GetBadges notification broken

Description

getbadges.io changed their certificate yesterday. This is causing webhook to fail as Java does not trust this cert:

10:14:15 Failed to notify endpoint with url 'https://ovirt-ovirt-engine.getbadges.io/api/app/webhook/66f43bb2-6b98-4aab-8d1a-7acca6704dab' - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Jenkins was updated yesterday as well so Java is the latest version. We may need to disable this webhook in order not to confuse users with irrelevant stack traces

Sample jobs:
http://jenkins.ovirt.org/job/jenkins_master_check-patch-el7-x86_64/2798/console
http://jenkins.ovirt.org/job/jenkins_master_check-patch-fcraw-x86_64/12/console
Both of them failed for other reasons, but the stack trace at the end is misleading and confusing.

More info on the certificate:
Issued To
Common Name (CN) *.getbadges.io
Organizational Unit (OU) Domain Control Validated

Issued By
Common Name (CN) AlphaSSL CA - SHA256 - G2
Organization (O) GlobalSign nv-sa
Organizational Unit (OU) <Not Part Of Certificate>

Validity Period
Issued On Wednesday, October 11, 2017 at 2:31:02 PM
Expires On Friday, October 12, 2018 at 2:31:02 PM

Fingerprints
SHA-256 Fingerprint C4 06 EB 35 C4 CF CB FB 6E 0B CF 2D E3 39 5E E8 94 03 2F 7C 5D E6 8A B6 F7 EE C6 1E 05 89 C8 7D
SHA-1 Fingerprint DF 87 99 7E 0A E7 98 21 D4 13 9A 49 BE 86 1C 87 6B A0 BA 5B

Activity

Show:
Evgheni Dereveanchin
October 16, 2017, 8:29 AM
Edited

Just some more info on where I expect this error to come from:

  • java should use $JAVA_HOME/lib/security/cacerts file as its trust store

  • in our case, this is a symlink:
    /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/lib/security/cacerts -> ../../../../../../../etc/pki/java/cacerts

  • this file is owned by ca-certificates
    rpm -qf /etc/pki/java/cacerts
    ca-certificates-2017.2.14-71.el7.noarch

  • this file does not contain the intermediate CA, just the top one:
    keytool -v -list -keystore /etc/pki/java/cacerts | grep -e "52:A4:1D:82:9C" -e "58:94:9C:F9:EC"
    Enter keystore password: changeit
    SHA1: B1:BC:96:8B4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C

This means that the web server does not send the full trust chain, and Jenkins cannot reconstruct it. It is a web server misconfiguration, as confirmed by SSL tests:
https://www.ssllabs.com/ssltest/analyze.html?d=ovirt-ovirt-engine.getbadges.io&latest

Sent this info to GetBadges as it should be fixed on their side.

Eyal Edri
December 25, 2017, 3:51 PM

I still see exceptions happening on jenkins jobs, if we didn't get any reply, I suggest to remove completely the integration with Jenkins.

Evgheni Dereveanchin
January 16, 2018, 11:27 AM

There was no response and GetBadges still provides an incomplete trust chain on their web servers. We should remove the broken integration, not sure how that is achieved and which of the jobs currently have it.

Eyal Edri
January 16, 2018, 11:33 AM

The definition should be in the Jenkins repo YAML code, we should remove the notification-url string from the projects and the definition from the YAML template, let me know if you need help with it.

Evgheni Dereveanchin
February 27, 2018, 4:06 PM

As there is no response from GetBadges and their certificate chain is still broken, I've submitted a patch to remove existing integrations.

Assignee

Evgheni Dereveanchin

Reporter

Evgheni Dereveanchin

Blocked By

waiting for GetBadges to fix certificates

Components

Priority

High
Configure