SSL Certificates Troubleshooting

Article ID:115002505772
2 minute readKnowledge base

Symptoms

  • I have added a certificate to a truststore but I am still getting sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException

Diagnostic/Treatment

Check Jenkins JVM can reach out to a Server via SSL

From the Script Console ($JENKINS_URL/script):

def url = "$serverUrl"
def connection = new URL(url).openConnection() as HttpURLConnection
connection.with {
  println "ResponseCode: ${responseCode}"
  println "Body: ${inputStream.text}"
}

A more extended script is here: checkSSLConnection.

Validate the truststore outside Jenkins

To test the connection with a plain "java command" run jrunscript -Djavax.net.ssl.trustStore=<JENKINS_TRUSTSTORE_FILE> -Djavax.net.ssl.trustStorePassword=<JENKINS_TRUSTSTORE_PASS> -e "println(new java.net.URL(\"<URL>\").openConnection().getResponseCode())"

Note:

  1. Do not forget to include all quotes (").

  2. If everything is fine the expected response is 200

In case you get a different result that expect response (200).

A - Firstly, verify your certificate is included in the <JENKINS_TRUSTSTORE_FILE> by:

keytool -list -v -keystore cacerts -alias <YOUR_ALIAS_HERE>

B -In case the javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching <SERVER_HOSTNAME> found. Check that the "CN" (Common Name) attribute of the "Owner" entry matches with the <SERVER_HOSTNAME> used by CJE or CJOC (also check the "SubjectAlternativeName" section for Multi hostname certificates)

keytool -printcert -file path/to/<YOUR_CA_FILE>.pem

Example:

> jrunscript -Djavax.net.ssl.trustStore=./cacerts-with-jenkins.example.com.jks -Djavax.net.ssl.trustStorePassword=changeit  -e "println(new java.net.URL(\"https://jenkins.example.com\").openConnection().getResponseCode())"
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching "https://jenkins.example.com found
	at jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:397)
	at jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:446)
	at jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:403)
	at jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:399)
	at jdk.nashorn.api.scripting.NashornScriptEngine.eval(NashornScriptEngine.java:155)
	at javax.script.AbstractScriptEngine.eval(AbstractScriptEngine.java:264)
	at com.sun.tools.script.shell.Main.evaluateString(Main.java:298)
	at com.sun.tools.script.shell.Main.evaluateString(Main.java:319)
	at com.sun.tools.script.shell.Main.access$300(Main.java:37)
	at com.sun.tools.script.shell.Main$3.run(Main.java:217)
	at com.sun.tools.script.shell.Main.main(Main.java:48)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching jenkins.example.com found
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
	at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
	at jdk.nashorn.internal.scripts.Script$1$\^string\_.:program(<string>:1)
	at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:637)
	at jdk.nashorn.internal.runtime.ScriptFunction.invoke(ScriptFunction.java:494)
	at jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:393)
	... 10 more
Caused by: java.security.cert.CertificateException: No name matching jenkins.example.com found
	at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:221)
	at sun.security.util.HostnameChecker.match(HostnameChecker.java:95)
	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
	... 27 more

Then checking the hostname, we realized that differs from example.com, it is CN=*.notExample.com

> keytool -printcert -file /path/mycerts/example.ca.pem
Owner: CN=*.notExample.com, O="Not Example Technologies, Inc", L=San Francisco, ST=California, C=US
Issuer: CN=GeoTrust SSL CA - G3, O=GeoTrust Inc., C=US
Serial number: 27ce5d06960d3796b9e8f6bb000d2de9
Valid from: Mon Jan 26 01:00:00 CET 2015 until: Sun Feb 19 00:59:59 CET 2017
Certificate fingerprints:
	 MD5:  CB:15:CD:A9:49:2C:D3:D1:AC:21:57:D9:12:F2:08:6D
	 SHA1: AB:F0:5B:A9:1A:E0:AE:5F:CE:32:2E:7C:66:67:49:EC:DD:6D:6A:38
	 SHA256: 31:33:B1:2F:37:92:4B:67:FC:CF:14:42:58:FC:BC:7D:E2:89:27:E8:7C:25:EC:67:47:EC:4D:95:29:15:7A:8D
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: ...