How to configure a shared agent against a TLS endpoint with a self-signed certificate

Issue

  • OC and/or the CM is configured as a TLS endpoint using a self-signed certificate
  • The shared agent cannot connect to OC
  • The shared agent is never provisioned to the CM
  • The following stack trace appears in the OC and/or CM logs:
Apr 25, 2017 5:45:54 PM INFO com.cloudbees.opscenter.client.cloud.CloudImpl provision
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
        at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
        at sun.security.validator.Validator.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
        ... 14 more

Environment

  • CloudBees Jenkins Platform (Legacy)
  • OC and/or CM using a TLS endpoint with a self-signed certificate.

Resolution

Unfortunately, the -noCertificateCheck option does not work on shared agents. Internally, we are tracking this as CJP-6796 "-noCertificateCheck does not work for shared agents/clouds".

In any case, the best approach is not to trust every certificate with -noCertificateCheck, which disables certificate validation entirely and would make the agent accept any certificate presented on the connection (including one from a man-in-the-middle), but to create a trustStore for the shared agent that contains exactly the certificate(s) it should trust. The way to create a trustStore is documented in the KB How to install a new SSL certificate.

The first thing you need to do is to get the certificate from CJOC and from the CM (CJE), in case they present different certificates. You can do this with:

keytool -printcert -rfc -sslserver <CJOC_HOSTNAME>:<CJOC_PORT>

Note that this fetches whatever certificate the endpoint presents at that moment, so before importing it compare its fingerprint (keytool -printcert -file <file>) with the one known to the OC/CM administrator; otherwise you are trusting the first certificate you happened to receive.

Example:

pegaso:~ fbelzunc$ keytool -printcert -rfc -sslServer cjoc.example.com:9090
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Then, you need to follow these points of the KB article:

  1. Create a custom keystore from the JVM keystore
  2. Import your certificate

and finally, pass the trustStore to the agent JVM through the agent startup parameters. For example (the path below comes from a support case; replace it with the location of your own trustStore, which must be readable by the user the agent runs as, and use the password you set on the store, changeit being the default of the JVM cacerts it was copied from):

-Djavax.net.ssl.trustStore=/Users/fbelzunc/cloudbees/support/support-shinobi-tools/cases/48091/017-cloudbees-support_CM-example_2017-04-21_15.46.54/jenkins-home/.keystore/cacerts -Djavax.net.ssl.trustStorePassword=changeit

Because the custom trustStore was created from a copy of the JVM cacerts, the agent keeps trusting public CAs; only the self-signed OC/CM certificate(s) are added. If OC and the CM use different certificates, import both into the same store before starting the agent.
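The whole procedure (fetch the certificate, show its fingerprint for an out-of-band check, copy the JVM cacerts into a dedicated trustStore, import the certificate, verify the entry, and print the JVM flags) as a single script. This is an added example, not code from the CloudBees KB or from CloudBees; it assumes keytool from a JDK is on the PATH, that JAVA_HOME points at the agent's JDK, and the host names, ports, alias scheme and paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the CloudBees KB): build a dedicated trustStore for a
# shared agent so it can verify a self-signed OC/CM TLS certificate instead of
# disabling validation with -noCertificateCheck.
# Assumptions: keytool (JDK) is on PATH, JAVA_HOME points at the agent's JDK,
# and the endpoint names, ports and paths used below are placeholders.
set -eu

# Extract the first PEM certificate block from "keytool -printcert -rfc" output.
# A self-signed endpoint returns exactly one block; for a chain this is the leaf.
extract_first_pem() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{if(p){exit}}'
}

# Fetch the certificate presented by host:port and write it to a file.
fetch_server_cert() {
    host_port="$1"; out="$2"
    keytool -printcert -rfc -sslserver "$host_port" | extract_first_pem > "$out"
    [ -s "$out" ] || { echo "no certificate received from $host_port" >&2; return 1; }
}

# Print the fingerprint so it can be compared out-of-band with the value the
# OC/CM administrator expects: fetching over the network alone is
# trust-on-first-use and does not rule out a man-in-the-middle.
show_fingerprint() {
    keytool -printcert -file "$1" | grep -E 'SHA256|SHA1'
}

# Create the custom trustStore by copying the JVM cacerts (public CAs stay
# trusted), then import the self-signed certificate under a stable alias and
# verify the entry is really there before handing the store to the agent.
import_into_truststore() {
    cert="$1"; alias="$2"; store="$3"; pass="$4"
    if [ ! -f "$store" ]; then
        src="${JAVA_HOME:?JAVA_HOME not set}/lib/security/cacerts"
        [ -f "$src" ] || src="$JAVA_HOME/jre/lib/security/cacerts"   # JDK 8 layout
        cp "$src" "$store"
    fi
    keytool -importcert -noprompt -trustcacerts -alias "$alias" \
        -file "$cert" -keystore "$store" -storepass "$pass"
    keytool -list -keystore "$store" -storepass "$pass" -alias "$alias" > /dev/null
}

# The two flags to add to the shared agent's JVM startup parameters.
jvm_truststore_flags() {
    printf '%s %s' "-Djavax.net.ssl.trustStore=$1" "-Djavax.net.ssl.trustStorePassword=$2"
}

# Usage: sh agent-truststore.sh <store.jks> <storepass> <host:port> [<host:port> ...]
# e.g.   sh agent-truststore.sh /opt/agent/truststore.jks changeit cjoc.example.com:9090 cm.example.com:8443
# Every OC/CM endpoint listed is fetched and imported, since they may use different certificates.
if [ "$#" -ge 3 ]; then
    store="$1"; pass="$2"; shift 2
    for endpoint in "$@"; do
        alias=$(printf '%s' "$endpoint" | tr ':' '_')
        tmp="/tmp/$alias.pem"
        fetch_server_cert "$endpoint" "$tmp"
        show_fingerprint "$tmp"
        import_into_truststore "$tmp" "$alias" "$store" "$pass"
    done
    echo "Add to the agent JVM options: $(jvm_truststore_flags "$store" "$pass")"
fi
```

Run it once per shared agent host (or once and copy the resulting store to every agent), then put the printed flags in the agent's JVM options. The alias is derived from host:port so re-running after a certificate rotation overwrites the stale entry instead of silently keeping it.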