3
  1. Upgraded Jenkins.
  2. Created a slave.
  3. Installed the latest JDK on the slave machine and launched the slave.
  4. When I tagged a job with the slave and ran it, I got the above error.
  5. Searched on Google and, as per the search, added the public cert of my target TFS to the Java keystore, which is in C:\Program Files (x86)\Java\jre1.8.0_131\lib\security\cacerts.
  6. It worked for 2 jobs. For some purpose I untagged the job and ran it on master, then tagged it back to the slave and ran it; the issue came back.
  7. Tried to add the cert again, but it prompted that the cert is already in the keystore. Uninstalled and reinstalled the slave and changed the Java version; no luck. Rest of the log below:

    Building remotely on node1 in workspace C:\Builds\Jenkins\workspace\Foot_Driver
    Querying for remote changeset at '$/AEXX/' as of 'D2017-06-23T15:26:13Z'...
    FATAL: com.microsoft.tfs.core.exceptions.TECoreException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested targe

DimaSan
Ajay

2 Answers

4

By adding all the certs in the chain to cacerts, the issue got resolved.

  1. Get the list of all the certs in the chain by using (replace your domain with google.com)
    openssl s_client -host google.com -port 443 -prexit -showcerts
  2. Copy each cert into a separate .pem file, e.g. VS_cert1.pem, VS_cert2.pem.
  3. Import all the certs into the Java cacerts
    keytool -import -alias VS1 -file "C:\Users\xxxx\Desktop\Temp\VS_cert1.pem" -keystore "C:\Program Files (x86)\Java\jre1.8.0_131\lib\security\cacerts"
    keytool -import -alias VS2 -file "C:\Users\xxxx\Desktop\Temp\VS_cert2.pem" -keystore "C:\Program Files (x86)\Java\jre1.8.0_131\lib\security\cacerts"
  4. Bounce the service.
Tim Perry
Ajay
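
Steps 1 to 3 of the answer above, as an added Python example (not code from the original answer): it splits saved `openssl s_client -showcerts` output into one PEM per certificate, computes each SHA-256 fingerprint in the form `keytool -list -v` prints so a certificate can be checked before it is trusted, and builds the `keytool -import` command for every cacerts file. The sample chain is constructed placeholder data; the helper names and the second keystore path (the JRE bundled inside the JDK) are assumptions.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def to_pem(der):
    """Re-encode DER bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def split_chain(showcerts_text):
    """DER bytes of every certificate block, in the order the server sent them."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(showcerts_text)]

def fingerprint(der):
    """SHA-256 fingerprint in the AA:BB:... form that `keytool -list -v` prints."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def import_plan(showcerts_text, keystores, prefix="VS"):
    """Per certificate: (file name, PEM text, fingerprint, keytool commands)."""
    plan = []
    for n, der in enumerate(split_chain(showcerts_text), start=1):
        name = f"{prefix}_cert{n}.pem"
        cmds = [f'keytool -import -alias {prefix}{n} -file "{name}" -keystore "{ks}"'
                for ks in keystores]
        plan.append((name, to_pem(der), fingerprint(der), cmds))
    return plan

# Constructed sample: placeholder bytes stand in for real DER certificates.
SAMPLE = ("Certificate chain\n 0 s:/CN=tfs.example.test\n"
          + to_pem(b"constructed-leaf-placeholder")
          + " 1 s:/CN=Example Issuing CA\n"
          + to_pem(b"constructed-intermediate-placeholder"))
# First path is the one on the page; the JDK-bundled JRE path is an assumption.
KEYSTORES = [r"C:\Program Files (x86)\Java\jre1.8.0_131\lib\security\cacerts",
             r"C:\Program Files (x86)\Java\jdk1.8.0_131\jre\lib\security\cacerts"]

if __name__ == "__main__":
    real = len(sys.argv) > 1          # argv[1]: saved s_client output
    text = open(sys.argv[1]).read() if real else SAMPLE
    for name, pem, fp, cmds in import_plan(text, KEYSTORES):
        if real:
            with open(name, "w") as fh:
                fh.write(pem)
        print(f"{name}  SHA256={fp}", *cmds, sep="\n")
```
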
1

According to the error info sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested targe, it clearly complains about certificate validation. This may be due to working on a client that works with an SSL-enabled server running over the HTTPS protocol.

Try to add the -Djavax.net.ssl.trustStore location in jenkins-slave.xml, as well as add jssecacerts to lib\security of the Java used to run your Jenkins slave.

For more info about the error, please take a look at this blog: unable to find valid certification path to requested target

PatrickLu-MSFT
  • Before I do that, I have a few questions and a few observations. 1. I have not added any cert to my master, and it is working fine, so why is it required on the slave box? – Ajay Jun 28 '17 at 16:18
  • 2. I used SSLPoke to see if the SSL connectivity is working on both master and slave. What I noticed is that on the master (where SSL is working fine), I see in ServerHello "Extension renegotiation_info, renegotiated_connection: ", whereas on the non-working slave, I see "Warning: No renegotiation indication extension in ServerHello" – Ajay Jun 28 '17 at 16:19
  • 3. When I used OpenSSL to import the cert from the target server, along with the cert I see the message below; does it have an impact? "verify error:num=20:unable to get local issuer certificate verify return:0" – Ajay Jun 28 '17 at 16:19
  • 1
    I added the chain of certs to the cacerts in the JRE; here are the things I noticed. When I installed Java, I got 2 folders, one with the JRE and one with the JDK; the JDK has its own JRE under it. 1) The job started working randomly, so I added the certs to 2 locations of Java (JDK and JRE). 2) I am getting this SSL issue only on upgraded JDK boxes (Windows), but not on first-time JDK boxes. 3) Now again I am having issues randomly; to resolve this SSL issue, I need to restart the Jenkins slave. Not sure what is causing this. – Ajay Jul 05 '17 at 17:27