If you encounter this error while running ec_groovy from the command line,
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed
Then perform the following steps to resolve the issue.
-
Obtain the CloudBees CD/RO server’s certificate.
-
Windows platforms:
-
Issue the following on a command line to display the server certificate contents.
openssl s_client -connect <replace-cloudbees-flow-server-name-here>:8443 -
Copy the server certificate contents after
Server certificateinto a file, sayef-server.crt. Here is an example of the content that needs to be copied.-----BEGIN CERTIFICATE----- MIIF5zCCBM+gAwIBAgIHBG9JXlv9vTANBgkqhkiG9w0BAQUFADCB3DELMAkGA1UE HLKJLhDJGFD66RhkgfkjgfHFJFR7i656FGKgf6cvfKHFKFKHGFKFHKGFHKFKFHFHK ... os5LW3PhHz8y9YFep2SV4c7+NrlZISHOZVzN -----END CERTIFICATE-----
-
-
UNIX platforms:
Issue the following on a command line; this gets the certificate and saves it to the file,
ef-server.crt(newlines added for readability).COMMANDER_HOME=/opt/cloudbees/sda && \ LD_LIBRARY_PATH=$COMMANDER_HOME/lib && \ OPENSSL_CONF="$COMMANDER_HOME/conf/agentssl.cnf" && \ echo -e "quit\n" | \ $COMMANDER_HOME/bin/openssl s_client \ -connect replace-electricflow-server-name-here:8443 | \ sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ef-server.crt
-
-
Verify the certificate contents saved in
ef-server.crt(newlines added for readability).COMMANDER_HOME=/opt/cloudbees/sda && \ LD_LIBRARY_PATH=$COMMANDER_HOME/lib && \ OPENSSL_CONF="$COMMANDER_HOME/conf/agentssl.cnf" && \ echo -e "quit\n" | \ $COMMANDER_HOME/bin/openssl x509 -in ef-server.crt -text -
Import the certificate into the Java keystore (newlines added for readability).
COMMANDER_HOME=/opt/cloudbees/sda && \ $COMMANDER_HOME/jre/bin/keytool \ -import -trustcacerts \ -keystore $COMMANDER_HOME/jre/lib/security/cacerts \ -storepass changeit \ -noprompt -alias myEFcert -file ef-server.crt
Confirm that ec-groovy successfully runs from the command line.