SSL certificate for repo.jenkins-ci.org expires 2 Feb 2025

[MarkEWaite]

Service(s)

Artifactory

Summary

The SSL certificate for https://repo.jenkins-ci.org expires 2 Feb 2025. We need to renew it before the expiration date so that we do not disrupt Jenkins development.

Reproduction steps

1. Check the certificate expiration date of https://repo.jenkins-ci.org from a web browser or other tool, confirm that it is 2 Feb 2025

[dduportal]

Update:

• Last year renewal was tracked in SSL certificate for repo.jenkins-ci.org expires Dec 20, 2023 (9 days) #3843
• As discussed in the weekly team meetings:
  • We can generate certificate for the domain repo.jenkins-ci.org as we have full control of the DNS. But we cannot use HTTP domain validation as the whole webserver is managed by JFrog.
  • Using Let's Encrypt and certbot would provide us a 90 days certificate. It's fine as a fallback, but not sustainable as we cannot automate the installation in JFrog's platform.
  • We used to have @kohsuke generating a 1 year certificate for us using his Godaddy account (check SSL certificate for repo.jenkins-ci.org expires Dec 20, 2023 (9 days) #3843). We want to avoid burdening him as check which solutions we could have to generate these certificates on the team's own (e.g. with at least 2 person able to do it to avoid bus factor)
    • Using 1 year certificates means paying for it: we need to find the payment process and sponsoring

=> Consensus during meeting is that @MarkEWaite and I will try to generate a 1 year certificate and one of us will pay for it and be reimbursed by the available Jenkins project credit from non profit organization and/or CDF.

[dduportal]

New update: @MarkEWaite and I been able to generate a GoDaddy 1 year certificate, and it has been sent to JFrog support.

They should proceed to install it as soon as possible.

I'll report here later:

• JFrog Certificate status
• Details and documentation on the GoDaddy account we created and used.

[dduportal]

Godaddy account informations:

• We now have a Jenkins Infra team account at https://www.godaddy.com

  • Account username is jenkins-infra-team
  • Password is encrypted in SOPS: https://github.com/jenkins-infra/charts-secrets/commit/1c218aa441cb338cca4e5a601b804c0930883e4c (private link)
  • 2FA is enabled, the shared TOTP is encrypted in SOPS: - Password is encrypted in SOPS: https://github.com/jenkins-infra/charts-secrets/commit/1c218aa441cb338cca4e5a601b804c0930883e4c (private link)
    • 2FA requires the CLI oathtool and to be allowed to GPG-decrypt the shared TOTP. See documentation at https://github.com/jenkins-infra/runbooks/tree/main/shared-totp

• This account does not have credit card persisted: we can have different people buying one time using their PayPal or Credit Card in the future

=> @kohsuke is un-burdened and the bus factor is removed from him and from Mark or I.

[dduportal]

Got an answer from JFrog support. Good and bad news:

• Good news is that they published a feature to upload new certificates by ourselves:

  We actually allow for the management and renewal of SSL certificates through the MyJFrog portal now. Are you able to try renewing the certificate through MyJFrog? You can also manage your domains in the same portal.

• Bad (temporarily) news is that I can only access the portal in Read-Only. I see the certificate and domain setup documented in https://jfrog.com/help/r/myjfrog-portal/renew-an-ssl-certificate-in-myjfrog but I cannot write it. Sent them the elements and we'll wait.

[dduportal]

Update:

• I now have admin access to the Jfrog portal. 2FA is enabled on my account.
• Proceeding to renew the certificate immediately, and I'll report on details afterwars

[dduportal]

Update:

• @MarkEWaite and I had to rekey the certificate emitted by Godaddy as both of us removed the CSR and key originally authored by Godaddy (both of us assumed it was in the final ZIP file but it wasn't and we forgot to check).

  • Following instructions in https://www.godaddy.com/help/generate-a-csr-certificate-signing-request-5343, we generated a new key + CSR
  • Then we re-keyed the certificate: https://www.godaddy.com/help/rekey-my-certificate-4976
  • Note: the CSR key need to openssl rsa -in repo.jenkins-ci.org.key -out repo.jenkins-ci.org-new.key -traditional

• With the new certificate, key and CRT, we were able to renew the certificate in JFrog's UI:

  • Note: JFrog requires the key to be in RSA format: openssl rsa -in repo.jenkins-ci.org.key -out repo.jenkins-ci.org-new.key -traditional with OpenSSL v3.
  • Otherwise, we updated the 3 elements in their UI, and it tooks ~2 min to apply.

[dduportal]

Update:

• Certificate + CSR added to our encrypted vault: https://github.com/jenkins-infra/charts-secrets/commit/c41a3de86b2c68cc763d8e0fd7a47d6eef31f407
• Same for the CSR+key (on a distinct section): https://github.com/jenkins-infra/charts-secrets/commit/4f7e3030492b786ac40049cb850d8bd980345d82

Certificate is up to date in production:

$ echo -n Q | openssl s_client -servername "repo.jenkins-ci.org" -connect "repo.jenkins-ci.org:443" \
| openssl x509 -noout -dates
Connecting to 44.209.124.32
depth=0 CN=repo.jenkins-ci.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=repo.jenkins-ci.org
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=repo.jenkins-ci.org
verify return:1
DONE
notBefore=Jan 28 16:46:08 2025 GMT
notAfter=Jan 24 15:05:18 2026 GMT

• Updated the Calendar issue for next year

[dduportal]

Reopening as we see TLS errors:

 This server's certificate chain is incomplete. Grade capped to B. 

from https://www.ssllabs.com/ssltest/analyze.html?d=repo.jenkins%2dci.org&s=44.209.124.32 means we are missing an element in the certificate chain

[dduportal]

Fixed with:

• cat gd_bundle-g2-g1.crt adfd22c94fc6c3ab.crt >> repo.jenkins-ci.org.crt from the ZIP file provided by Godaddy (yes they do not provide the chained cert, and yes JFrog UI does not provide any warning or tests)

• Verified with echo q | openssl s_client -showcerts -connect repo.jenkins-ci.org:443 which has the root CRT, the intermediate and the repo.jenkins-ci.org CRT