java - Jenkins "unable to find valid certification path to requested target" error while importing Git repository

Question

I'm trying to build a Git repo from Jenkins using the Jenkins Git Plugin on my laptop. The Git repo resides on company trusted server which has self-signed certificates. While specifying the URL I'm always getting an error:

Failed to connect to repository : sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

I understand this error surfaces due to self-signed certificates but the server belongs to my company and is signed by authority.

I also tried to import the same repo from another laptop using self-signed and keep getting the same error.

Any help will be appreciated

Answer 1

That error is a common error message reported by the Java Virtual Machine. This is caused when the Java environment does not have information about the HTTPS server to verify that it is a valid website. Sometimes the certificate is provided by an internal Root CA or is a Self-Signed Certificate. This sometimes can confuse the JVM as it is not one of the ones on the Java “trusted” list who can provide these certificates.

Because we know that the certififcate is “valid” we can import this certificate directly into the JVM. In doing so, we tell the JVM that this is is a “trusted” certificate and to “ignore” any issues with it.

You will need to add the certificate to your Java Certificate Authority file. For an Debian/Ubuntu Linux machine, that's usually located here:

$JAVA_HOME/jre/lib/security/cacerts

However, you don't want to add it to the JRE cacert keystore because it will be overwritten/rewritten by the JRE, so it's best to duplicate this file for Jenkins.

• $JAVA_HOME - This should be the location of where your current java home is. If you only have the Java Runtime Environment (JRE) installed, then you can replace $JAVA_HOME/jre with the $JRE_HOME.

• $ALIAS - This can be any value. It is a value to distinguish this certificate from others. Example would be “git-repo”, or “artifact server”.

• $JENKINS_HOME - This is the path to your Jenkins home. Often /var/lib/jenkins.

You can import the certificate into your JVM cacerts file using the following commands. -- In your Jenkins master. Obtain the certificate, copy the JVM keystore for Jenkins, import the certificate into the keystore, add the trusted keystore to the Jenkins startup parameters and restart Jenkins.

# Import certificate
openssl s_client -showcerts -connect https://your-target-server
< /dev/null 2> /dev/null | openssl x509 -outform PEM > ~/root_ca.pem

# Duplicate Java Keystore file and move into Jenkins...
mkdir $JENKINS_HOME/keystore/
cp $JAVA_HOME/jre/lib/security/cacerts $JENKINS_HOME/keystore/

# Add Certificate to Keystore
keytool -import -alias $ALIAS -keystore $JENKINS_HOME/keystore/cacerts -file ~/root_ca.pem

# Add -Djavax.net.ssl.trustStore=$JENKINS_HOME/keystore/cacerts to the
# Jenkins startup parameters. For Debian/Ubuntu, this is /etc/default/jenkins
echo 'JAVA_ARGS="$JAVA_ARGS -Djavax.net.ssl.trustStore=$JENKINS_HOME/keystore/cacerts"'
>> /etc/default/jenkins

sudo service jenkins restart

Reference Help:

• PKIX path building failed error message
• How to install a new SSL Certificate in Jenkins
• How to add Java arguments to Jenkins