certificate error on lts 2.235.2 (centos/red hat)

[Amit Dar]

While trying to download the 2.235.2 version of jenkins, I received the following error:

 

Error 503 certificate has expired

certificate has expired

Guru Mediation:

Details: cache-hhn4070-HHN 1595144217 4048092794

---

Varnish cache server

 

This happened on several devices, which means it is a server problem.

 

Am I doing something wrong?

[Tim Jacomb]

Yes it appears to have expired

 curl -kv https://pkg.origin.jenkins.io/

* Server certificate:
*  subject: CN=pkg.jenkins.io
*  start date: Apr 19 13:34:08 2020 GMT
*  expire date: Jul 18 13:34:08 2020 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify result: certificate has expired (10)

Likely needs someone with pkg.jenkins.io access to restart nginx

Thanks

Tim

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/8bcec729-7af1-4519-83ce-df5989174e25o%40googlegroups.com.

[Tim Jacomb]

The cert issue is fixed, thanks Olivier for doing it

Cheers

Tim

[Oleg Nenashev]

Thanks all for the quick fix!

You received this message because you are subscribed to the Google Groups "Jenkins Infrastructure" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkins-infr...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/jenkins-infra/CAH-3BifGHoB%2BZ3a3TmmrrRqP3YbmyP-q_rQOmj0BPmCu5JHFEg%40mail.gmail.com.

[Tony Noble]

Looks like the previous certificate expiry issues are still in place on the above host:

tmp>wget https://get.jenkins.io/war-stable/2.303.3/jenkins.war                        
--2021-12-08 17:02:03--  https://get.jenkins.io/war-stable/2.303.3/jenkins.war
Resolving get.jenkins.io (get.jenkins.io)... 52.167.253.43
Connecting to get.jenkins.io (get.jenkins.io)|52.167.253.43|:443... connected.
ERROR: cannot verify get.jenkins.io's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=R3’:
  Issued certificate has expired.
To connect to get.jenkins.io insecurely, use `--no-check-certificate'.
/tmp>

Is there anyone with access to take a look?

[Gavin Mogan]

Maybe someone restarted the service already. As far as I can tell is valid - https://www.sslshopper.com/ssl-checker.html#hostname=get.jenkins.io

--

You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAEWqh9HEpsGSvpDCStdcCrmWBD0tjfyO%3Da27SpdrQojk%3DRY%3DeA%40mail.gmail.com.

[Tony Noble]

Thanks - it looks like we might have something caching old certificates then.  Apologies for the false alarm...

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAG%3D_DusX9ZzHyvpAb%3D0MFNYjXov3cE9gseDHgY%2Bv1fXAn9JnnA%40mail.gmail.com.

[Mark Waite]

On Wednesday, December 8, 2021 at 10:16:28 AM UTC-7 Tony Noble wrote:

Thanks - it looks like we might have something caching old certificates then.  Apologies for the false alarm...

We've seen reports that older Java versions and older operating system versions may not support Server Name Indication (SNI) from TLS.

We've also seen reports that older Java versions and older operating system versions may not support the ISRG X1 root certificate from Let's Encrypt (see their blog post). 

The solution in both cases was to update the Java version and the operating system packages (like ca-certificates) to recent versions.

You may want to check that your operating system patches are current and that your Java version is current.

Mark Waite