm-ubuntu1804-x64-1:~# Given that |
Examining the debug output javax.net.ssl|DEBUG|10|main|2024-03-08 13:09:40.048 EST|TrustStoreManager.java:162|Inaccessible trust store: /usr/lib/jvm/java-17-openjdk-amd64/lib/security/jssecacerts
javax.net.ssl|DEBUG|10|main|2024-03-08 13:09:40.049 EST|TrustStoreManager.java:113|trustStore is: /usr/lib/jvm/java-17-openjdk-amd64/lib/security/cacerts
trustStore type is: pkcs12
trustStore provider is:
the last modified time is: Tue Jun 20 16:36:33 EDT 2023
javax.net.ssl|DEBUG|10|main|2024-03-08 13:09:40.049 EST|TrustStoreManager.java:334|Reload the trust store
javax.net.ssl|DEBUG|10|main|2024-03-08 13:09:40.127 EST|TrustStoreManager.java:342|Reload trust certs
javax.net.ssl|DEBUG|10|main|2024-03-08 13:09:40.130 EST|TrustStoreManager.java:347|Reloaded 173 trust certs
javax.net.ssl|DEBUG|10|main|2024-03-08 18:08:59.022 UTC|TrustStoreManager.java:162|Inaccessible trust store: /usr/lib/jvm/java-17-openjdk-amd64/lib/security/jssecacerts
javax.net.ssl|DEBUG|10|main|2024-03-08 18:08:59.023 UTC|TrustStoreManager.java:113|trustStore is: /usr/lib/jvm/java-17-openjdk-amd64/lib/security/cacerts
trustStore type is: pkcs12
trustStore provider is:
the last modified time is: Fri May 26 06:13:49 UTC 2023
javax.net.ssl|DEBUG|10|main|2024-03-08 18:08:59.023 UTC|TrustStoreManager.java:334|Reload the trust store
javax.net.ssl|DEBUG|10|main|2024-03-08 18:08:59.112 UTC|TrustStoreManager.java:342|Reload trust certs
javax.net.ssl|DEBUG|10|main|2024-03-08 18:08:59.116 UTC|TrustStoreManager.java:347|Reloaded 129 trust certs Both try for an inaccessible (file isn't there
root@infra-digitalocean-ubuntu14-x64-1:/tmp/javahttpsclient# ls -al /usr/lib/jvm/java-17-openjdk-amd64/lib/security/cacerts
lrwxrwxrwx 1 root root 27 Jan 17 06:09 /usr/lib/jvm/java-17-openjdk-amd64/lib/security/cacerts -> /etc/ssl/certs/java/cacerts
root@infra-digitalocean-ubuntu14-x64-1:/tmp/javahttpsclient# ls -al /etc/ssl/certs/java/cacerts
-rw-r--r-- 1 root root 206799 Jun 20 2023 /etc/ssl/certs/java/cacerts
root@infra-digitalocean-ubuntu14-x64-1:/tmp/javahttpsclient#
root@infra-ibm-ubuntu1804-x64-1:/tmp/javahttpsclient# ls -al /usr/lib/jvm/java-17-openjdk-amd64/lib/security/cacerts
lrwxrwxrwx 1 root root 27 Jan 17 11:09 /usr/lib/jvm/java-17-openjdk-amd64/lib/security/cacerts -> /etc/ssl/certs/java/cacerts
root@infra-ibm-ubuntu1804-x64-1:/tmp/javahttpsclient# ls -al /etc/ssl/certs/java/cacerts
-rw-r--r-- 1 root root 150808 May 26 2023 /etc/ssl/certs/java/cacerts
root@infra-ibm-ubuntu1804-x64-1:/tmp/javahttpsclient# |
Yeah it looks like it's related to ubuntu system stuff. It seems to work ok with Temurin's 17.0.10 (and 21 - I've extracted both under your directory if you want to test). |
This issue was opened on 19 Feb. If I look at the certificates in my web browser for https://updates.jenkins.io/current/update-center.json
The JavaHttpsClient debug output shows both machines getting a two certificate chain. |
The size of $ ssh test-digitalocean-ubuntu2204-x64-1 ls -al /etc/ssl/certs/java/cacerts
-rw-r--r-- 1 root root 156996 Nov 6 12:45 /etc/ssl/certs/java/cacerts
$ ssh test-digitalocean-ubuntu2204-x64-2 ls -al /etc/ssl/certs/java/cacerts
-rw-r--r-- 1 root root 156996 Nov 6 12:48 /etc/ssl/certs/java/cacerts
$ ssh ci ls -al /etc/ssl/certs/java/cacerts
-rw-r--r-- 1 root root 206799 Jun 20 2023 /etc/ssl/certs/java/cacerts
$ |
I took a backup of (from https://askubuntu.com/a/1030380) sudo dpkg --purge --force-depends ca-certificates-java
sudo apt-get install ca-certificates-java This has replaced # ls -al /etc/ssl/certs/java/cacerts
-rw-r--r-- 1 root root 160820 Mar 11 13:53 /etc/ssl/certs/java/cacerts
# which still isn't the same size as the other Ubuntu 22.04 systems (🤷) but does allow I've restarted Jenkins on |
Amazing work, thank you! |
Full stack trace available on https://ci.nodejs.org/manage/pluginManager/advanced
BTW, the update site was
https://updates.jenkins.io/experimental/update-center.json
. I changed it tohttps://updates.jenkins.io/update-center.json
Note:
ci-release
is not affected.The text was updated successfully, but these errors were encountered: