Issue
-
When accessing Manage Jenkins page, I get notified that
All attempts to retrieve security information have failed. In case it keeps happening, Security Warning Monitor will be disabled. Please visit the Documentation Site to see how to proceed.:
In addition, the jenkins log files repeatedly reports the errors:
SEVERE c.c.j.p.a.m.SecurityWarningDataProvider$SecurityWarningsRestClient#get: SECURITY-WARNING_ERROR: (All attempts to retrieve security information have failed. In case it keeps happening, Security Warning Monitor will be disabled) java.util.concurrent.ExecutionException thrown: java.io.IOException: Remotely Closed
Environment
-
CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller
-
CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
-
CloudBees CI (CloudBees Core) on traditional platforms - Client controller
-
CloudBees CI (CloudBees Core) on traditional platforms - Operations Center
Related Issue(s)
-
BEE-2912: Remove async-http-client from Assurance Plugin
-
BEE-29387: Proxy authentication fails from the Beekeeper SecurityWarningDataProvider
Resolution
Validate that the CloudBees CI Instance can reach out to https://beekeeper-server.cloudbees.com/api/security-warnings. For example run curl -IL https://beekeeper-server.cloudbees.com/api/security-warnings from the host running CloudBees CI and make sure it responds with status 200:
$ curl -IL https://beekeeper-server.cloudbees.com/api/security-warnings HTTP/2 200 [...]
If inside a corporate network or using a forward HTTP Proxy, ensure that the host beekeeper-server.cloudbees.com and/or URL https://beekeeper-server.cloudbees.com/api/security-warnings are allowlisted. As per the list of Required URLs to allow.
Known Limitations
Prior to version 2.319.3.3, the client library used to reach out to the Beekeeper Server to retrieve Security Warnings details does not support SNI. This is captured as BEE-2912: Remove async-http-client from Assurance Plugin. Although the end server does not require it, it is a common practice to enforce SNI in a corporate network. To check on this, run openssl s_client -noservername -connect licenses.cloudbees.com:443 and make sure it can connect:
$ openssl s_client -noservername -connect licenses.cloudbees.com:443 CONNECTED(00000006) [...]
If that does not work, a component in the network is most likely enforcing SNI and dropping packets without SNI. The workaround is to work with the team managing the Infrastructure to relax the SNI enforcement for beekeeper-server.cloudbees.com.
CloudBees CI supports SNI as of version 2.319.3.3. BEE-2912: Remove async-http-client from Assurance Plugin has been fixed.
Workaround
WARNING i.j.p.o.a.i.JenkinsProxyAuthenticator#authenticate: The proxy authentication scheme is not supported: <scheme different from Basic>
If https://beekeeper-server.cloudbees.com/api/security-warnings can be reached via curl and the the original warning can still be found in the jenkins log, a workaround is to install the incremental version of okhttp-api plugin built for Improve the proxy authenticator #81.