Jenkins cannot access update server via https

After doing an install of jenkins, it thinks it is offline. After a bit of googling, and following suggestions for similar errors, I found that modifying /var/snap/jenkins/99/hudson.model.UpdateCenter.xml and switching the url from https to plain old http, then Jenkins was able to find plugins and updates.

More goolging reveals this is because Java cannot find and certificate authorities to verify SSL connections.

Which finally led me to spot that line 53 of the snapcraft.yaml is deliberately removing the cacerts directory from the snap (

Are snapped Java apps supposed to be discovering these certs from somewhere else?

Using git blame, it seems that this change was introduced from this PR:

I suspect that the certificates aren’t actually available in the snap given the commit/PR description, and likely the needed certs have to come either from the core snap, or from a stage-packages. I don’t recall all of the stage-packages that the jdk plugin adds, but for one of the snaps I help maintain that uses Java, we use openjdk-8-jdk stage package for other reasons and it seems to have certificates located here:

# cd $SNAP
# ls -la usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts
lrwxrwxrwx 1 root root 47 Dec 11 04:47 usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -> ../../../../../../../etc/ssl/certs/java/cacerts
# ls etc/ssl/certs/java/cacerts

Since this seems to be @popey’s snap, pinging him may help…

Hah! It’s only my snap because I touched it last :slight_smile:

Pull requests most welcome, of course. I am also of a mind that this snap should really be classic, given how jenkins can often be used to call out to other random binaries, and being confined will limit its usefulness. What do you think?

1 Like

Does classic effect how the snap is installed (I’m very new to how they are packaged)?

Is this two separate issues - would it be best to revisit the change in pull/10 and fix the symlink instead of just removing it. Once Jenkins seems happier, then re-visit if it should be classic or not?