Jenkins – Git repository and self-signed certificate

When we want to connect Jenkins to an SCM server such as git or svn that uses a self-signed certificate (HTTPS connection), the following error can occur:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This is actually a Java error: Jenkins itself hits the URL before calling git.
So, even if you have set the http.sslVerify parameter to false in git's global configuration, this error will still be displayed.

If needed, you can check the kind of certificate a web server presents, or its validity, with the command:

openssl s_client -connect name.company.com:443

Depending on how Jenkins was installed on your server, there are two different ways to solve this problem.

 

1st case – with a Jenkins plugin

Use the following plugin: Skip Certificate Check plugin

https://wiki.jenkins-ci.org/display/JENKINS/Skip+Certificate+Check+plugin
There is no configuration to do.

 

2nd case – with the integration of the certificate in JVM

Certificate export

We export the certificate of the remote server hosting git and put it on the Jenkins server:
– For a website, we open https://name.company.com in our browser, for example
– Click on the lock next to the URL and choose “View Certificate”, then “Export…”
– Choose the format: X.509 certificate (PEM)
– Then we put this file on the Jenkins server

 

Commands for listing or importing certificates

On the Jenkins server, CAs are stored in a file named “cacerts”, which is password protected. The default password depends on the Java version: changeit OR changeme

This file can be found in different locations depending on how Java or Jenkins was installed. The following command helps narrow down the search:
locate cacerts

In my case, the file was here:

/etc/ssl/certs/java/cacerts

 

List the certificates/CA:

keytool -list -keystore /etc/ssl/certs/java/cacerts -v

 

Import a certificate (for example, the certificate name.company.com.pem):

keytool -import -keystore /etc/ssl/certs/java/cacerts -file name.company.com.pem

Here is the expected output:

Enter keystore password: 
Owner: EMAILADDRESS=admin@company.com, CN=name.company.com, OU=ADM, O=Company, L=Paris, ST=FR, C=FR
Issuer: CN=Company-CA, DC=Company, DC=com
Serial number: 49528850000000000391
Valid from: Thu Jul 09 11:32:57 CEST 2014 until: Sat Jul 08 11:32:57 CEST 2015
[...]
Trust this certificate? [no]:  yes
Certificate was added to keystore

There is no need to restart either Java or Jenkins; the new certificate is supposed to be recognized immediately and the authentication issues should be gone.
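
A scripted version of the export and import steps above, as an added example that is not part of the original post: it fetches the server certificate with openssl s_client and imports it only if its SHA-256 fingerprint matches one obtained separately from the server's administrator. The function names and the expected-fingerprint argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Read `openssl s_client` output on stdin and keep only the first PEM block,
# which is the server's own certificate.
extract_leaf_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
         on { print }
         /-----END CERTIFICATE-----/ { if (on) exit }'
}

# Reduce "sha256 Fingerprint=AB:CD:..." or "ab:cd:..." to bare uppercase hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# True only if both fingerprints are equal and the expected one is not empty.
fingerprints_match() {
    [ -n "$1" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Usage: fetch_and_import HOST EXPECTED_SHA256 KEYSTORE
# EXPECTED_SHA256 must come from the server's administrator, not from the
# connection being checked.
fetch_and_import() {
    host=$1; expected=$2; keystore=$3
    pem="$host.pem"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
        extract_leaf_pem > "$pem"
    [ -s "$pem" ] || { echo "no certificate received from $host" >&2; return 1; }
    actual=$(openssl x509 -in "$pem" -noout -fingerprint -sha256)
    if ! fingerprints_match "$expected" "$actual"; then
        echo "fingerprint mismatch for $host, nothing imported" >&2
        return 1
    fi
    # keytool asks for the keystore password, as in the manual import above.
    keytool -importcert -noprompt -alias "$host" -keystore "$keystore" -file "$pem"
}
```

Because -noprompt suppresses the “Trust this certificate?” question, the fingerprint comparison is the only check left between the network and the trust store.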
