Alex Conner

Reputation: 260

Jenkins refuses to update Plugins over HTTPS when behind proxy, gives 403

Our Jenkins environment is behind a proxy that requires all traffic to be via HTTPS and also on a whitelisted domain. We finally got our tickets to whitelist https://updates.jenkins.io/ and https://updates.jenkins-ci.org/. These URLs validate successfully when we set up our proxy configuration in Jenkins and test. We can view update information and get update notifications.

Yet when we try to update a plugin, in this example the Active Directory Plugin, it refuses to use the HTTPS URLs for the Jenkins update links. You can see Jenkins find internet connectivity and update center connectivity, but it fails and for some reason decides to use a non-HTTPS mirror for the updates:

[screenshot]

We have tried using the UpdateSites Manager Plugin to specify update sites: [screenshot]

Why isn't Jenkins trying to use the URLs we specify?

Upvotes: 3

Views: 11119

Answers (2)

Daniel Holmes

Reputation: 402

Your problem is worse than that. The original download request will be for the updates.jenkins.io update site, but usually the actual plugin downloads will redirect around to a mirror/CDN type location hosted elsewhere on a different domain. If you run a curl command on an hpi file download link, you will see a series of 302 redirects until you reach the actual file.

See this article for an explanation of this issue: https://www.north-47.com/knowledge-base/update-jenkins-plugins-behind-a-corporate-proxy/

Upvotes: 1

chenrui

Reputation: 9866

The root cause is with the plugin download URL, not the metadata link (https://updates.jenkins.io/ and https://updates.jenkins-ci.org/), although you need to do HTTPS communications with those domains.

    "active-directory": {
      "buildDate": "Jun 22, 2017",
      "compatibleSinceVersion": "2.0",
      "dependencies": [
        {
          "name": "mailer",
          "optional": false,
          "version": "1.5"
        }
      ],
      "developers": [
        {
          "developerId": "kohsuke",
          "name": "Kohsuke Kawaguchi"
        },
        {
          "developerId": "fbelzunc",
          "name": "Felix Belzunce Arcos"
        }
      ],
      "excerpt": "Enables authentication through Active Directory",
      "gav": "org.jenkins-ci.plugins:active-directory:2.6",
      "labels": [
        "user"
      ],
      "name": "active-directory",
      "previousTimestamp": "2017-06-20T10:22:20.00Z",
      "previousVersion": "2.5",
      "releaseTimestamp": "2017-06-22T12:54:26.00Z",
      "requiredCore": "1.554.1",
      "scm": "https://github.com/jenkinsci/active-directory-plugin",
      "sha1": "yihOF0cMc3V3ScLklIcq+6zNXlA=",
      "title": "Jenkins Active Directory plugin",
      "url": "http://updates.jenkins-ci.org/download/plugins/active-directory/2.6/active-directory.hpi",
      "version": "2.6",
      "wiki": "https://plugins.jenkins.io/active-directory"
    },

As you can see, the download link uses http://

"url": "http://updates.jenkins-ci.org/download/plugins/active-directory/2.6/active-directory.hpi",

So if you do the connectivity test, you will get an error (while in my case, it is a success). [screenshot: My Jenkins Connectivity Test]

The possible solution is to set up some proxy server to avoid the direct HTTP communication.

How it works:

  1. The proxy server is outside your firewall, you do HTTPS with authentication to that proxy server
  2. The proxy server will still use HTTP to download those plugins

Let me know if this helps!

Upvotes: 1
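
An added example, not part of either answer and not Jenkins code: a Python script that audits update-center metadata for plugin download URLs the proxy policy from the question would block, and checks a downloaded .hpi against the entry's `sha1` field. It assumes the metadata has a top-level `plugins` map, may be wrapped in `updateCenter.post(...);`, and stores the SHA-1 digest base64-encoded; the `example-a` and `example-b` entries and the host `mirror.example.org` are constructed.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Hosts the question says were allowlisted on the corporate proxy.
ALLOWED_HOSTS = {"updates.jenkins.io", "updates.jenkins-ci.org"}

# Constructed sample: the first entry reuses fields quoted in the answer above;
# the other two plugins and the mirror host are hypothetical.
SAMPLE = """updateCenter.post(
{"plugins": {
 "active-directory": {"sha1": "yihOF0cMc3V3ScLklIcq+6zNXlA=", "url":
  "http://updates.jenkins-ci.org/download/plugins/active-directory/2.6/active-directory.hpi"},
 "example-a": {"url": "https://updates.jenkins.io/download/plugins/example-a/1.0/example-a.hpi"},
 "example-b": {"url": "https://mirror.example.org/plugins/example-b/1.0/example-b.hpi"}
}}
);"""

def load_update_center(text):
    """Parse update-center metadata, dropping a JSONP wrapper if one is present."""
    start, end = text.find("{"), text.rfind("}")
    if start < 0 or end < start:
        raise ValueError("no JSON object found in update-center text")
    return json.loads(text[start:end + 1])

def audit_plugin_urls(metadata, allowed_hosts=ALLOWED_HOSTS):
    """Return {plugin: [reasons]} for download URLs the proxy policy would block."""
    findings = {}
    for name, entry in sorted(metadata.get("plugins", {}).items()):
        parts = urlsplit(entry.get("url", ""))
        reasons = []
        if parts.scheme != "https":
            reasons.append(f"scheme is {parts.scheme or 'missing'}, not https")
        if parts.hostname not in allowed_hosts:
            reasons.append(f"host {parts.hostname} is not allowlisted")
        if reasons:
            findings[name] = reasons
    return findings

def sha1_matches(data, expected_b64):
    """Check downloaded .hpi bytes against the base64 SHA-1 from the metadata."""
    digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
    return hmac.compare_digest(digest, expected_b64)

if __name__ == "__main__":
    for plugin, why in audit_plugin_urls(load_update_center(SAMPLE)).items():
        print(plugin, "->", "; ".join(why))
```

The audit only sees the URLs listed in the metadata; the hosts reached through the 302 redirects described in the first answer are not in that file and have to be collected separately.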
