When using ec-groovy to interact with CloudBees CD (CloudBees Flow), you may receive the following error:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This is a known issue that may occur when using ec-groovy. The following steps should be followed to resolve this problem:
-
Obtain the CloudBees CD (CloudBees Flow) server’s certificate using the following command:
COMMANDER_HOME=/opt/electriccloud/electriccommander && LD_LIBRARY_PATH=$COMMANDER_HOME/lib && OPENSSL_CONF="$COMMANDER_HOME/conf/agentssl.cnf" && echo -e "quit\n" | $COMMANDER_HOME/bin/openssl s_client -connect replace-electricflow-server-name-here:8443
-
Copy the server certificate contents after "Server certificate" into a file, say ef-server.crt
-
Verify the certificate contents:
COMMANDER_HOME=/opt/electriccloud/electriccommander && LD_LIBRARY_PATH=$COMMANDER_HOME/lib && OPENSSL_CONF="$COMMANDER_HOME/conf/agentssl.cnf" && echo -e "quit\n" | $COMMANDER_HOME/bin/openssl x509 -in ef-server.crt -text
-
Import the certificate into the Java keystore:
COMMANDER_HOME=/opt/electriccloud/electriccommander && $COMMANDER_HOME/jre/bin/keytool -import -trustcacerts -keystore $COMMANDER_HOME/jre/lib/security/cacerts -storepass changeit -noprompt -alias myEFcert -file ef-server.crt
-
ec-groovy should now run successfully from the command-line.
This article is part of our Knowledge Base and is provided for guidance-based purposes only. The solutions or workarounds described here are not officially supported by CloudBees and may not be applicable in all environments. Use at your own discretion, and test changes in a safe environment before applying them to production systems.