PKIX path building failed error message

Issue

  • I am receiving the following error message:
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  • Shared slaves do not work in my environment, which uses HTTPS.
  • Any error message containing ValidatorException: PKIX
  • Jenkins with HTTPS causes a PKIX error message.
  • An Elasticsearch task running in a Docker container fails with the following error:
"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Environment

  • Jenkins
  • CloudBees Jenkins Enterprise
  • CloudBees Jenkins Operations Center
  • Analytics (Elasticsearch)

Resolution

The error message:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This is a common error message reported by the Java Virtual Machine. It occurs when the Java environment has no information about the HTTPS server's certificate that would let it verify the site. Sometimes the certificate is issued by an internal root CA or is a self-signed certificate. This can confuse the JVM, because the issuer is not one of the certificate authorities on the Java “trusted” list that are allowed to issue such certificates.

Because we know that the certificate is “valid”, we can import it directly into the JVM. In doing so, we tell the JVM that this is a “trusted” certificate and to “ignore” any issues with it.

Note: In this example I will be using Firefox. Similar steps are available for all other browsers.

To begin, navigate in the browser to the URL where the certificate is served. Clicking on the green lock shows information about the certificate. After clicking on the green lock, click on More Information:

A new box will appear with more information about the certificate. Click “View Certificate”:

Click the “Details” tab which will provide detailed information about the certificate:

Click on “Export…” to export this certificate to local disk. Note: Please make sure to keep the PEM format:

After the certificate is saved to disk, open a terminal; it is now time to import the certificate into the JVM. To do that, execute the following command:

keytool -import -alias $ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts -file $PATH_TO_PEM_FILE

Please replace the following:

  • $ALIAS - This can be any value. It distinguishes this certificate from the others in the keystore. Examples would be “svn-repo” or “artifact server”.

  • $JAVA_HOME - This should be the location of your current Java home. If you only have the Java Runtime Environment (JRE) installed, then you can replace $JAVA_HOME/jre with $JRE_HOME. Note: Windows users should verify that they are importing the certificate into the JRE that Jenkins runs in. When set up as a Windows service, Jenkins uses the version of Java defined in $JENKINS_HOME\jenkins.xml. This can be a different version of Java than the one which gets invoked by running java or keytool from the command line.

  • $PATH_TO_PEM_FILE - This should be the location of the PEM file exported above.

Once the command has been executed, the final part is to make sure that the JVM uses the correct cacerts file. To do this, add the following arguments to your Jenkins Java startup process:

-Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts
-Djavax.net.ssl.trustStorePassword=changeit

The trustStore argument makes sure that the Java process uses the correct cacerts file (the file is named cacerts, and the property that selects the certificates a JVM trusts is javax.net.ssl.trustStore; javax.net.ssl.keyStore would instead point the JVM at its own client identity keys). The trustStorePassword option is optional, as some users like to set a password for their cacerts file.

After restarting Jenkins, it should recognize that the certificate has been added to the “trusted” list and continue to operate.
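As an added diagnostic (not part of this article and not Jenkins code), the following Java program runs the same PKIX path validation the JVM performs during the TLS handshake, against the cacerts file and the exported PEM file from the steps above, so you can confirm the keytool import worked before restarting Jenkins. The class name TrustStoreCheck and the two positional arguments (cacerts path, PEM path) are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

public class TrustStoreCheck { // added example; class name assumed, not from the article

    /** Loads the trust store, e.g. $JAVA_HOME/jre/lib/security/cacerts (default password "changeit"). */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Reads the certificate(s) exported from the browser; a chain must be listed leaf first. */
    static List<X509Certificate> readPem(String pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(pemFile)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /** Runs the PKIX path validation the JVM performs in the handshake; false = "PKIX path building failed". */
    static boolean validates(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trustStore); // trust anchors = the store's trusted entries
        params.setRevocationEnabled(false); // stay offline; revocation is unrelated to this error
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            System.err.println("PKIX validation failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = loadTrustStore(args[0], "changeit".toCharArray()); // args[0]: path to cacerts
        boolean ok = validates(readPem(args[1]), ts);                     // args[1]: exported PEM file
        System.out.println(ok ? "trusted by this cacerts" : "not trusted: import with keytool, then restart Jenkins");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it with the same java binary Jenkins uses, so the cacerts file it reads is the one the Jenkins process will read.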
