How to use a custom Update Site without CA certificate?


Rafael Rezende

Mar 22, 2016, 12:16:09 PM
to Jenkins Developers
We maintain a corporate artifact repository for Jenkins plugins (developed internally) and a backend-update-center2* running to generate the update-center.json files...
Until now we were providing a certificate to generate the update site. That way, clients should comply by including the respective CA certificate in their own Jenkins filesystem.

It happens, though, that our server is in the same network as the clients, so that the CA certificate itself does not add any relevant degree of security.
Instead, it is quite annoying to be handling the certificate across servers, with many people struggling to make it work at first in their local areas just because they know nothing about these certificates.

Right now we are able to generate the update sites without the certificate. The backend-update-center2 runs just fine without them.
But when I try to use these update sites in my Jenkins instance I get the error message: No signature block found in update site 'jenkins'

I would like Jenkins to read from my custom update site without any certificate. Is there any way to tell Jenkins to skip the signature verification?
(I believe the CA certificate to the public update sites is embedded into Jenkins, right?)


* We use this fork from the original backend-update-center2, because it supports remote repositories other than the public Jenkins repo.

Daniel Beck

Mar 22, 2016, 1:16:14 PM
to jenkin...@googlegroups.com

On 22.03.2016, at 17:16, Rafael Rezende <rafael...@gmail.com> wrote:

> I would like Jenkins to read from my custom update site without any certificate. Is there any way to tell Jenkins to skip the signature verification?
> (I believe the CA certificate to the public update sites is embedded into Jenkins, right?)

You could set the dangerous and undocumented system property hudson.model.DownloadService.noSignatureCheck to 'true'.

The better alternative is to use the UpdateSites Manager Plugin to have a convenient UI to configure custom update sites, including certs.

In the future, please send questions on how to use Jenkins to the jenkinsci-users list.
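
An added example, not part of the thread or of Jenkins itself: a check an administrator could run over Jenkins launch configuration text to find places where the system property named in the reply above has been set, and whether the setting actually turns signature verification off. The function names and the sample configuration are constructed; the code assumes the property is read with Java's boolean parsing, so only a case-insensitive "true" disables the check.

```python
import re

PROP = "hudson.model.DownloadService.noSignatureCheck"
# Matches -D<PROP> with an optional =value; the value may be bare or quoted.
# The lookahead rejects longer property names that merely share the prefix.
_FLAG = re.compile(
    r"-D" + re.escape(PROP) + r"""(?![\w.])(?:=("[^"]*"|'[^']*'|[^\s"'<>]*))?"""
)


def audit_launch_config(text):
    """Return (line_number, value, check_disabled) for every active occurrence."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # shell-style comment, not an active setting
        for match in _FLAG.finditer(line):
            value = (match.group(1) or "").strip("\"'")
            # Assumption: Java boolean parsing, so a bare -D<PROP> (empty
            # value) or any value other than "true" leaves the check enabled.
            findings.append((number, value, value.lower() == "true"))
    return findings


def signature_check_disabled(text):
    """True if any active occurrence switches update site verification off."""
    return any(disabled for _, _, disabled in audit_launch_config(text))


# Constructed sample of a service defaults file (not taken from the thread).
SAMPLE = """\
# JAVA_ARGS="-Dhudson.model.DownloadService.noSignatureCheck=true"
JAVA_ARGS="-Djava.awt.headless=true -Dhudson.model.DownloadService.noSignatureCheck=TRUE"
JENKINS_ARGS="--httpPort=8080"
OTHER="-Dhudson.model.DownloadService.noSignatureCheck=false -Dhudson.model.DownloadService.noSignatureCheck"
"""

if __name__ == "__main__":
    for number, value, disabled in audit_launch_config(SAMPLE):
        state = "DISABLES signature check" if disabled else "no effect"
        print(f"line {number}: value={value!r} -> {state}")
```
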

Rafael Rezende

Mar 22, 2016, 1:33:38 PM
to Jenkins Developers, m...@beckweb.net
Sorry. I thought this was a question developers might have, rather than regular Jenkins users... Thanks for the advice!

If I'm not mistaken, the UpdateSites Manager Plugin is no longer usable in later releases of Jenkins, because of some security improvement in the core.
I'll double check.
Thanks for the hint about the noSignatureCheck!