Symptoms
-
I have added a certificate to a truststore but I am still getting
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException
Diagnostic/Treatment
-
Pre-condition: How to install a new SSL certificate guide.
Check Jenkins JVM can reach out to a Server via SSL
From the Script Console ($JENKINS_URL/script):
def url = "$serverUrl"
def connection = new URL(url).openConnection() as HttpURLConnection
connection.with {
println "ResponseCode: ${responseCode}"
println "Body: ${inputStream.text}"
}
A more extended script is here: checkSSLConnection.
Validate the truststore outside Jenkins
To test the connection with a plain "java command" run jrunscript -Djavax.net.ssl.trustStore=<JENKINS_TRUSTSTORE_FILE> -Djavax.net.ssl.trustStorePassword=<JENKINS_TRUSTSTORE_PASS> -e "println(new java.net.URL(\"<URL>\").openConnection().getResponseCode())"
Note:
-
Do not forget to include all quotes (").
-
If everything is fine the expected response is
200
In case you get a different result that expect response (200).
A - Firstly, verify your certificate is included in the <JENKINS_TRUSTSTORE_FILE>
by:
keytool -list -v -keystore cacerts -alias <YOUR_ALIAS_HERE>
B -In case the javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching <SERVER_HOSTNAME> found
. Check that the "CN" (Common Name) attribute of the "Owner" entry matches with the <SERVER_HOSTNAME>
used by CJE or CJOC (also check the "SubjectAlternativeName" section for Multi hostname certificates)
keytool -printcert -file path/to/<YOUR_CA_FILE>.pem
Example:
> jrunscript -Djavax.net.ssl.trustStore=./cacerts-with-jenkins.example.com.jks -Djavax.net.ssl.trustStorePassword=changeit -e "println(new java.net.URL(\"https://jenkins.example.com\").openConnection().getResponseCode())"
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching "https://jenkins.example.com found
at jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:397)
at jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:446)
at jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:403)
at jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:399)
at jdk.nashorn.api.scripting.NashornScriptEngine.eval(NashornScriptEngine.java:155)
at javax.script.AbstractScriptEngine.eval(AbstractScriptEngine.java:264)
at com.sun.tools.script.shell.Main.evaluateString(Main.java:298)
at com.sun.tools.script.shell.Main.evaluateString(Main.java:319)
at com.sun.tools.script.shell.Main.access$300(Main.java:37)
at com.sun.tools.script.shell.Main$3.run(Main.java:217)
at com.sun.tools.script.shell.Main.main(Main.java:48)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching jenkins.example.com found
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1474)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
at jdk.nashorn.internal.scripts.Script$1$\^string\_.:program(<string>:1)
at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:637)
at jdk.nashorn.internal.runtime.ScriptFunction.invoke(ScriptFunction.java:494)
at jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:393)
... 10 more
Caused by: java.security.cert.CertificateException: No name matching jenkins.example.com found
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:221)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:95)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
... 27 more
Then checking the hostname, we realized that differs from example.com, it is CN=*.notExample.com
> keytool -printcert -file /path/mycerts/example.ca.pem
Owner: CN=*.notExample.com, O="Not Example Technologies, Inc", L=San Francisco, ST=California, C=US
Issuer: CN=GeoTrust SSL CA - G3, O=GeoTrust Inc., C=US
Serial number: 27ce5d06960d3796b9e8f6bb000d2de9
Valid from: Mon Jan 26 01:00:00 CET 2015 until: Sun Feb 19 00:59:59 CET 2017
Certificate fingerprints:
MD5: CB:15:CD:A9:49:2C:D3:D1:AC:21:57:D9:12:F2:08:6D
SHA1: AB:F0:5B:A9:1A:E0:AE:5F:CE:32:2E:7C:66:67:49:EC:DD:6D:6A:38
SHA256: 31:33:B1:2F:37:92:4B:67:FC:CF:14:42:58:FC:BC:7D:E2:89:27:E8:7C:25:EC:67:47:EC:4D:95:29:15:7A:8D
Signature algorithm name: SHA256withRSA
Version: 3
Extensions: ...