3

I am trying to install the version 2.162 of the open source Jenkins. The Jenkins successfully came up but, when I go to Manage Jenkins-> Manage Plugins, I see following error:

I've done some search and see this problem is regarding the certificate issue

There were errors checking the update sites: SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to > find valid certification path to requested target

In the keystore, which website certs should I add so that jenkins can donwload the plugins from?

newdevopsguy
  • 55
  • 1
  • 1
  • 8
  • Possible Duplicate: https://stackoverflow.com/questions/9619030/resolving-javax-net-ssl-sslhandshakeexception-sun-security-validator-validatore – Amulya K Murthy Dec 04 '20 at 11:53

7 Answers7

7

I was able to solve this from Jenkins UI very easy to login to Jenkins with Admin

  • Manage Jenkins
  • Manage Plugins
  • Advance (Under the Manage Plugins)

  • List item

  • Change URL from https to http and click on Submit

  • In the Last click on Check Now
Mansur Ul Hasan
  • 2,898
  • 27
  • 24
1

You have to configure JENKINS update-site CA-s certificates in your JENKINS java store. Just get those certificates (you can get it from your browser accessing update-site URL) and add it to your java store (java store path: $JAVA_HOME/jre/lib/security/cacerts)

Florian Winter
  • 4,750
  • 1
  • 44
  • 69
Valentin Carpov
  • 11
  • 1
1

To fix this you need to download all the certificates used by all the sites related to the update plugin process in Jenkins.

Typically:

  1. get.jenkins.io.cer
  2. mirror.gruenehoelle.nl.cer
  3. updates.jenkins.io.cer

There may be more. As you install a plugin. If it fails. Just repeat the process to download the certificate and add it to your keystore.

> Example: keytool -import -alias mirrorgruen -keystore
> $JAVA_HOME/jre/lib/security/cacerts -file ./mirror.gruenehoelle.nl.cer

This worked on MACOSx. Tip: Unless you've changed it. Use the default password of 'changeit' when prompted to type in your password.

Finally restart Jenkins - then attempt to install the plugins. That should turn the results green.

mani-fresh
  • 361
  • 2
  • 3
0

I think the answer here might solve your problem, sounds like the same issue:

Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?

Andy Macdonald
  • 61
  • 1
  • 3
  • Yep, I've gone through that and now know the process of creating a cert but for this particular scenario, not sure which website cert I need to add so Jenkins can install it's plugin while setting up. – newdevopsguy Feb 01 '19 at 17:29
0

You should have latest version of JDK. I faced same issue and it was because while installing I used jdk1.8.0_241 instead of Java 2.91. And here I ended up in all kind of issues. First I need to move to http from https (Solution above) and then still got same error while installing plugin. To resolve this , you can see which Java version your Jenkins is referring, in your Jenkins installation HOME folder, under file named Jenkins.xml. Search for following line - C:\Program Files\Java\jre1.8.0_291\bin\java.exe

if it is outdated, update it, JDK 1.8.291 worked like a charm for me !

This JIRA ticket helped me in getting to root cause of this - https://issues.jenkins.io/browse/JENKINS-63515

Ragner16
  • 9
  • 1
0
I was using java version "1.8.0_91" when getting the SSL handshake error. Problem got solved after following instructions followed to upgrade Java to version 11

I downloaded jdk version 11.0.14 from https://www.oracle.com/java/technologies/downloads/#java11 and installed it

Also installed fontconfig using
yum install fontconfig

Modified below in /etc/init.d/jenkins with path of Java 11. Ex - /root/jdk-11.0.14/bin/java . Gave 755 permission to all folders and files in path /root/jdk-11.0.14/bin/java

Also configured update site in Jenkins configuration as
http://updates.jenkins-ci.org/update-center.json

If your problem is still not solved with above changes and if you are using a proxy where proxy is giving its own SSL certificate instead of original certficate of the website then below steps will be needed.

Add your HTTP proxy certificate (Get it from your IT team. Or access Jenkins update site in your laptop using same proxy and export certificate from browser as base64 cer file) to trusted certificates using below commands. Put the exported certificates in cer file in linux using vim. Make sure to give 755 permission for all folders and files in below paths so that jenkins user can read them.
CA cert paths
/root/jdk-11.0.14/jre/lib/security/cacerts
/root/jdk-11.0.14/lib/security/cacerts

keytool -import -noprompt -trustcacerts -alias proxy3 -file /root/proxy1.cer -keystore /root/jdk-11.0.14/lib/security/cacerts -storepass changeit -keypass changeit
keytool -import -noprompt -trustcacerts -alias jenkins3 -file /root/jenkins1.cer -keystore /root/jdk-11.0.14/lib/security/cacerts -storepass changeit -keypass change

configured /etc/sysconfig/jenkins with 
ENKINS_HTTPS_KEYSTORE="/root/jdk-11.0.14/lib/security/cacerts"
JENKINS_HTTPS_KEYSTORE_PASSWORD="changeit"

Modified below in /etc/init.d/jenkins
candidates="
/root/jdk-11.0.14/bin/java
PARAMS="--logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war -Djavax.net.ssl.trustStore=/root/jdk-11.0.14/lib/security/cacerts"
Shadaksharayya H A
  • 119
  • 5
-3

Just a small hack. Update the URL in the file "hudson.model.UpdateCenter.xml" from https to http 

<?xml version='1.1' encoding='UTF-8'?>
<sites>
  <site>
    <id>default</id>
    <url>http://updates.jenkins.io/update-center.json</url>
  </site>
</sites>
Harshavardhan
  • 31
  • 5