Symptoms
-
I have added a certificate to a truststore but I am still getting
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException
Diagnostic/Treatment
-
Pre-condition: How to install a new SSL certificate guide.
Check Jenkins JVM can reach out to a Server via SSL
From the Script Console ($JENKINS_URL/script):
def url = "$serverUrl" def connection = new URL(url).openConnection() as HttpURLConnection connection.with { println "ResponseCode: ${responseCode}" println "Body: ${inputStream.text}" }
A more extended script is here: checkSSLConnection.
Validate the truststore outside Jenkins
To test the connection with a plain "java command" run jrunscript -Djavax.net.ssl.trustStore=<JENKINS_TRUSTSTORE_FILE> -Djavax.net.ssl.trustStorePassword=<JENKINS_TRUSTSTORE_PASS> -e "println(new java.net.URL(\"<URL>\").openConnection().getResponseCode())"
Note:
-
Do not forget to include all quotes (").
-
If everything is fine the expected response is
200
In case you get a different result that expect response (200).
A - Firstly, verify your certificate is included in the <JENKINS_TRUSTSTORE_FILE> by:
keytool -list -v -keystore cacerts -alias <YOUR_ALIAS_HERE>
B -In case the javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching <SERVER_HOSTNAME> found. Check that the "CN" (Common Name) attribute of the "Owner" entry matches with the <SERVER_HOSTNAME> used by CJE or CJOC (also check the "SubjectAlternativeName" section for Multi hostname certificates)
keytool -printcert -file path/to/<YOUR_CA_FILE>.pem
Example:
> jrunscript -Djavax.net.ssl.trustStore=./cacerts-with-jenkins.example.com.jks -Djavax.net.ssl.trustStorePassword=changeit -e "println(new java.net.URL(\"https://jenkins.example.com\").openConnection().getResponseCode())" java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching "https://jenkins.example.com found at jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:397) at jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:446) at jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:403) at jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:399) at jdk.nashorn.api.scripting.NashornScriptEngine.eval(NashornScriptEngine.java:155) at javax.script.AbstractScriptEngine.eval(AbstractScriptEngine.java:264) at com.sun.tools.script.shell.Main.evaluateString(Main.java:298) at com.sun.tools.script.shell.Main.evaluateString(Main.java:319) at com.sun.tools.script.shell.Main.access$300(Main.java:37) at com.sun.tools.script.shell.Main$3.run(Main.java:217) at com.sun.tools.script.shell.Main.main(Main.java:48) Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching jenkins.example.com found at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474) at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338) at jdk.nashorn.internal.scripts.Script$1$\^string\_.:program(<string>:1) at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:637) at jdk.nashorn.internal.runtime.ScriptFunction.invoke(ScriptFunction.java:494) at jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:393) ... 10 more Caused by: java.security.cert.CertificateException: No name matching jenkins.example.com found at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:221) at sun.security.util.HostnameChecker.match(HostnameChecker.java:95) at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455) at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ... 27 more
Then checking the hostname, we realized that differs from example.com, it is CN=*.notExample.com
> keytool -printcert -file /path/mycerts/example.ca.pem Owner: CN=*.notExample.com, O="Not Example Technologies, Inc", L=San Francisco, ST=California, C=US Issuer: CN=GeoTrust SSL CA - G3, O=GeoTrust Inc., C=US Serial number: 27ce5d06960d3796b9e8f6bb000d2de9 Valid from: Mon Jan 26 01:00:00 CET 2015 until: Sun Feb 19 00:59:59 CET 2017 Certificate fingerprints: MD5: CB:15:CD:A9:49:2C:D3:D1:AC:21:57:D9:12:F2:08:6D SHA1: AB:F0:5B:A9:1A:E0:AE:5F:CE:32:2E:7C:66:67:49:EC:DD:6D:6A:38 SHA256: 31:33:B1:2F:37:92:4B:67:FC:CF:14:42:58:FC:BC:7D:E2:89:27:E8:7C:25:EC:67:47:EC:4D:95:29:15:7A:8D Signature algorithm name: SHA256withRSA Version: 3 Extensions: ...