When connecting Jenkins to an SCM server such as git or svn over HTTPS with a self-signed certificate, the following error can occur:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This is actually a Java error: Jenkins itself requests the URL before calling git.
So even if you have set the http.sslVerify parameter to false in git's global configuration, this error will still be displayed.
If needed, it’s possible to verify the kind of certificate of a web server or its validity with the command:
openssl s_client -connect name.company.com:443
Depending on how Jenkins was installed on your server, it seems there are two different ways to solve this problem.
1st case – with a Jenkins plugin
Use the following plugin: Skip Certificate Check plugin
No configuration is needed. Note that this plugin makes the Jenkins JVM skip all HTTPS certificate checks, not only those for the SCM server.
2nd case – importing the certificate into the JVM
We export the certificate of the remote server hosting git and copy it to the Jenkins server:
– In a browser, go to the site, for example https://name.company.com
– Click on the lock next to the URL and choose “View Certificate”, then “Export…”
– Choose the format: X.509 certificate (PEM)
– Then copy this file to the Jenkins server
Commands for listing and importing certificates
On the Jenkins server, CAs are stored in a file named “cacerts”, which is password protected. The default password depends on the Java version: changeit OR changeme
This file can be found in different locations depending on how Java or Jenkins was installed. With the following command, you can narrow down your search:
Personally, the file was there:
List the certificates/CA:
keytool -list -keystore /etc/ssl/certs/java/cacerts -v
Import a certificate (for example with the certificate name.company.com.pem):
keytool -import -keystore /etc/ssl/certs/java/cacerts -file name.company.com.pem
Here is the expected output:
Enter keystore password:
Owner: EMAILADDRESS=email@example.com, CN=name.company.com, OU=ADM, O=Company, L=Paris, ST=FR, C=FR
Issuer: CN=Company-CA, DC=Company, DC=com
Serial number: 49528850000000000391
Valid from: Thu Jul 09 11:32:57 CEST 2014 until: Sat Jul 08 11:32:57 CEST 2015
[...]
Trust this certificate? [no]: yes
Certificate was added to keystore
There is no need to restart either Java or Jenkins; the new certificate is supposed to be recognized immediately and the authentication issues gone.
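The steps of the 2nd case (inspect with openssl s_client, save the certificate as PEM, import it with keytool) combined into one script, as an added example that is not from the original post. The function names, the alias scheme and the confirmation prompt are assumptions; the keystore path is the one used in the commands above and may differ on your server.

```bash
#!/usr/bin/env bash
# Added example: fetch, inspect and import a server certificate into the Java truststore.
# Usage: ./trust-cert.sh name.company.com [port] [keystore]

# Keep only the first PEM block (the server's own certificate) from s_client output.
extract_leaf_pem() {
  awk '/-----BEGIN CERTIFICATE-----/ {on=1}
       on {print}
       /-----END CERTIFICATE-----/ && on {exit}'
}

# Derive a keystore alias from the host name (lower-case, safe characters only).
alias_for_host() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -c 'a-z0-9.-' '_'
}

main() {
  host=$1; port=${2:-443}
  keystore=${3:-/etc/ssl/certs/java/cacerts}   # path used on this page; yours may differ
  pem="$(alias_for_host "$host").pem"

  # -servername sends SNI so a virtual-hosted server returns the right certificate.
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | extract_leaf_pem > "$pem"
  [ -s "$pem" ] || { echo "no certificate received from $host:$port" >&2; return 1; }

  # Show what is about to be trusted; compare the fingerprint with the value
  # obtained from the server's administrator before answering "y".
  openssl x509 -in "$pem" -noout -subject -issuer -enddate -fingerprint -sha256
  printf 'Import into %s? [y/N] ' "$keystore"
  read -r answer
  [ "$answer" = y ] || { echo "aborted"; return 1; }

  # keytool prompts for the keystore password; an explicit alias makes the
  # entry easy to find and remove later.
  keytool -importcert -alias "$(alias_for_host "$host")" -keystore "$keystore" -file "$pem"
  keytool -list -alias "$(alias_for_host "$host")" -keystore "$keystore"
}

# Run only when a host name is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Comparing the SHA-256 fingerprint against a value received through another channel is what keeps this from being a blind trust-on-first-use import.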