Mark, Thank you for your response.
Yes I'm running Linux. (sorry for missing this information) I suspected the Let's Encrypt certificates earlier, so I've already added ISRG Root X1 (the issuer of Let's Encrypt) to the cacerts file. Nevertheless I just replaced my cacerts file with the one in the most recent java 8 release, restarted jenkins but did not help. The first plugin was downloaded successfully, the second failed as before. Actually what I don't understand is how downloading the very first plugin succeeds. It's consistently the first plugin which succeeds and the others fail. If downloading the other plugins fail due to a missing/expired Let's Encrypt certificate, the first one should also fail. It should not be able to connect to updates.jenkins.io at all. Also, I have a standalone application which I use to check the HTTP redirects and certificates, and this never fail to download the plugins (the URLs are taken from Jenkins log), even though I use the very same jre instance on the very same machine. My application use HttpsUrlConnection to download the files. I don't know whether Jenkins use the same or some framework. The other thing I don't see is how the "CN=Kubernetes Ingress Controller Fake Certificate, O=Acme Co" comes into the picture. According to the logs (see my original e-mail) the SSL handshake fails on this certificate, but I don't really see which server this certificate comes from. I've also checked the mirrorlist as you suggested. All mirrors listed in the response look good, that is have a valid certificate chain according to my cacerts file. -- Tamas On Friday, November 19, 2021 at 6:34:17 PM UTC+1 Mark Waite wrote: > I think that the output of > https://updates.jenkins.io/latest/antisamy-markup-formatter.hpi?mirrorlist > will show that your location may be served by multiple Jenkins mirrors. > > You can then check each of the mirrors to identify if one of them is > responding with an incorrect SSL certificate. > > It could also be that the JDK on your Jenkins controller or the > ca-certificates package on your Jenkins controller are too old to recognize > the September 2021 updates to Let's Encrypt root certificates. I suspect > that Java 11.0.1+13-LTS on the controller likely indicates that the > ca-certificates package is also similarly out of date (assuming you're > running Linux). Update the packages on your controller so that you have > the latest security fixes for Java and for the operating system. > > Mark Waite > > > On Friday, November 19, 2021 at 10:26:26 AM UTC-7 you wrote: > >> Hello, >> >> When I try updating plugins, the very first plugin gets downloaded >> successfully, but the subsequent ones fail to download. >> >> [image: Jenkins.png] >> According to *Details* the SSL handshake fails due to a certificate >> error: >> >> -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/c4293fc2-ba65-4bfd-9fce-91813868d744n%40googlegroups.com.
