stackoom
  简体   繁体   中英

Jenkins Windows slave thinks my cert is invalid

 原文  2018-03-28 21:43:29       java/ windows/ jenkins/ java-web-start/ jenkins-slave

Question

Following the docs to use Java Web Start and I'm up to the point where I'm running this command on the slave to connect to the master:

java -jar agent.jar -jnlpUrl https://my-server.com:8888/computer/myslave/slave-agent.jnlp -secret sdfsdfsdfsdf -workDir "c:\Jenkins"

I have a valid public cert. From the slave I can access https://my-server.com:8888 and chrome says the cert is valid so why is jenkins complaining? Seems dumb to use -noCertificateCheck when I paid good money for the damn thing

Mar 28, 2018 9:34:49 PM org.jenkinsci.remoting.engine.WorkDirManager initializeWorkDir INFO: Using c:\\Jenkins\\remoting as a remoting work directory Both error and output logs will be printed to c:\\Jenkins\\remoting Exception in thread "main" java.io.IOException: Failed to validate a server certificate. If you are using a self-signed certificate, you can use the -noCertificateCheck option to bypass this check. at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:548) at hudson.remoting.Launcher.run(Launcher.java:322) at hudson.remoting.Launcher.main(Launcher.java:283) Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid c ertification path to requested target at sun.security.ssl.Alerts.getSSLException(Unknown Source) at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source) at sun.security.ssl.Handshaker.fatalSE(Unknown Source) at sun.security.ssl.Handshaker.fatalSE(Unknown Source) at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source) at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) at sun.security.ssl.Handshaker.processLoop(Unknown Source) at sun.security.ssl.Handshaker.process_record(Unknown Source) at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) at sun.security.ssl.SSLSocketImpl.performIniti alHandshake(Unknown Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source) at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:490) ... 2 more Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(Unknown Source) at sun.security.validator.PKIXValidator.engineValidate(Unknown Source) at sun.security.validator.Validator.validate(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Sou rce) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) ... 14 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) at java.security.cert.CertPathBuilder.build(Unknown Source) ... 20 more

EDIT: So I can't connect at all. If I use -noCertificateCheck I get Incorrect acknowledgement sequence Im assuming because Im using HTTPS without validating the cert

3 answers

solution1
 2  2018-03-29 16:22:36

In your question you use port 8888 ( https://my-server.com:8888 ). The jnlp scripts that I have seen the port is not present or is 443.

When I once saw an error like yours, I imported the certificate into the Java keystore. For more details here.

keytool -import -alias $ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts -file $PATH_TO_PEM_FILE

This import should be needed only for not public certificates, like self-signed, but you can try. There could be certificate chain as explained here .

solution2
 1 ACCPTED  2020-03-19 15:54:14

my issue was i needed to import the entire cert chain into the java keystore

browsers like chrome will follow aia extensions and download the chain for you but the java keystore wants to make your life hard.

solution3
 0  2021-06-18 19:31:26

I tried to

  1. update Java on salve machine to get the Java latest trust store.
  2. update Java trust store manually with public SSL (steps) .

But nothing worked above.

Finally, I was able to connect to the master server from the slave by bypassing the -noCertificateCheck at end of the below command:

java -jar agent.jar -jnlpUrl https://example.com/computer/windows_slave/jenkins-agent.jnlp -secret [secret] -noCertificateCheck

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Jenkins windows ssh slave access denied Issue connecting windows 7 slave to debian master on jenkins Jenkins cannot start process on Windows Slave Jenkins Windows Slave JNLP connect error Creating Jenkins Slave On Windows 2008 R2 Box Unable to run mvn.bat on Jenkins with master/slave on Windows Need to upload file through browser window on jenkins slave (Windows) but file is on jenkins master (linux) Using maven on a Jenkins slave Jenkins Slave “Connection Refused” Jenkins Linux Slave Locale
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM