
Certificate Errors With Jenkins Estimate Plugin

Overview:

Some Jenkins servers have seen issues where the plug-in cannot communicate with the associated PaaSLane server because of certificate errors. The log errors look similar to this:

Apr 17, 2014 3:15:28 PM com.cloudtp.plugin.estimate.rest.RestConnection estimateApplication
INFO: Some problem estimating C:\Jenkins\workspace\MyApp_CI\target\project.war with the PaaSLane REST interface, see stack-trace for more information
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.jersey.client.apache.DefaultApacheHttpMethodExecutor.executeMethod(DefaultApacheHttpMethodExecutor.java:213)
at com.sun.jersey.client.apache.ApacheHttpClientHandler.handle(ApacheHttpClientHandler.java:175)
at com.sun.jersey.api.client.Client.handle(Client.java:648)
at com.sun.jersey.api.client.WebResource.handle(WebResource.java:680)
at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:568)
at com.cloudtp.plugin.estimate.rest.RestConnection.estimateApplication(RestConnection.java:78)
at com.cloudtp.plugin.estimate.EstimateBuilder$UploadModuleTask.run(EstimateBuilder.java:256)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
at java.io.BufferedOutputStream.write(Unknown Source)
at java.io.FilterOutputStream.write(Unknown Source)
at com.sun.jersey.client.apache.DefaultApacheHttpMethodExecutor$3.writeRequest(DefaultApacheHttpMethodExecutor.java:186)
at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at com.sun.jersey.client.apache.DefaultApacheHttpMethodExecutor.executeMethod(DefaultApacheHttpMethodExecutor.java:210)
... 10 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(Unknown Source)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 29 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 35 more

Reason:

    When Jenkins is installed, the local JDK comes with a list of Certificate Authorities that it knows about. Once that JDK has been released, it is up to the system owner to update the Java installation or the list of Certificate Authorities that it knows about and trusts. Based on our work to patch libraries affected by the Heartbleed vulnerability (http://heartbleed.com/), PaaSLane was issued a new certificate from GoDaddy with a higher level of encryption and a new Certificate Authority.

 

Resolution:

    If you find that your installation of the Estimate Plugin is having issues connecting to the PaaSLane server, you may want to update your CACERTS by following the steps below:

Windows:

  1. Download the root certificate (gdroot-g2.crt) from GoDaddy.
  2. Check or define the JAVA_HOME environment variable, and make sure it points to the home of the Java installation used by Jenkins.
    1. For example: C:\>set JAVA_HOME=c:\Program Files\Java\jre7
  3. Add the certificate to the Java cacerts keystore (run this from the directory that contains gdroot-g2.crt; this also assumes the default keystore password of "changeit"):
    1. C:\>"%JAVA_HOME%\bin\keytool" -import -file gdroot-g2.crt -alias gdrootg2 -storepass changeit -trustcacerts -keystore "%JAVA_HOME%\lib\security\cacerts"

 

Unix/Linux:

  1. Download the root certificate (gdroot-g2.crt) from GoDaddy.
  2. Check or define the JAVA_HOME environment variable, and make sure it points to the home of the Java installation used by Jenkins.
  3. Add the certificate to the Java cacerts keystore (run this from the directory that contains gdroot-g2.crt; this also assumes the default keystore password of "changeit"; if JAVA_HOME points at a JRE rather than a JDK, the keystore is at $JAVA_HOME/lib/security/cacerts):
    1. "$JAVA_HOME/bin/keytool" -import -file gdroot-g2.crt -alias gdrootg2 -storepass changeit -trustcacerts -keystore "$JAVA_HOME/jre/lib/security/cacerts"
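
As an added example (not part of the original article or the plug-in), the Unix/Linux import can be wrapped so that the downloaded certificate is checked against a fingerprint obtained separately from the CA before it is trusted, with the keystore backed up first and the new entry listed afterwards. The function names and the script name import_ca.sh are hypothetical, the expected fingerprint is a placeholder you supply, and keytool from Java 7 or later is assumed because the check reads its SHA256 line.

```shell
#!/bin/sh
# Added example: verify the root certificate before trusting it, then import it.
# Usage (fingerprint is a placeholder; take it from the CA's own site):
#   JAVA_HOME=/path/to/java sh import_ca.sh gdroot-g2.crt gdrootg2 "<SHA-256 fingerprint>"

# Print the cacerts path for a Java home: JDK layout first, then JRE layout.
find_cacerts() {
    for candidate in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Read `keytool -printcert` output on stdin and print the SHA256 fingerprint.
extract_sha256() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1
}

# Make fingerprints comparable: drop colons and spaces, upper-case hex digits.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# import_root_ca CERT_FILE ALIAS EXPECTED_SHA256
import_root_ca() {
    store=$(find_cacerts "$JAVA_HOME") || {
        echo "no cacerts found under JAVA_HOME=$JAVA_HOME" >&2
        return 1
    }
    actual=$("$JAVA_HOME/bin/keytool" -printcert -file "$1" | extract_sha256)
    if [ -z "$actual" ] || [ "$(normalize_fp "$actual")" != "$(normalize_fp "$3")" ]; then
        echo "fingerprint mismatch for $1, nothing imported" >&2
        return 1
    fi
    cp -p "$store" "$store.bak" || return 1   # keep a rollback copy
    "$JAVA_HOME/bin/keytool" -import -noprompt -file "$1" -alias "$2" \
        -storepass changeit -trustcacerts -keystore "$store" || return 1
    # Confirm the alias is now present in the keystore.
    "$JAVA_HOME/bin/keytool" -list -alias "$2" -storepass changeit -keystore "$store"
}

if [ "$#" -eq 3 ]; then
    import_root_ca "$@"
fi
```

Restart Jenkins after a successful import so the JVM reloads its trust store.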

 
