When I try to publish artifacts from Jenkins, if the host doesn't have the certificates for Artifactory installed, I get the error:

```
Error occurred for request GET /artifactory/api/system/version 
HTTP/1.1: sun.security.validator.ValidatorException: PKIX path building 
failed: sun.security.provider.certpath.SunCertPathBuilderException: 
unable to find valid certification path to requested target.
```

Is there a setting in Artifactory to disable this? I want to be able to connect from any Jenkins host without having the certificates added to the keystore.

LizzeBennet
  • Just to clarify, that message is coming from the client (the Jenkins Java process on the node), not from Artifactory. Is your Artifactory server using a self-signed certificate? – bto Aug 09 '18 at 21:14
  • @bto, It is a CA signed certificate. Does it make a difference if it is a self-signed certificate? I'm new to this, so I don't understand this part well yet. I understand the message is coming from the host (slave node) from where I am trying to publish. What kind of setting/configuration is needed on the host side? My objective is to publish to Artifactory from any slave node without having to install the certificates. BTW, these are all in a network which doesn't connect to the internet. – LizzeBennet Aug 09 '18 at 22:29
  • Well, you _could_ use plain http instead of https since it's an internal network. I would highly recommend against that. It's bad security practice, even on a closed network. What about a process that replicates the appropriate certificates to the nodes? – bto Aug 10 '18 at 02:46
  • @bto, That means in a secure setup, you need to install the cacerts on your host (with something like salt or the like for your hosts) or put it in the Dockerfile or something like that, am I right? – LizzeBennet Aug 17 '18 at 06:01
  • That's correct. You could also set up a Jenkins job using the [Matrix Plugin](https://plugins.jenkins.io/matrix-project) to run cert distribution on all the nodes - just remember that the nodes would need to be rebooted to pick up the new `cacerts` file! [This answer](https://stackoverflow.com/a/47316409/4121744) has a great step-by-step for the commands needed to pull down and inject the cert into a `cacerts` file. – bto Aug 20 '18 at 14:14
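
The cert distribution discussed in the comments can be scripted so that it is safe to run repeatedly on every node. The following is an added example, not code from this thread or from the linked answer: the function names, alias and file paths are hypothetical, and it assumes `keytool` from the node's JDK is on `PATH` and that the truststore uses the JVM default password `changeit`.

```shell
#!/bin/sh
# Added example (not from the thread): trust an internal CA in a node's JVM truststore.
# Assumes keytool (shipped with the JDK/JRE) is on PATH.

# Print the SHA-256 fingerprint keytool reports for a certificate file.
cert_fingerprint() {
  keytool -printcert -file "$1" 2>/dev/null |
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Succeed if the truststore holds a certificate with this fingerprint.
# Usage: truststore_has <keystore> <storepass> <fingerprint>
truststore_has() {
  [ -f "$1" ] || return 1
  # -v lists the SHA256 fingerprint on old and new JDKs alike.
  keytool -list -v -keystore "$1" -storepass "$2" 2>/dev/null | grep -qF "$3"
}

# Import the CA only if it is missing, then confirm it is present.
# Usage: ensure_ca_trusted <ca.pem> <alias> <keystore> [storepass]
# Returns 0 if trusted afterwards, 1 if the import failed, 2 on a bad cert file.
ensure_ca_trusted() {
  ect_ca=$1 ect_alias=$2 ect_ks=$3 ect_pass=${4:-changeit}  # JVM default password
  ect_fp=$(cert_fingerprint "$ect_ca")
  if [ -z "$ect_fp" ]; then
    echo "not a readable certificate: $ect_ca" >&2
    return 2
  fi
  if truststore_has "$ect_ks" "$ect_pass" "$ect_fp"; then
    echo "already trusted: $ect_fp"
    return 0
  fi
  keytool -importcert -noprompt -trustcacerts -alias "$ect_alias" \
    -file "$ect_ca" -keystore "$ect_ks" -storepass "$ect_pass" \
    >/dev/null 2>&1 || return 1
  truststore_has "$ect_ks" "$ect_pass" "$ect_fp" && echo "imported: $ect_fp"
}

# Run only when arguments are given, e.g. (hypothetical paths and alias):
#   sh trust-ca.sh /etc/pki/internal-ca.pem internal-ca "$JAVA_HOME/lib/security/cacerts"
if [ "$#" -ge 3 ]; then
  ensure_ca_trusted "$@"
fi
```

The default truststore is `$JAVA_HOME/lib/security/cacerts` on Java 9 and later and `$JAVA_HOME/jre/lib/security/cacerts` on a Java 8 JDK. Import the CA certificate that issued the Artifactory certificate rather than the server certificate itself, so a renewed server certificate keeps validating.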
