repo.jenkins-ci.org certificate renewal

13 views
Skip to first unread message

Kohsuke Kawaguchi

unread,
Dec 12, 2023, 12:34:43 PM12/12/23
to jenkin...@googlegroups.com
Hi,

JFrog just contacted me that the certificate of repo.jenkins-ci.org will expire soon (12/19, a week from now) and that we should provide them a new certificate.

It looks to me that the current certificate was issued from my GoDaddy account 2 years ago. On GoDaddy I see that a renewal request was initiated Nov 18 -- not sure if this certificate is shared with others in the infra team and they initiated the process, or if this is some kind of automatic action by GoDaddy.

image.png

In any case, the domain ownership verification is currently still pending, and that has to be resolved first.

I just wanted to check if somebody from the infra team is already working on this? If not, I guess I shall try to work on adding the TXT record for domain ownership verification.


--
Kohsuke Kawaguchi

Kohsuke Kawaguchi

unread,
Dec 12, 2023, 12:48:02 PM12/12/23
to jenkin...@googlegroups.com
OK, looks like Jenkins DNS is now hand-managed in Azure, so I can't just provide a pull request to to add the TXT record.

Whoever has the power, here's the instruction and this I believe is the value of the record: 37vdk1n5ihnd474hlm060uiek6

Time is very limited, so thanks in advance for a speedy resolution of this.

Mark Waite

unread,
Dec 12, 2023, 12:57:57 PM12/12/23
to Jenkins Infrastructure
Thanks very much.  We detected the certificate expiration last week.  Damien has submitted a replacement certificate to JFrog through a support ticket to them.  Can you refer JFrog to the support ticket 277368 that has been opened by Damien?

Mark Waite

Kohsuke Kawaguchi

unread,
Dec 12, 2023, 1:34:30 PM12/12/23
to jenkin...@googlegroups.com
OK, perfect, it sounds like it's already in the capable hands, then. I don't understand why then JFrog kept contacting me about this, but it's certainly better than the other way around, so no complaints.

I'll leave this to Damien, and inform my contact at JFrog accordingly. Thanks!

On Tue, Dec 12, 2023 at 9:57 AM Mark Waite <mark.ea...@gmail.com> wrote:
Thanks very much.  We detected the certificate expiration last week.  Damien has submitted a replacement certificate to JFrog through a support ticket to them.  Can you refer JFrog to the support ticket 277368 that has been opened by Damien?

Mark Waite

--
You received this message because you are subscribed to the Google Groups "Jenkins Infrastructure" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkins-infr...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/jenkins-infra/989042d7-3c60-4d7b-85e5-2f473c15b6f8n%40googlegroups.com.

Damien Duportal

unread,
Dec 13, 2023, 11:56:12 AM12/13/23
to jenkin...@googlegroups.com
Thanks Kohsuke for letting us know!

If you are able to provide a Godaddy certificate, that would be awesome!

For the record, Azure resources are managed by Terraform. You can find the DNS definitions in here: https://github.com/jenkins-infra/azure-net/blob/main/dns.tf .
I'll take care of adding the DNS records for this validation.



Damien Duportal

unread,
Dec 13, 2023, 12:37:26 PM12/13/23
to jenkin...@googlegroups.com, Kohsuke Kawaguchi
@Kohsuke Kawaguchi
 
The DNS records has been applied:

- In DNS system:

$ dig +short TXT jenkins-ci.org
"d9g3op5gq2093d1q9kqc4mteqr"
"37vdk1n5ihnd474hlm060uiek6"
"v=spf1 mx ip4:199.193.196.24 ip4:140.211.15.0/24 ip4:140.211.8.0/23 ip4:173.203.60.151 ip4:140.211.166.128/25 include:sendgrid.net -all"


Can you let us know when you have a certificate?
I've sent a 90-days (Letsencrypt) certificate to JFrog yesterday in a support issue (#277368) so we ensure the 20 December deadline is met. We will proceed in installing the godaddy certificate as a second step if it is Ok for everyone (to avoid taking any risk).

Damien

Damien Duportal

unread,
Dec 15, 2023, 3:07:32 AM12/15/23
to jenkin...@googlegroups.com, Kohsuke Kawaguchi

For information, we've covered the most pressing matter: a new certificate has been installed in repo.jenkins-ci.org valdi until March 11 2024.

I let you confirm or decline if you can (and want) to generate a Godaddy certificate valid for 1 year for repo.jenkins-ci.org.
=> If yes, then we'll proceed to ask Jfrog to install it (but no emergency!)
=> If no, then we'll continue using Let's Encrypt certificate every 3 months until JFrog provides us with a feature for this


Thanks again for the careful help!

Damien

Kohsuke Kawaguchi

unread,
Dec 15, 2023, 12:40:50 PM12/15/23
to Damien Duportal, jenkin...@googlegroups.com
Thanks, and sorry for dropping off for a while, once again.

I created a new certificate from GoDaddy, picked up the email thread with JFrog, asked them to install the new certificate as a follow up. I've copied you as well.

Damien Duportal

unread,
Dec 17, 2023, 3:11:16 AM12/17/23
to Kohsuke Kawaguchi, jenkin...@googlegroups.com
Many many thanks Kohsuke for the great help and contribution here!


Reply all
Reply to author
Forward
0 new messages