Let's Encrypt certificate verification failed with Jenkins

Hi, we're using a Jenkins pod with slave pods (as a cloud with the Kubernetes plugin).
Our Git repo is Atlassian BitBucket, signed with Let's Encrypt SSL.
As of last week, due to a change by Let's Encrypt, our Jenkins cannot access BB repos and throws the error:
server certificate verification failed. CAfile: none CRLfile: none
According to the Let's Encrypt web site, one needs to update the CA trust files in the running OS.
Since we're using a Jenkins pod, we cannot update the container OS. We tried to upgrade the Jenkins pod to the latest version (using Helm), but it didn't help.
So now our R&D are stuck.
Urgent help needed. Thanks

1 Like

Hi @avshimo, welcome to the LE community forum :)

If it can't be addressed on the client side, then all that is left is the server side.
[pending any change by the Jenkins folks]
Do you have access to make changes to the certificate chain served (server side)?

Hi @rg305,
Unfortunately, the Jenkins pod uses only the jenkins user with no root priv.

@avshimo

Where/How was the LE cert obtained and used?

I am now able to run the Jenkins pod with root priv.
How can I update the certificates (to include Let's Encrypt)?

Please bear with me.
Are you on the client or the server?

My setup:

k8s Cluster (Vanilla) running Jenkins master pod (GitHub - jenkinsci/helm-charts: Jenkins community Helm charts).
Jenkins kubernetes plugin 1.30.1

Is that for the server side or the client side?
[I don't speak Jenkins]

Where would you like to try making changes?

OK. From an SSL POV, I am on the client side. BitBucket is the server.
I need to make the change on the client side.

For client side...
There are really only O/S-related updates.
Which O/S are those on?
Which version of OpenSSL do they use (if they use it)?
Which version of ca-certificates is in use?

It seems that I was able to manually add the certificate, and it solved the issue.

```
root@jenkins-0:/etc/ssl/certs# curl --verbose https://myorg.com/
* Trying 10.10.10.170:443...
* Connected to myorg.com (10.10.10.170) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=myorf.com
* start date: Aug 10 06:47:29 2021 GMT
* expire date: Nov 8 06:47:27 2021 GMT
* subjectAltName: host "myorg.com" matched cert's "myorg.com"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
```

Thanks.
BTW, how do I check the certificate file version?

1 Like
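Added example, not part of the thread: one way to confirm that a root certificate added by hand is really present in the bundle curl reports as its CAfile (`/etc/ssl/certs/ca-certificates.crt` in the output above), and to count bundle entries that have already expired. It assumes the `openssl` CLI is installed; the function names and the throwaway root generated by `make_constructed_root` are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.

# Write each certificate of PEM bundle $1 to its own file under directory $2.
split_bundle() {
  awk -v d="$2" '
    /-----BEGIN CERTIFICATE-----/ { if (f) close(f); n++; f = d "/" n ".pem" }
    f { print > f }' "$1"
}

# SHA-256 fingerprint of the single PEM certificate in file $1.
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit 0 if certificate $2 is present in bundle $1, 1 if not, 2 on error.
bundle_has_cert() {
  want=$(cert_fp "$2") && [ -n "$want" ] || return 2
  d=$(mktemp -d) || return 2
  split_bundle "$1" "$d"
  rc=1
  for c in "$d"/*.pem; do
    if [ -f "$c" ] && [ "$(cert_fp "$c")" = "$want" ]; then rc=0; break; fi
  done
  rm -rf "$d"
  return $rc
}

# Print how many bundle entries are already expired; details go to stderr.
expired_count() {
  d=$(mktemp -d) || return 2
  split_bundle "$1" "$d"
  n=0
  for c in "$d"/*.pem; do
    [ -f "$c" ] || continue
    if ! openssl x509 -in "$c" -noout -checkend 0 >/dev/null; then
      openssl x509 -in "$c" -noout -subject -enddate >&2
      n=$((n + 1))
    fi
  done
  rm -rf "$d"
  echo "$n"
}

# Constructed sample input: a throwaway self-signed root (CN $2) written to $1.
make_constructed_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -subj "/CN=$2" -days 2 2>/dev/null && rm -f "$1.key"
}
```

Inside the pod this would be called as `bundle_has_cert /etc/ssl/certs/ca-certificates.crt /path/to/added-root.pem`, where the second path is a placeholder for the certificate that was added.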

? ? ? ?
