Cannot update Jenkins on Debian due to certification problem

809 views
Skip to first unread message

Riccardo Foschia

unread,
Oct 5, 2021, 8:32:33 AM10/5/21
to Jenkins Users
Hi all,

I'm trying to update a Jenkins installation on Debian to the current
version 2.314 using

apt-get update
apt-get install jenkins

but calling apt-get update gives me the following error so apt-get
install fails also:

Fehl:8 https://pkg.jenkins.io/debian binary/ Release
server certificate verification failed. CAfile:
/etc/ssl/certs/ca-certificates.crt CRLfile: none
....
E: The repository 'https://pkg.jenkins.io/debian binary/ Release' does
no longer have a Release file.
N: Updating from such a repository can't be done securely, and is
therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user
configuration details.

The error for me looks like
https://issues.jenkins.io/browse/INFRA-1725
https://issues.jenkins.io/browse/INFRA-2685

Is there currently an issue with SSL certificate for
https://pkg.jenkins.io? Or is there another problem? What can I do?

Thanks in advance and kind regards,
Riccardo

--

META-LEVEL Software AG
Lyonerring 1
66121 Saarbrücken
Deutschland
Tel: +49 - 681 / 99687-0
Fax: +49 - 681 / 99687-99
Mail: in...@meta-level.de
Web: www.meta-level.de

Rechtsform: Aktiengesellschaft
Sitz: Saarbrücken
HR B Nr. 13 380 Amtsgericht Saarbrücken
USt-IdNr. DE 1 38 166667
Vorstände: Dipl.-Inform. Peter Badt und Dipl.-Inform. Peter Raber
Vorsitzender des Aufsichtsrats: Reinhard Kuhn

Mark Waite

unread,
Oct 5, 2021, 8:52:03 AM10/5/21
to Jenkins Users
Be sure that the ca-certificates package on your Debian distribution is current.  An older root certificate for Let's Encrypt expired Sep 30, 2021.  See https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ for more info

If you're running a Debian version that is no longer maintained (like Debian "wheezy") you may need to update your operating system or perform other more manual operations to recognize the root certificate.

Sinh Lam

unread,
Oct 5, 2021, 1:47:42 PM10/5/21
to jenkins...@googlegroups.com, Riccardo Foschia
This has something to do with one of the CA certs expiring on 09/30.  This caused a bit of a ruckus.  the solution that worked for me was removing the CA from the “active” list.  On Debian I believe there is a file /etc/ca-certificates.conf that you can modify and then run update-ca-certificates and it’ll get rid of it.

The other solutions (that didn’t work for me - I do however run ubuntu and not deb even though it’s an based on it) is to update the openssl package or the ca-certificates package.  Neither worked for me and I rather not muck with ssl libs on production systems if I don’t have to.  

mozilla/DST_Root_CA_X3.crt

That’s the cert that expired.  Just comment it out with an exclamation mark before you run the update command.

Hope this help.

Sinh
--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/d06ab08a-d78f-2a82-cca4-77312f72b16a%40meta-level.de.
Reply all
Reply to author
Forward
0 new messages