Jenkins update center certificate rotation

On the 29th of March 2021, we’ll rotate the Jenkins update center certificate. The existing certificate expires in April 2021. When the new certificate is installed on March 29, 2021, Jenkins versions older than 2.178 (April 2018), won’t be able to communicate with the default and experimental update centers. Instances using alternative update centers (self-hosted or vendor-provided) will not be affected by this change. Regarding plugins update, the update-center usually supports up to one-year-old Jenkins core versions with 2.204 being the oldest version supported.

If you don’t update regularly, please review the Jenkins security advisories and use this change as your motivation to update to a more recent Jenkins version.

Who

Jenkins users running Jenkins versions older than 2.178 will not see any further updates after the update center certificate change March 29, 2021.

Jenkins developers will not see plugin updates when they use mvn hpi:run to test their plugin if the Jenkins version is older than 2.178. Plugin developers can update their minimum Jenkins version to a newer Jenkins version. Refer to the guidelines in "Choosing a Jenkins version" when selecting the new minimum Jenkins version. Plugin developers may also be able to test with a newer Jenkins version using arguments like mvn -Djenkins.version=2.249.1 hpi:run.

Jenkins users running versions 2.178 or newer are not affected by this change.

What

Jenkins uses the update center to identify updates to core and to plugins. The service signs its metadata with a certificate that is cross-signed by a root certificate. Jenkins is bundled with the root certificate so it can confirm the authenticity of update center data. When updates are available, an alert is shown to Jenkins users that reminds them to update.

Why

The root certificate bundled in Jenkins was created in April 2011 and will expire in April 2021. We prepared for this rotation in April 2018 when we bundled the new root certificate with Jenkins core releases. It’s now time to use the new root certificate with a new update center certificate. The new root certificate will expire in April 2028.

You can follow the work for this certificate rotation in this ticket INFRA-2902

So again, keep your instance updated and everything should be fine.

See you in 2028,

Various Links:

About the Author
Olivier Vernin

Olivier is the Jenkins infrastructure officer and Senior Operations Engineer at CloudBees. As a regular contributor to the Jenkins infrastructure projects, he works on a wide range of tasks from services reliability to applications maintenance.