PKIX path building failed error message

Issue

  • I am receiving the following error message:
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  • Shared slaves do not work on my environment which uses HTTPS.
  • Any error message with ValidatorException: PKIX
  • Jenkins with HTTPS causes PKIX error message.
  • Elasticsearch task that is running in a docker fails with the following error:
"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Environment

Resolution

The error message:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Is a common error message reported by the Java Virtual Machine. This is caused when the Java environment does not have information about the HTTPS server to verify that it is a valid website.

Possible causes of this issue:

  • If the Java version running on your machine is not up to date, hence the cacert that is included with your old Java version does not trust the latest Certificate Authorities. Ensure you are running the latest fix pack of Java (for example, for openjdk 1.8, a fix pack level is java-1.8.0-openjdk-1.8.0.191.b12).
  • Running Jenkins with the option -Djavax.net.ssl.trustStore= and pointing to a trust store that was copied from the cacerts of an out-of-date Java fix pack level that does not trust the latest Certificate Authorities. In this case, you may have to rebuild your custom trustStore using the latest cacerts file from the latest Java fixpack version
  • The most common reason for this issue is the certificate is provided by an internal Root CA or is a Self-Signed Certificate. This sometimes can confuse the JVM as it is not one of the ones on the Java “trusted” list who can provide these certificates. The steps to resolve this are listed below:

Because we know that the certificate is “valid” we can import this certificate directly into the JVM. In doing so, we tell the JVM that this is is a “trusted” certificate and to “ignore” any issues with it.

Note In this example I will be using firefox. Similar steps are available for all other browsers.

To begin we first need to navigate via the browser to the URL where the certificate is located. Clicking on the green lock will show us information about the certificate. After clicking on the green lock click on More Information:

Once you click on the green lock, then a new box will appear with more information about the certificate. Click “View Certificate”:

Click the “Details” tab which will provide detailed information about the certificate:

Click on the “Export…” to export this certificate to local disk. Also make sure to maintain the PEM format. (Note: In Windows, the PEM format is called “Base-64 encoded X.509 (.CER)”):

After the certificate is saved to disk then please open up a terminal and it is time to import the certificate into the JVM. To do that please execute the following command:

keytool -import -alias $ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts -file $PATH_TO_PEM_FILE

Please replace the following:

  • $ALIAS - This can be any value. It is a value to distinguish this certificate from others. Example would be “svn-repo”, or “artifact server”.
  • $JAVA_HOME - This should be the location of where your current java home is. If you only have the Java Runtime Environment (JRE) installed, then you can replace $JAVA_HOME/jre with the $JRE_HOME. Note: Windows users should verify that they are importing the certificate into the JRE Jenkins runs in. When set up as a Windows service, Jenkins uses the version of Java defined in $JENKINS_HOME\jenkins.xml. This can be a different version of Java than the one which gets invoked by running java or keytool from the command line.
  • $PATH_TO_PEM_FILE - This should be the location of the PEM file we downloaded from above.

Once the command is executed, then the final part is to make sure that the JVM uses the correct cacert file. To do this please add the following arguments to your Jenkins Java startup process:

-Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacert
-Djavax.net.ssl.trustStorePassword=changeit

The initial trustStore argument makes sure that the Java process uses the correct cacerts file. The trustStorePassword option is optional as some users like to set a password for their cacerts file.

After restarting Jenkins it should recognize that the certificate has been added to the “trusted” list and it will continue to operate.

Other Resources

Have more questions?

8 Comments

  • 0
    Avatar
    Rohit Thakur

    I was doing right always while import the certificate in $JAVA_HOME/jre/lib/security/cacert and still the issue didnt resolve for me.I have forget to mention java opts for keysotre and password.

    -Djavax.net.ssl.keyStore=$JAVA_HOME/jre/lib/security/cacert
    -Djavax.net.ssl.keyStorePassword=changeit
    
  • 1
    Avatar
    Denys Digtiar

    Hi Rohit,

    Could you please try to change the java opts from `keyStore` to `trustStore`.

    Please check if this article helps you How to install a new SSL certificate

  • 0
    Avatar
    Danilo Ischiavolini Chaves

    Hi, 

      There any process to do this in CJE ? 

  • 0
    Avatar
    Denys Digtiar

    Hi Danilo,

    The process for CJE 1.x clusters is described in: How to import certificates to a CJE cluster

  • 0
    Avatar
    Danilo Ischiavolini Chaves

    Hi Denys, 

     I'm using CJE 2 there is any documentation? 

  • 0
    Avatar
    Allan Burdajewicz

    Hi Danilo,

    Id you are referring to CloudBees Core on Modern Cloud (Kubernetes), then the solution is to use a sidecar injector. See also Deploy Self Signed certificates in Masters and Agents.

    Regards,

  • 0
    Avatar
    Jason Statham

    I tried all possible solution but still not resolve above issue also followed below website steps 

    https://wiki.jenkins.io/display/JENKINS/Starting+and+Accessing+Jenkins

    My jenkins version is 2.178

    issue -

    FATAL: com.microsoft.tfs.core.exceptions.TECoreException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    Need solution, because stucked here from last 1 week
  • 0
    Avatar
    Venkatesh Seerapu

    Hi @jason

     

    https://support.cloudbees.com/hc/en-us/articles/217078498/comments/360001985732

     

    Did you found any sollution for this issue, please suggest as I'm also facing same issue with Jenkins Email configuration?

Please sign in to leave a comment.