Problem:

When deploying Jenkins, at the time of installing plugins, every single plugin fails to download with the following Java error:

Caused: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Troubleshooting:

  • Deployed in an env not behind a proxy, this worked fine.
  • Tried changing the docker image type (used "jenkins" and "jenkinsci"; neither worked). Info found here.
  • Read through all of this post. Nothing on there helped.
  • It seems that Jenkins is trying to pull the plugins from the URL but can't validate the certificate. I tried adding the curl option for "-k" but this did not help. I also tried downloading with curl outside of the container to see what happened. It seemed I needed to use "-kL curl --proxy our.proxy.com:1234" to actually pull the plugin URL and have it work. However, when adding ENV CURL_OPTIONS -Lk --proxy our.proxy.com:1234 and spinning up the container, I still see the same error.
  • Read through this post as well about how URLs may need to be whitelisted, but I don't think this is our issue because A) I was able to pull from one mirror without having to have our proxy be adjusted, and B) the error says it's a certification path problem.
  • Why can I get the plugin URL via curl+proxy outside of the container, but when Java tries to do it I get certificate errors? It's not clear to me from the docker log output the java command being used to pull the plugins, so I am not sure what is going on.
  • Is there an option to disable cert validation from Java? I just need this to work as a POC right now so I don't care about validation checks at the moment; I can implement later. Also, this is going through a proxy and I don't have access to the proxy's CA trust or the certs. Just want to disable Any recommendations?

Environment:

  • Ubuntu Server 18.04
  • Docker version: 20.10.10
  • Docker compose version: 1.29.2

Config files:

  • Docker Compose File:
version: '3.7'
services:
  jenkins:
    container_name: jenkins
    build:
      context: ./jenkins
      dockerfile: ./jenkins.Dockerfile
    ports:
      - 8080:8080
      - 50000:50000
    volumes:
      - jenkins-data:/var/jenkins_home
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      DOCKER_SOCKET: /var/run/docker.sock
      ALL_PROXY: "http://our.proxy.com:1234"
      JAVA_OPTS: "-Dhttp.proxyHost=our.proxy.com -Dhttp.proxyPort=1234 -Dhttps.proxyHost=our.proxy.com -Dhttps.proxyPort=1234"

    privileged: true

volumes:
    jenkins-data:
  • Docker File:
FROM jenkins/jenkins:latest
USER root
ENV CURL_OPTIONS -k --proxy our.proxy.com:1234
Dave

1 Answer

If the runtime environment can't install plugins, then you can configure the plugins to be installed through a plugins.txt file in an environment that can access the update center. Build the container image in an environment where the update center is available, then copy the image to the final destination.

One example is in https://github.com/MarkEWaite/docker-lfs/tree/lts-with-plugins where it stores the plugin binaries in the Git repository as large files and defines the precise plugin versions in the plugins.txt file. The resulting container image includes the plugins so that access to the update center is not required.

Mark Waite
  • Yeah, I was avoiding having to manually move a container over, but I gave in. Not a solution to the problem I posted about, but it allows things to move forward for my project. I followed the instructions here to transfer over a working Jenkins with all plugins I needed installed: https://stackoverflow.com/a/53068212/7211014 – Dave Nov 29 '21 at 15:36
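
The workflow from the answer and the follow-up comment (build where the update center is reachable, then move the image) can be scripted as below. This is an added example, not code from the post or from the linked repository: the function names are hypothetical, and it assumes the build context holds a plugins.txt with `artifactId:version` lines plus a Dockerfile that installs it with the official image's `jenkins-plugin-cli`.

```shell
#!/bin/sh
# Added example; function names are hypothetical, paths and tags are arguments.
# Assumed Dockerfile in the build context (official jenkins/jenkins image):
#   COPY plugins.txt /usr/share/jenkins/ref/plugins.txt
#   RUN jenkins-plugin-cli --plugin-file /usr/share/jenkins/ref/plugins.txt

# Print every plugins.txt entry that is not pinned to an exact version.
# Returns 0 when all entries are pinned, 1 otherwise.
unpinned_plugins() {
    awk -F: '
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }   # strip comments and whitespace
        $0 == "" { next }                          # skip blank lines
        $2 == "" || $2 == "latest" || $2 == "experimental" { print $1; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Build host (update center reachable): build, export, record a checksum.
# usage: build_and_export <context-dir> <image:tag> <output.tar>
build_and_export() {
    ctx=$1; tag=$2; out=$3
    if ! unpinned_plugins "$ctx/plugins.txt" >&2; then
        echo "refusing to build: pin the plugins listed above" >&2
        return 1
    fi
    docker build -t "$tag" "$ctx" &&
    docker save -o "$out" "$tag" &&
    (cd "$(dirname "$out")" &&
        sha256sum "$(basename "$out")" > "$(basename "$out").sha256")
}

# Restricted host: load the image only if the tarball matches its checksum.
# usage: import_image <output.tar>   (the .sha256 file must sit beside it)
import_image() {
    (cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256") &&
    docker load -i "$1"
}
```

Copy both the tarball and its `.sha256` file to the restricted host before calling `import_image`; the container then starts with its plugins already in the image and never contacts the update center through the proxy.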