Hi, we’re using a Jenkins pod with slave pods (as a cloud w/ the Kubernetes plugin).
Our Git repo is Atlassian BitBucket, signed with Let’s Encrypt SSL.
As of last week, due to a change by Let’s Encrypt, our Jenkins cannot access BB repos and throws the error:
server certificate verification failed. CAfile: none CRLfile: none
According to the Let’s Encrypt website, one needs to update the CA trust files in the running OS.
Since we’re using a Jenkins pod, we cannot update the container OS. We tried to upgrade the Jenkins pod to the latest version (using Helm), but it didn’t help.
So now our R&D are stuck.
Urgent help needed. Thanks
Hi @avshimo, welcome to the LE community forum
If it can't be addressed on the client side, then all that is left is the server side.
[pending any change by the Jenkins folks]
Do you have access to make changes to the certificate chain served (server side)?
Hi @rg305,
Unfortunately, the Jenkins pod uses only the jenkins user with no root priv.
Where/How was the LE cert obtained and used?
I am now able to run the Jenkins pod with root priv.
How can I update the certificates (to include Let’s Encrypt)?
Please bear with me.
Are you on the client or the server?
My setup:
k8s Cluster (Vanilla) running Jenkins master pod (GitHub - jenkinsci/helm-charts: Jenkins community Helm charts).
Jenkins kubernetes plugin 1.30.1
Is that for the server side or the client side?
[I don't speak Jenkins]
Where would you like to try making changes?
OK. From an SSL POV, I am on the client side. BitBucket is the server.
I need to make the change on the client side.
For client side...
There are only really O/S-related updates.
Which O/S are those on?
Which version of OpenSSL do they use (if they use it)?
Which version of ca-certificates is in use?
It seems that I was able to manually add the certificate, and it solved the issue.
root@jenkins-0:/etc/ssl/certs# curl --verbose https://myorg.com/
- Trying 10.10.10.170:443...
- Connected to myorg.com (10.10.10.170) port 443 (#0)
- ALPN, offering h2
- ALPN, offering http/1.1
- successfully set certificate verify locations:
- CAfile: /etc/ssl/certs/ca-certificates.crt
- CApath: /etc/ssl/certs
- TLSv1.3 (OUT), TLS handshake, Client hello (1):
- TLSv1.3 (IN), TLS handshake, Server hello (2):
- TLSv1.2 (IN), TLS handshake, Certificate (11):
- TLSv1.2 (IN), TLS handshake, Server key exchange (12):
- TLSv1.2 (IN), TLS handshake, Server finished (14):
- TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
- TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
- TLSv1.2 (OUT), TLS handshake, Finished (20):
- TLSv1.2 (IN), TLS handshake, Finished (20):
- SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
- ALPN, server did not agree to a protocol
- Server certificate:
- subject: CN=myorf.com
- start date: Aug 10 06:47:29 2021 GMT
- expire date: Nov 8 06:47:27 2021 GMT
- subjectAltName: host "myorg.com" matched cert's "myorg.com"
- issuer: C=US; O=Let's Encrypt; CN=R3
- SSL certificate verify ok.
Thanks.
BTW, how do I check the certificate file version?
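The client-side checks asked about in this thread (OpenSSL version, ca-certificates version, and what the CAfile actually contains), as an added example that is not part of the thread. It assumes a Debian-style image with the openssl CLI and dpkg-query; the default root name "ISRG Root X1" is an assumption, since the thread does not name the missing CA.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a Debian-style image where the
# CAfile is the one shown in the curl output (/etc/ssl/certs/ca-certificates.crt).
BUNDLE="${BUNDLE:-/etc/ssl/certs/ca-certificates.crt}"

# Split the PEM bundle $1 into one file per certificate under directory $2.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%04d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# Print one line per certificate in bundle $1: "<ok|EXPIRED> <subject> (<notAfter>)".
audit_bundle() {
    tmp=$(mktemp -d) || return 1
    split_bundle "$1" "$tmp" || { rm -rf "$tmp"; return 1; }
    for pem in "$tmp"/cert-*.pem; do
        [ -f "$pem" ] || continue
        subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        enddate=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
        # -checkend 0 exits non-zero once the certificate's notAfter has passed.
        if openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
            state=ok
        else
            state=EXPIRED
        fi
        printf '%s %s (%s)\n' "$state" "$subject" "$enddate"
    done
    rm -rf "$tmp"
}

# Succeed if bundle $1 holds a certificate whose subject CN is exactly $2.
bundle_has_cn() {
    report=$(audit_bundle "$1") || return 1
    printf '%s\n' "$report" | grep -Fq -e "CN=$2," -e "CN=$2 ("
}

# Answer the thread's questions: OpenSSL version, ca-certificates version,
# expired entries, and whether root CN $1 is trusted (default is an assumption).
trust_summary() {
    want="${1:-ISRG Root X1}"
    openssl version
    command -v dpkg-query >/dev/null 2>&1 && dpkg-query -W -f='ca-certificates ${Version}\n' ca-certificates
    audit_bundle "$BUNDLE" | grep '^EXPIRED' || echo "no expired certificates in $BUNDLE"
    if bundle_has_cn "$BUNDLE" "$want"; then echo "trusted: $want"; else echo "MISSING: $want"; fi
}
```

Source the file inside the pod and run trust_summary; set BUNDLE to audit a different CA file.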
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.