65

I'm trying to build a Git repo from Jenkins using the Jenkins Git Plugin on my laptop. The Git repo resides on a company trusted server which has self-signed certificates. While specifying the URL I'm always getting an error:

Failed to connect to repository : sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

I understand this error surfaces due to self-signed certificates but the server belongs to my company and is signed by authority.

I also tried to import the same repo from another laptop using self-signed and keep getting the same error.

Any help will be appreciated

U880D
user2118245
  • https://stackoverflow.com/a/47820334/11905599 Answer from Sairam Krish worked for me. – Neeraj Mundada Apr 29 '20 at 01:25
  • for me, root cause is [certificate](https://stackoverflow.com/questions/34110426/does-java-support-lets-encrypt-certificates). And [this script](https://gist.github.com/EHJ-52n/aeb071aa334339a41a990859e25aeef0) helps – XoXo Dec 10 '20 at 17:19

24 Answers

45

That error is a common error message reported by the Java Virtual Machine. This is caused when the Java environment does not have information about the HTTPS server to verify that it is a valid website. Sometimes the certificate is provided by an internal Root CA or is a Self-Signed Certificate. This sometimes can confuse the JVM as it is not one of the ones on the Java “trusted” list who can provide these certificates.

Because we know that the certificate is “valid” we can import this certificate directly into the JVM. In doing so, we tell the JVM that this is a “trusted” certificate and to “ignore” any issues with it.

You will need to add the certificate to your Java Certificate Authority file. For a Debian/Ubuntu Linux machine, that's usually located here:

$JAVA_HOME/jre/lib/security/cacerts

However, you don't want to add it to the JRE cacert keystore because it will be overwritten/rewritten by the JRE, so it's best to duplicate this file for Jenkins.

  • $JAVA_HOME - This should be the location of where your current java home is. If you only have the Java Runtime Environment (JRE) installed, then you can replace $JAVA_HOME/jre with the $JRE_HOME.

  • $ALIAS - This can be any value. It is a value to distinguish this certificate from others. Example would be “git-repo”, or “artifact server”.

  • $JENKINS_HOME - This is the path to your Jenkins home. Often /var/lib/jenkins.

You can import the certificate into your JVM cacerts file using the following commands on your Jenkins master: obtain the certificate, copy the JVM keystore for Jenkins, import the certificate into the keystore, add the trusted keystore to the Jenkins startup parameters and restart Jenkins.

# Obtain the certificate (-connect takes host:port, not a URL)
openssl s_client -showcerts -connect your-target-server:443 \
< /dev/null 2> /dev/null | openssl x509 -outform PEM > ~/root_ca.pem

# Duplicate Java Keystore file and move into Jenkins...
mkdir -p "$JENKINS_HOME/keystore/"
cp "$JAVA_HOME/jre/lib/security/cacerts" "$JENKINS_HOME/keystore/"

# Add Certificate to Keystore
keytool -import -alias "$ALIAS" -keystore "$JENKINS_HOME/keystore/cacerts" -file ~/root_ca.pem

# Add -Djavax.net.ssl.trustStore=$JENKINS_HOME/keystore/cacerts to the
# Jenkins startup parameters. For Debian/Ubuntu, this is /etc/default/jenkins
# (the single quotes keep $JAVA_ARGS and $JENKINS_HOME literal in that file)
echo 'JAVA_ARGS="$JAVA_ARGS -Djavax.net.ssl.trustStore=$JENKINS_HOME/keystore/cacerts"' \
>> /etc/default/jenkins

sudo service jenkins restart

Reference Help:

darrenp
Highway of Life
  • I am trying to start jenkins from my local machine and getting this error, which makes it unable to download any plugins. I followed these steps with the GlobalSign.cer and it did not fix it. Is there a different certificate I am supposed to be adding to the `cacerts` file? One to the jenkins plugin server perhaps? – prismofeverything Jul 19 '18 at 18:44
  • 3
    Nope no good for me the first command throws an exception `1995423744:error:20087002:BIO routines:BIO_lookup:system lib:../crypto/bio/b_add r.c:694:Servname not supported for ai_socktype connect:errno=0` – JRSofty Feb 24 '19 at 18:38
  • 9
    This is the right solution. I had to replace the `https://your-target-server` with `updates.jenkins.io:443` and `jenkins.io:443` though (without `https://`). Don't use the second part of the command after the pipe `|` because one url has two certificates (edit manually instead). Repeat the `keytool` part for each. – Jim Mar 25 '19 at 19:48
  • 8
    The default password of ``cacert`` is "changeit" – Jack Miller May 23 '19 at 07:33
  • 1
    You can also configure Java's TrustStore by adding `-Djavax.net.ssl...` to "" in your `jenkins.xml` – Jack Miller May 23 '19 at 07:37
  • I am running jenkins as standalone app, start as command line "`java -jar jenkins.war`", where I can add the `-Djavax.net.ssl ` arguments? the command line can take only one, not both the **trustStore** and **trustStorePassword**. Adding the two args into the **jenkins.xml seems not making anything**. – Heinz Oct 08 '21 at 14:59
  • Does not work. Also the keystore location mentioned is not the end-all be-all location for the Jenkins keystore. For instance in the jenkins/jenkins docker image, the keystore is actually in `/var/jenkins_home/keystore`. – Dave Nov 19 '21 at 19:20
  • If you're implementing it in the Dockerfile use something like this: `keytool -import -alias youralias -storepass changeit -noprompt -trustcacerts -keystore $JAVA_HOME/lib/security/cacerts -file file.pe` – sk1me May 04 '23 at 12:07
  • the segment "jre" in the path is extra, you need to remove that. Otherwise this is a very good solution – ThomasMX May 08 '23 at 13:53
  • @ThomasMX that was the correct path back when I wrote this answer nearly 6 years ago. Perhaps it's changed now... – Highway of Life May 13 '23 at 18:49
33

From the question, my understanding is that this Jenkins is installed on a developer box.

If security is not a core concern in this box, you may in Jenkins web UI go to Manage Jenkins > Manage Plugins > tab Available and search for "skip-certificate-check" plugin.

Don't do this on publicly exposed servers. As the question pertains to local box experimentation, I am suggesting this solution to get things going.

On installing this, the issue should be fixed. Use this plugin with caution, since it is not advised from a security perspective.

Sairam Krish
  • 4
    Thanks! I tried changing the Update Site to http as [explained here](https://stackoverflow.com/a/54209442/1219634), but it doesn't work at least on Jenkins 2.235.5 (Sept 2020). But installing `skip-certificate-check` worked! Of course, it did not get installed using Jenkins Plugin manager, so I wget https://updates.jenkins.io/download/plugins/skip-certificate-check/1.0/skip-certificate-check.hpi to `$JENKINS_HOME/plugins` and restarted the server, and plugin updates started working again. – Kaushal Modi Sep 03 '20 at 16:59
  • 2
    installing skip-certificate check did not work for me – Aleks G Oct 29 '20 at 21:05
  • 3
    It's kind of a deadlock, trying to install this if the mentioned error appears when installing plugins. – Gerold Broser Nov 30 '20 at 04:37
30

Go to Manage Jenkins -> Configure Global Security -> Plugin Manager and check the box for "Use browser for metadata download".

It will solve the problem.

Anshul Gupta
25

Jenkins is bundled with its own JRE, so you may be using its very old JRE and hence old trust certificates. Update it as follows:

  1. Go to your Jenkins Home Folder and open the jenkins.xml file: %Jenkins_Home%/jenkins.xml

  2. You will find <executable>%BASE%\jre\bin\java</executable>. This could be really old/obsolete, so replace it with the system installed java runtime like <executable>%JAVA_HOME%\jre\bin\java</executable> or a specific version like <executable>C:\Program Files (x86)\Java\jre1.8.0_144\bin\java</executable>.

Now you should not have the issue since it'll pick up the newer trust certificates

Example

DeepSpace101
  • 2
    This was the one! The Java in Jenkins was 5 years old! :O – fig Oct 23 '20 at 14:35
  • 1
    The Windows version of Jenkins that's available on May 2021 doesn't come with its own JRE installed. It requires you to install Java before installing Jenkins and set the Java directory during installation. – Mort May 10 '21 at 05:08
  • 1
    @Mort, yes, but we had multiple JRE versions installed. This was still useful in determining which cacerts file to look at. – EpicVoyage Jun 30 '21 at 17:57
  • 2
    This did not work, that setting does not exist on my deployment (docker container / Linux). Also note, this solution seems to be geared toward Windows deployments. – Dave Dec 14 '21 at 21:30
24

Manage Jenkins -> Manage plugins -> Plugin Manager -> Advanced

Change "Update Site" to use http, not https. This solves my problem.

Rafael Zhou
8

I've just launched the jenkins.war with JDK cacerts as a workaround

java -Djavax.net.ssl.trustStore="/scratch/install/jdk1.8.0_102/jre/lib/security/cacerts" -jar jenkins.war &
svarog
Stella
6

Java ships with a default list of trusted root certificate authorities. If it can't find a path back to one of these trusted certificate authorities, it will not trust the certificate.

It sounds like the server you are attempting to connect to uses a certificate signed by an internal certificate authority. That's typical for internal servers. You wouldn't want to pay for a certificate if it isn't external facing.

You can add your company's root certificate authority to java using the keytool command. Then you will be able to make ssl connections to any certificate signed by this root certificate.

Matt Jennings
6

The correct solution is to NOT disable the certificate checks as a lot of people have suggested but rather to add the website certificate to the Java keystore instead.

I'll list my own guide below which should work for Linux. I suspect the same imports will work in Windows as the keytool is bundled with Java but you're on your own when it comes to any openssl commands.

Download all required certificates in the chain (this is a command I found on SO, I can't find the link but it's not my own creation):

openssl s_client -showcerts -verify 5 -connect updates.jenkins-ci.org:443 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".crt"; print >out}' && for cert in *.crt; do newname=$(openssl x509 -noout -subject -in $cert | sed -n 's/^.*CN=\(.*\)$/\1/; s/[ ,.*]/_/g; s/__/_/g; s/^_//g;p').pem; mv $cert $newname; done

You should now have 2 files:

Let's_Encrypt_Authority_X3.pem
pkg_jenkins_io.pem

Concatenate the 2 files:

cat "Let's_Encrypt_Authority_X3.pem" pkg_jenkins_io.pem > full_chain.pem

This next step is useful as the Java keytool is picky and the openssl package will fix any spacing issues. I have seen the keytool import fail even though openssl claimed it was valid so don't skip this step:

openssl x509 -in full_chain.pem -out full_chain_sanitized.pem

Now comes the fun part. I assume your Jenkins instance is running with some of the following arguments:

-Djavax.net.ssl.keyStore=/applications/configuration/pki/keystore.jks 
-Djavax.net.ssl.keyStorePassword=GOOD_PASSWORD 
-Djavax.net.ssl.trustStore=/applications/configuration/pki/truststore.jks 
-Djavax.net.ssl.trustStorePassword=GOOD_PASSWORD

Also note that you might not be using the custom keystores. In that case, you could try to include the certificate in the default cacerts file instead. Check the next section for details. If you are using any truststores, you will have configured a password so enter it when prompted.

Now we can import the Jenkins plugin site certificate. Make sure to use your own keytool path as it will differ from my own.

/applications/java/latest/bin/keytool -trustcacerts  -import -v -alias pkg_jenkins_io_full_chain -file full_chain_sanitized.pem -keystore /applications/configuration/pki/keystore.jks

/applications/java/latest/bin/keytool -trustcacerts  -import -v -alias pkg_jenkins_io_full_chain -file full_chain_sanitized.pem -keystore /applications/configuration/pki/truststore.jks

Restart your Jenkins server and the plugin site should work. If it doesn't (or if you weren't using custom keystores to begin with), you could try adding the certificate to the Java cacerts file but this is usually frowned upon as it will get replaced during any updates. A better option might be to instead create a backup, include the certificate in the copy and run Jenkins with using the copy as a truststore.

Remember that the default password for the cacerts store is 'changeit'

cp /apps/java/latest/jre/lib/security/cacerts /apps/java/latest/jre/lib/security/cacerts_copy

# Add the certificate to the keystore
/applications/java/latest/bin/keytool -trustcacerts -import -v -alias pkg_jenkins_io_full_chain -file full_chain_sanitized.pem -keystore /apps/java/latest/jre/lib/security/cacerts_copy

# Add -Djavax.net.ssl.trustStore= property to the Jenkins startup parameters, depending on your own OS.
# Just make sure to append it as such:
-Djavax.net.ssl.trustStore=/apps/java/latest/jre/lib/security/cacerts_copy

The https://stackoverflow.com/a/47316409/7569335 answer is good but it does not account for the custom keystore files scenario that I faced. Check it out as well as it has good info.

Serban Cezar
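The import steps in the answers above (Highway of Life's and Serban Cezar's) add whatever `openssl s_client` returned to the truststore. This added example, which is not code from either answer, splits a `-showcerts` chain, selects only the entry whose SHA-256 fingerprint matches one obtained out of band, and re-emits it as clean PEM for `keytool -import`. The function names are hypothetical and the sample chain is constructed from placeholder bytes, not real certificates.

```python
import base64
import hashlib
import hmac
import re

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_chain(text):
    """Return the DER bytes of every certificate found in `text`.

    The " 0 s:... i:..." lines that s_client prints between PEM blocks
    are ignored, as are CRLF line endings and stray indentation.
    """
    ders = []
    for body in CERT_RE.findall(text):
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    return ders


def fingerprint(der):
    """SHA-256 fingerprint as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(der):
    """Re-encode DER as PEM with 64-column lines and LF endings."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(rows)
            + "\n-----END CERTIFICATE-----\n")


def select_pinned(text, expected_fp):
    """Return clean PEM for the chain entry matching `expected_fp`.

    Raises ValueError when nothing matches, so a certificate nobody
    has vouched for is never written out for import.
    """
    want = re.sub(r"[^0-9A-Fa-f]", "", expected_fp).upper()
    for der in split_chain(text):
        got = fingerprint(der).replace(":", "")
        if hmac.compare_digest(got, want):
            return to_pem(der)
    raise ValueError("no certificate in the chain matches the expected fingerprint")


# Constructed sample: placeholder bytes stand in for real DER, laid out the
# way s_client prints a two-certificate chain, with CRLF line endings and
# indentation damage added on purpose.
LEAF_DER = b"constructed leaf certificate placeholder " * 4
CA_DER = b"constructed internal CA placeholder " * 4


def _damaged_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    rows = ["  " + b64[i:i + 40] for i in range(0, len(b64), 40)]
    return ("-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(rows)
            + "\r\n-----END CERTIFICATE-----\r\n")


SAMPLE = (" 0 s:CN = git.example.internal\r\n   i:CN = Example Internal CA\r\n"
          + _damaged_pem(LEAF_DER)
          + " 1 s:CN = Example Internal CA\r\n   i:CN = Example Internal CA\r\n"
          + _damaged_pem(CA_DER))

if __name__ == "__main__":
    trusted_fp = fingerprint(CA_DER)  # in practice: supplied by the CA owner
    print(select_pinned(SAMPLE, trusted_fp), end="")
```

The fingerprint format matches what `openssl x509 -noout -fingerprint -sha256` and `keytool -list -v` display, so the expected value can be compared by eye as well.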
1

I started getting this error: SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target completely out of nowhere back in August 2020 on 2 of my Jenkins build servers running on Windows Server. It prevented updates of Jenkins core and all plug-ins.

Getting some clues from others here and I decided to install the latest version of JRE (v1.8.0_261 in my case) with the hope that the cacerts would be updated. Installing the latest JRE created a new folder here: C:\Program Files (x86)\Java\jre1.8.0_261

Jenkins is pointing to a folder: C:\Program Files (x86)\Jenkins\jre. First I stopped Jenkins service. Second, I backed up and then deleted that C:\Program Files (x86)\Jenkins\jre folder and copied the C:\Program Files (x86)\Java\jre1.8.0_261 to C:\Program Files (x86)\Jenkins\jre.

This may not be best practice but it solved my error.

Jeff Mergler
  • 1
    a path without .exe "C:\Program Files\Java\jdk-11.0.10\bin\" did not allow me to start the service successfully. I had to give the full path including the .exe like this: C:\Program Files\Java\jdk-11.0.10\bin\java.exe – Ramesh May 21 '21 at 17:56
0

While the above answer is generally correct, it may also be due to an expired certificate in the chain (server cert, intermediate, root). Just got the same error and my server certificate was expired.

Markus
0

For Jenkins on Windows

After installing a stand-alone Java version on my PC, the mentioned error has disappeared.

To be precise, I have installed JDK 8u162 (Java SE Development Kit 8u162) from Java SE Development Kit 8 Downloads

it3xl
  • 1
    Ya, jenkins needs the JDK regardless of platform. I originally only had the JRE, installing the JDK on linux resolved this – Dane Macaulay Apr 10 '18 at 15:33
0

Add Root CA (GlobalSign.cer) downloaded from your browser to JAVA_HOME/jre/lib/security/cacerts.

You can use "Keystore explorer" tool to add Root CA to Java cacerts. Check this link for sequence of steps to add Root CA to Java cacerts :

After successfully adding Root CA to Java cert, restart Jenkins.

  • 1
    Welcome to StackOverflow! Please avoid simply leaving links. If they point to useful information, it would be helpful for others if you included the information from the linked page, tailored for the question to which you're answering. – Blitzkoder May 31 '18 at 22:08
0

I was able to resolve this issue by updating my JVM to a newer version. It seems that the new version of the JVM trusted the necessary CA certificate(s) to permit the download of the new jenkins war.

J. Beattie
  • 1
    This is essentially the same answer as https://stackoverflow.com/a/55758378/1945651. Perhaps this should be an upvote instead of an answer. – JLRishe Sep 04 '20 at 08:30
0

Development machine:

  1. Update to latest version of JAVA.
  2. Install Jenkins (make sure you point to the correct JAVA version).
  3. Ensure Jenkins is using the latest version by looking at the file: C:\Program Files\Jenkins\jenkins.xml:
    • Ex: C:\Program Files (x86)\Java\jre1.8.0_281\bin\java.exe
  4. Download certificate:
    • Go to Jenkins -> Manage Jenkins -> Manage Plugins -> Advanced:
      • Copy URL from "Update Site" and paste on browser:
        • Click on the icon left side of the URL and click Certificate.
          • Go to details and download certificate.
  5. Import certificate:
    • Open Java Control Panel:
      • Go to "Security" -> "Manage Certificates" and import certificate.
  6. Restart Jenkins.
  7. Test connection
    • Go Jenkins -> Manage Jenkins -> Manage Plugins -> Advanced and click "Check now" to test connection.
João Costa
0

On Windows I have jdk-16 installed, which wouldn't work, as the documentation states

My case then it got resolved by:

deleting the content of the .jenkins folder

properly installing and setting a jdk 1.8 version

running the java -jar jenkins.war

In order for two (or more) versions of java to be switched among you may follow this well written guide by Sven Woltmann How to change Java versions in Windows (updated 2021 for Java 17)

0

I had this exact same problem on a brand new install of Jenkins on new Mac using Homebrew. After a week of trying to resolve this with no luck, I discovered my IT department installed FortiGuard on the box. Because FortiGuard screws with the SSL responses, this looks like a certificate issue.

I discovered this by looking at the site Jenkins was having issues with (mirror.xmission.com) and then trying to open that site in Safari.

I hope this answer saves someone else a wasted week of effort.

Doug H
0

My case was pretty unique but had the same exception trace, and none of the above solutions worked. Just putting it out here for someone if they go through the same.

For me, Charles proxy was running in the background which was causing this whole issue and even if I was able to skip the certification check there were other issues popping up due to it. Closing Charles application worked for me.

Mukul Sharma
  • 1
    Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community May 09 '22 at 18:39
0

This is one of those stupid problems that no one has the right answer to. I have the same Jenkins version and the same JDK version working on one system with Windows 11, whereas it never succeeds on another laptop with Windows 10. I made sure it's not a problem with Jenkins. The problem is related to the JDK, but I'm not sure what it is.

You can verify the problem with a simple SSL debug as mentioned in https://access.redhat.com/solutions/973783

Use the Java client file to troubleshoot

java -Djavax.net.debug=all JavaHttpsClient https://example.com:port 1

Rahul Mohan
0

Error Jenkins local installation Windows. The mistake: SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Solution: I looked in several international and national forums, and I managed to solve the problem, with the combination of some of these forums. Follow the link: https://docs.cloudbees.com/docs/cloudbees-ci-kb/latest/client-and-managed-masters/pkix-path-building-failed-error-message from the site, which killed 90% of the problem.

  • Using Google Chrome, type: https://www.google.com/?gws_rd=ssl;
  • Click on the padlock that appears in the navigation bar;
  • Click on the information, secure connection;
  • Click on the information “the certificate is valid”;
  • Click on Details, and then on the export button (opt for the “.pem” extension), I downloaded both, but only this extension worked for me;
  • In my environment, I saved it inside a folder that I created in the root called “certificate” with the name: www.localhost.pem.
  • Now we have to import the downloaded certificate into the JVM we are using:
  • From inside the folder where I saved the certificate, I ran the command: keytool -import -alias "srv-local" -keystore cacerts -file .\www.localhost.pem OBS: In my case, after running the command above, a password was requested???? On the site that I left the link above, it does not show what this password is. I found it on other forums. The password: changeit For more explanations about the command above, see the link above.
  • If everything went well: the file is generated: cacerts. Replace the file found in your Java installation, inside the folders: jdk\lib\security
  • Finally, I changed the xml file, which has the Jenkins startup settings, the file: Jenkins.xml
  • Including in the arguments: -Djavax.net.ssl.trustStore=C:\certificate\cacerts -Djavax.net.ssl.trustStorePassword=changeit
  • After changing the file, the error disappeared. I hope this story has helped.
-1

For newer versions of Jenkins, go to Jenkins --> Manage Jenkins --> Configure Global Security, check the option "Use browser for metadata download" [by default it's unchecked] and restart Jenkins.

MD5
-2

wget updates.jenkins.io/download/plugins/skip-certificate-check/1.0/… to $JENKINS_HOME/plugins and restarted the server, and plugin updates started working again

Waqqas Sharif
-2

I met this issue when doing the hook connection test between jenkins and gitlab server connected by LAN.

It was solved by checking the Ignore SSL Certificate Errors checkbox (possibly hidden under the advanced (高级) option page)

Yabin CHENG
-3

Manage Jenkins > Manage Plugins > click on Advanced tab > scroll down to Update Site

update URL as : http://updates.jenkins-ci.org/update-center.json
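Several answers on this page switch verification off (the skip-certificate-check plugin, an http:// update site). This added example, which is not part of any answer, is a check that reports whether either workaround is still in place in a Jenkins home directory. The function names and the sample directory are constructed, and the layout of `hudson.model.UpdateCenter.xml` is assumed to be `<sites><site><id/><url/></site></sites>`.

```python
import pathlib
import re
import tempfile
import xml.etree.ElementTree as ET


def audit_jenkins_home(home):
    """Return findings for TLS-check workarounds left under `home`."""
    home = pathlib.Path(home)
    findings = []

    # Workaround 1: the skip-certificate-check plugin, installed through
    # the UI or dropped into plugins/ by hand as an archive.
    plugins = home / "plugins"
    if plugins.is_dir():
        for entry in sorted(plugins.glob("skip-certificate-check*")):
            findings.append(f"plugin disables certificate checks: {entry.name}")

    # Workaround 2: an update site fetched over plain http.
    # Assumed layout: <sites><site><id/><url/></site></sites>
    update_center = home / "hudson.model.UpdateCenter.xml"
    if update_center.is_file():
        text = update_center.read_text(encoding="utf-8", errors="replace")
        # Drop the XML declaration so its version/encoding attributes
        # cannot trip the parser; only the elements matter here.
        text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
        try:
            root = ET.fromstring(text)
        except ET.ParseError as exc:
            return findings + [f"cannot parse {update_center.name}: {exc}"]
        for site in root.iter("site"):
            site_id = (site.findtext("id") or "?").strip()
            url = (site.findtext("url") or "").strip()
            if url.lower().startswith("http://"):
                findings.append(f"update site '{site_id}' uses plain http: {url}")
    return findings


def build_sample_home(root, insecure):
    """Create a constructed JENKINS_HOME for the demo (not real data)."""
    home = pathlib.Path(root)
    (home / "plugins").mkdir(parents=True)
    (home / "plugins" / "git.jpi").write_bytes(b"")
    scheme = "https"
    if insecure:
        (home / "plugins" / "skip-certificate-check.hpi").write_bytes(b"")
        scheme = "http"
    (home / "hudson.model.UpdateCenter.xml").write_text(
        "<?xml version='1.1' encoding='UTF-8'?>\n"
        "<sites><site><id>default</id>"
        f"<url>{scheme}://updates.jenkins-ci.org/update-center.json</url>"
        "</site></sites>\n", encoding="utf-8")
    return home


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for line in audit_jenkins_home(build_sample_home(tmp, insecure=True)):
            print(line)
```

An empty result means neither workaround was found; it does not show that the truststore itself is configured correctly.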

-6

go to C:\Program Files\Java\jdk1.8.0_45\jre\lib\security

cmd C:\Program Files\Java\jdk1.8.0_45\jre\lib\security

after that give java -jar jenkins.war it will solve certificate issue