jenkins pluginManager 'Check Now' 'unable to find valid certification' error

Question

I just installed a new jenkins 2.77 instance on my Windows machine, running Java 1.8.0 #60.

I was expecting there to be some default plugins but it seems like none were installed when the instance was created.

When I go to check the available plugins tab, it reads:

Update information obtained: N/A ago

When I click on the 'Check now' button, I get an error with the following stack trace:

Stack trace:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
Caused: sun.security.validator.ValidatorException: PKIX path building failed
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
Caused: javax.net.ssl.SSLHandshakeException
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at hudson.model.DownloadService.loadJSON(DownloadService.java:167)
    at hudson.model.UpdateSite.updateDirectlyNow(UpdateSite.java:190)
    at hudson.PluginManager.doCheckUpdatesServer(PluginManager.java:1629)
    at java.lang.invoke.MethodHandle.invokeWithArguments(Unknown Source)
    at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343)
    at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:52)
    at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
    at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184)
    at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117)
    at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
    at org.kohsuke.stapler.MetaClass$2.doDispatch(MetaClass.java:186)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649)
    at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:841)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:135)
    at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:138)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
    at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:80)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
    at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:92)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
    at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90)
    at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
    at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
    at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
    at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
    at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
    at org.eclipse.jetty.server.Server.handle(Server.java:564)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:317)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:110)
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124)
    at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

Based on this post, I gather that I need to do some sort of key or ssh configuration but I'm not clear on all of the variables to use as they apply to this specific error.

How can I fix this issue?

Update 2017-09-11:

• I uninstalled Java and then installed the latest Java, 1.8.0 #44.
• I uninstalled Jenkins and deleted the folder in Program Files.
• I installed Jenkins 2.77

This time in the setup wizard I noticed a page informing me that Jenkins was offline.

I'm not sure what it means because I can connect to the internet. I gather that for whatever reason Jenkins cannot.

I am very sure now that when I originally installed Jenkins I saw this page and chose to skip plugin installation. It's likely that the "Jenkins is offline" message is related to the "unable to find valid certification path to requested target".

There seems to be a similar issue in this post.

Answer 1

Jenkins 2.77 changed the default URL of the Update Centre (UC) to use https:// rather than http://.

The Jenkins UC uses an SSL certificate from Let's Encrypt, but the root certificates that Let's Encrypt certificates depend on weren't added to Java 8 until update 101.

Upgrade your Java installation from 8u60 to at least 8u101, and it should work as expected.

Answer 2

This issue i had recently and the solution for Jenkins running on the Windows machine is to change the Java path in jenkins.xml configuration file - located at default path C:\Program Files (x86)\Jenkins\

First find the location of Java on the Windows machine. In administrator command prompt run this

for %i in (java.exe) do @echo.   %~$PATH:i

On the Windows 2012 R2 server in question it returned: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

Then stop jenkins service in services.msc

Then edit the jenkins.xml by commenting the default java path and entering the new one:

<!--executable>%BASE%\jre\bin\java</executable>-->
<executable>C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe</executable>

Finally start the jenkins service

Answer 3

I run into this intermittently on Jenkins installs. I've found two simple approaches that avoid fiddling around with security certificates all day.

skip-security-check plugin

First, you can install the skip-security-check plugin which I believe is packaged with Jenkins, so you don't need to reach out to download it.

Just use http

The second and simplest is to just go to the Jenkins Download Manager page in the admin console and update the URL so that the preamble is http instead of https.

I wrote a quick article on the topic, but the tl'dr is that you can simply change the url back to http://

Fix SunCertPathBuilderException in Jenkins

Answer 4

In my case, the solution for this was to simply disable my avast antivirus, but apparently, it's something related to a firewall blocking some access.

Answer 5

The correct solution is to NOT disable the certificate checks as a lot people have suggested but rather to add the website certificate to the Java keystore instead.

I'll list my own guide below which should work for Linux. I suspect the same imports will work in Windows as the keytool is bundled with Java but you're on your own when it comes to any openssl commands.

Download all required certificates in the chain (this is a command I found on SO, I can't find the link but it's not my own creation):

openssl s_client -showcerts -verify 5 -connect updates.jenkins-ci.org:443 < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/){a++}; out="cert"a".crt"; print >out}' && for cert in *.crt; do newname=$(openssl x509 -noout -subject -in $cert | sed -n 's/^.*CN=\(.*\)$/\1/; s/[ ,.*]/_/g; s/__/_/g; s/^_//g;p').pem; mv $cert $newname; done

You should now have 2 files:

Let's_Encrypt_Authority_X3.pem
pkg_origin_jenkins_io.pem

Concatenate the 2 files:

cat "Let's_Encrypt_Authority_X3.pem" pkg_origin_jenkins_io.pem > full_chain.pem

This next step is useful as the Java keytool is picky and the openssl package will fix any spacing issues. I have seen the keytool import fail even though openssl claimed it was valid so don't skip this step:

openssl x509 -in full_chain.pem -out full_chain_sanitized.pem

Now comes the fun part. I assume your Jenkins instance is running with some of the following arguments:

-Djavax.net.ssl.keyStore=/applications/configuration/pki/keystore.jks 
-Djavax.net.ssl.keyStorePassword=GOOD_PASSWORD 
-Djavax.net.ssl.trustStore=/applications/configuration/pki/truststore.jks 
-Djavax.net.ssl.trustStorePassword=GOOD_PASSWORD

Also note that you might not be using the custom keystores. In that case, you could try to include the certificate in the default cacerts file instead. Check the next section for details. If you are using any truststores, you will have configured a password so enter it when prompted.

Now we can import the Jenkins plugin site certificate. Make sure to use your own keytool path as it will differ from my own.

/applications/java/latest/bin/keytool -trustcacerts  -import -v -alias pkg_jenkins_io_full_chain -file full_chain_sanitized.pem -keystore /applications/configuration/pki/keystore.jks

/applications/java/latest/bin/keytool -trustcacerts  -import -v -alias pkg_jenkins_io_full_chain -file full_chain_sanitized.pem -keystore /applications/configuration/pki/truststore.jks

Restart your Jenkins server and the plugin site should work. If it doesn't (or if you weren't using custom keystores to begin with), you could try adding the certificate to the Java cacerts file but this is usually frowned upon as it will get replaced during any updates. A better option might be to instead create a backup, include the certificate in the copy and run Jenkins with using the copy as a truststore.

Remember that the default password for the cacerts store is 'changeit'

cp /apps/java/latest/jre/lib/security/cacerts /apps/java/latest/jre/lib/security/cacerts_copy

# Add the certificate to the keystore
/applications/java/latest/bin/keytool -trustcacerts -import -v -alias pkg_jenkins_io_full_chain -file full_chain_sanitized.pem -keystore /apps/java/latest/jre/lib/security/cacerts_copy

# Add -Djavax.net.ssl.trustStore= property to the Jenkins startup parameters, depending on your own OS.
# Just make sure to append it as such:
-Djavax.net.ssl.trustStore=/apps/java/latest/jre/lib/security/cacerts_copy

The https://stackoverflow.com/a/47316409/7569335 answer is good but it does not account for the custom keystore files scenario that I faced. Check it out as well as it has good info.