[Jenkins-infra] Fwd: Ldap Maintenance: 2018/04/28 - 1PM UTC

[Olblak]

Hi,
This was already posted on the infra mailing list but to make it short, the ldap server will be on maintenance this Saturday at 1PM UTC.
More information below or irc #jenkins-infra

----- Original message -----
From: Olblak <m...@olblak.com>
To: jenkin...@lists.jenkins-ci.org
Subject: Ldap Maintenance: 2018/04/28 - 1PM UTC
Date: Thu, 19 Apr 2018 14:29:50 +0200

Hello,

I'll move the Ldap server on Azure on Saturday 28th of April at 1PM UTC.
During the migration, new accounts creation will be disabled
and you may face authentication issues on following services:
* Confluence - wiki.jenkins.io
* Jira - issues.jenkins.io
* Accountapp - accounts.jenkins.io
* Artifactory - repo.jenkins.io
* Jenkins - ci.jenkins.io

You can follow the state of the migration either on Jira (INFRA-1584) or irc (#jenkins-infra).

I'll send a message here when the migration is over.

Cheers
_______________________________________________
Jenkins-infra mailing list
Jenkin...@lists.jenkins-ci.org
http://lists.jenkins-ci.org/mailman/listinfo/jenkins-infra

[Olblak]

The migration is now over and the old server is stopped so all services are now using the new ldap.
Everything is now working as expected but if you notice something wrong, do not hesitate to open a jira ticket.


--
Olblak

> --
> You received this message because you are subscribed to the Google
> Groups "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to jenkinsci-de...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/1524754196.3981479.1351730736.49B870F4%40webmail.messagingengine.com.
> For more options, visit https://groups.google.com/d/optout.

[Nikolas Falco]

I can not login to JIRA issue tracker. I got this "Sorry, a communication error occurred while trying to contact the remote authentication server." on https://issues.jenkins-ci.org/login.jsp?os_destination=%2Fdefault.jsp

Same (quite the same) exception with on https://accounts.jenkins.io/login (with stacktrace ^^)

HTTP ERROR 500

Problem accessing /doLogin. Reason:

    Server Error

Caused by:

javax.servlet.ServletException: javax.servlet.ServletException: javax.naming.CommunicationException: simple bind failed: ldap.jenkins.io:636 [Root exception is javax.net.ssl.SSLKeyException: Invalid signature on ECDH server key exchange message]
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
	at org.eclipse.jetty.server.Server.handle(Server.java:561)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:334)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:104)
	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:247)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:140)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
	at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:243)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:679)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:597)
	at java.lang.Thread.run(Thread.java:748)
Caused by: javax.servlet.ServletException: javax.naming.CommunicationException: simple bind failed: ldap.jenkins.io:636 [Root exception is javax.net.ssl.SSLKeyException: Invalid signature on ECDH server key exchange message]
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:765)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
	at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:833)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
	at org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:206)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:219)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:126)
	... 14 more
Caused by: javax.naming.CommunicationException: simple bind failed: ldap.jenkins.io:636 [Root exception is javax.net.ssl.SSLKeyException: Invalid signature on ECDH server key exchange message]
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2791)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
	at javax.naming.InitialContext.init(InitialContext.java:244)
	at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
	at org.jenkinsci.account.Application.connect(Application.java:496)
	at org.jenkinsci.account.Application.doDoLogin(Application.java:512)
	at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
	at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
	... 38 more
Caused by: javax.net.ssl.SSLKeyException: Invalid signature on ECDH server key exchange message
	at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.<init>(HandshakeMessage.java:1117)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:284)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
	at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
	at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:426)
	at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:399)
	at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
	at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
	... 57 more

[Kazuhide Takahashi]

We could maintain wiki until LDAP maintenance was done, but at the end we could not do it on 26th Apr. 2018.

When logging in to "https://wiki.jenkins.io/" with my account, the following message is displayed, I can not even refer to most pages, not to mention page editing.

By the way, I am a maintainer of jenkins-xcode-plugin.

2018年4月26日木曜日 23時50分05秒 UTC+9 Olivier Vernin:

[Kazuhide Takahashi]

Problems that can not edit the page of "https://wiki.jenkins.io" several days ago have not been resolved yet.

I released the plugin on "maven.jenkins-ci.org", but I am in trouble because I can not reflect that information on wiki page.

Is this the impact of LDAP maintenance several days ago? Or is there another cause?

2018年5月1日火曜日 10時36分13秒 UTC+9 Kazuhide Takahashi:

[Daniel Beck]

> On 2. May 2018, at 12:04, Kazuhide Takahashi <kazuh...@linux-powered.com> wrote:
>
> I released the plugin on "maven.jenkins-ci.org", but I am in trouble because I can not reflect that information on wiki page.
> Is this the impact of LDAP maintenance several days ago? Or is there another cause?
>

The wiki is heavily cached to handle the load, so you might see an outdated page.

Metadata (For example latest version) on https://plugins.jenkins.io should be up to date (within a few hours at most), and wiki pages if you add ?anyQueryParameter.

[Kazuhide Takahashi]

I know that it takes time to reflect the results of the edits.

It took several hours for the previous edits to be reflected.

I wrote in the previous message, when editing a wiki page just prior to the release (26th Apr. 2018) it was possible to edit without problems.

But now, when I log in to "https://wiki.jenkins.io/" with my account, the message of the attached image be displayed as soon as I log in.

And I can not be able to see even pages that can be normally displayed If I log out.

2018年5月2日水曜日 19時16分23秒 UTC+9 Daniel Beck:

[Olivier Vernin]

Hello,

A small follow up with ldap issues from previous days.
Last Saturday, I migrated the Ldap server on the Kubernetes cluster and after a while, the Ldap server started handling Tls connections in a very weird way.
Connections on port 389 (not tls) were working as expected.
I couldn't find the root cause neither reproduce it in a sandbox environment so I decided to move from an alpine based image to Debian which use GnuTls instead of openssl.
The service is now running since 14h without any issues, I just tried to update a confluence page with success.
@Kazuhide can you give it a try again?
And sorry for the inconvenients

[Kazuhide Takahashi]

I tried and tried various things, but I still can not use the WiKi.

Somehow JIRA can use normally with the same account.

Since I disclose my jenkins account information in a direct message etc, will someone be able to analyze what is going on?

Additional notes

Also I could not create an issue on https://issues.jenkins-ci.org either.

According to the instructions of "Please read our JIRA guidelines before creating an issue",

I click on the link. Then I get an attached image error when trying to display the following URL.

"Https://wiki.jenkins.io/display/JENKINS/How+to+report+an+issue"

2018年5月3日木曜日 15時30分26秒 UTC+9 Olivier Vernin:

[Olivier Vernin]

Hi Kazuhide,
I opened  this ticket INFRA-1612 to keep track of this