
After upgrading our Jenkins image to jenkins/jenkins:2.263.4-lts, our job code is not syncing with GitHub Enterprise due to an SSL issue.

https://www.jenkins.io/doc/upgrade-guide/2.263/#upgrading-to-jenkins-lts-2-263-4

The Jenkins 2.263.4 Docker images labeled jenkins/jenkins:2.263.4-lts, jenkins/jenkins:2.263.4, and jenkins/jenkins:lts use the AdoptOpenJDK 8u282 release instead of using the OpenJDK 8u242 release from previous images. Those images also use Debian 10 ("Buster") instead of the Debian 9 ("Stretch") release that was used in previous images

I can see the base image OS version changed for this update, and Java too.
If I downgrade the image it works fine, so there is some issue with the certificate. Any idea why this issue is occurring?

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
Caused: sun.security.validator.ValidatorException: PKIX path building failed
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
    at sun.security.validator.Validator.validate(Validator.java:271)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
Caused: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1143)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1054)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394)
    at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
    at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
    at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
    at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
    at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:108)
    at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:88)
    at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
    at org.kohsuke.github.extras.okhttp3.ObsoleteUrlFactory$UnexpectedException.lambda$static$0(ObsoleteUrlFactory.java:1363)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:229)
    at okhttp3.RealCall.execute(RealCall.java:81)
    at org.kohsuke.github.extras.okhttp3.ObsoleteUrlFactory$OkHttpURLConnection.getResponse(ObsoleteUrlFactory.java:669)
    at org.kohsuke.github.extras.okhttp3.ObsoleteUrlFactory$OkHttpURLConnection.getResponseCode(ObsoleteUrlFactory.java:700)
    at org.kohsuke.github.extras.okhttp3.ObsoleteUrlFactory$DelegatingHttpsURLConnection.getResponseCode(ObsoleteUrlFactory.java:1062)
    at org.kohsuke.github.GitHubHttpUrlConnectionClient.getResponseInfo(GitHubHttpUrlConnectionClient.java:64)
    at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:394)
Caused: org.kohsuke.github.HttpException: Server returned HTTP response code: -1, message: 'null' for URL: https://xxxxxx/api/v3/rate_limit
    at org.kohsuke.github.GitHubClient.interpretApiError(GitHubClient.java:494)
    at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:414)
    at org.kohsuke.github.GitHubClient.getRateLimit(GitHubClient.java:232)
    at org.kohsuke.github.GitHubClient.rateLimit(GitHubClient.java:283)
    at org.kohsuke.github.GitHubRateLimitChecker.checkRateLimit(GitHubRateLimitChecker.java:122)
    at org.kohsuke.github.GitHubClient.sendRequest(GitHubClient.java:392)
    at org.kohsuke.github.GitHubClient.fetch(GitHubClient.java:129)
    at org.kohsuke.github.GitHubClient.checkApiUrlValidity(GitHubClient.java:325)
    at org.kohsuke.github.GitHub.checkApiUrlValidity(GitHub.java:1195)
    at org.jenkinsci.plugins.github_branch_source.Connector$GitHubConnection.verifyConnection(Connector.java:678)
Caused: java.io.IOException: It seems https://xxxxxxxx/api/v3 is unreachable
    at org.jenkinsci.plugins.github_branch_source.Connector$GitHubConnection.verifyConnection(Connector.java:681)
    at org.jenkinsci.plugins.github_branch_source.Connector$GitHubConnection.connect(Connector.java:635)
    at org.jenkinsci.plugins.github_branch_source.Connector$GitHubConnection.access$200(Connector.java:589)
    at org.jenkinsci.plugins.github_branch_source.Connector.connect(Connector.java:361)
    at org.jenkinsci.plugins.github_branch_source.GitHubSCMSource.retrieve(GitHubSCMSource.java:1582)
    at jenkins.scm.api.SCMSource.fetch(SCMSource.java:582)
    at org.jenkinsci.plugins.workflow.multibranch.SCMBinder.create(SCMBinder.java:98)
    at org.jenkinsci.plugins.workflow.job.WorkflowRun.run(WorkflowRun.java:309)
    at hudson.model.ResourceController.execute(ResourceController.java:97)
    at hudson.model.Executor.run(Executor.java:429)
Finished: FAILURE

I saw one link here.

https://github.com/jitsi/jitsi-meet/issues/8243

My dockerfile is

FROM jenkins/jenkins:2.263.4-lts

ENV GIT_MKVER_VERSION=1.2.0
ENV GIT_CHGLOG_VERSION=0.10.0
# Install packages
USER root
RUN apt-get update && apt-get install python-pip createrepo jq file zip -y && apt-get clean \
    && pip install awscli yamllint cerberus ruamel.yaml \
    && curl -SL https://github.com/idc101/git-mkver/releases/download/v${GIT_MKVER_VERSION}/git-mkver-linux-amd64-${GIT_MKVER_VERSION}.tar.gz > git-mkver.tar.gz \
    && tar xzvf git-mkver.tar.gz -C /usr/bin/ \
    && chmod +x /usr/bin/git-mkver \
    && rm -rf git-mkver.tar.gz \
    && curl -SL https://github.com/git-chglog/git-chglog/releases/download/${GIT_CHGLOG_VERSION}/git-chglog_linux_amd64 > /usr/bin/git-chglog \
    && chmod +x /usr/bin/git-chglog

# Install xxxx CA certificates
COPY *.crt /usr/local/share/ca-certificates/

RUN chmod 644 /usr/local/share/ca-certificates/xxxx_corp_*.crt && \
    update-ca-certificates

USER jenkins

2 Answers


  1. Chosen as BEST ANSWER

    Issue addressed by Jenkins:

    https://github.com/jenkins-infra/jenkins.io/pull/4168

    Workaround:

    https://github.com/jitsi/jitsi-meet/issues/8243#issuecomment-744181944

    FROM jenkins/jenkins:2.263.4-lts
    
    ENV GIT_MKVER_VERSION=1.2.0
    ENV GIT_CHGLOG_VERSION=0.10.0
    # Install packages
    USER root
    RUN apt-get update && apt-get install python-pip createrepo jq file zip -y && apt-get clean \
        && pip install awscli yamllint cerberus ruamel.yaml \
        && curl -SL https://github.com/idc101/git-mkver/releases/download/v${GIT_MKVER_VERSION}/git-mkver-linux-amd64-${GIT_MKVER_VERSION}.tar.gz > git-mkver.tar.gz \
        && tar xzvf git-mkver.tar.gz -C /usr/bin/ \
        && chmod +x /usr/bin/git-mkver \
        && rm -rf git-mkver.tar.gz \
        && curl -SL https://github.com/git-chglog/git-chglog/releases/download/${GIT_CHGLOG_VERSION}/git-chglog_linux_amd64 > /usr/bin/git-chglog \
        && chmod +x /usr/bin/git-chglog
    
    # Install xxxx CA certificates
    COPY *.crt /usr/local/share/ca-certificates/
    
    # Import each CA certificate into the JDK's own cacerts trust store
    RUN for file in /usr/local/share/ca-certificates/*.crt; do /opt/java/openjdk/bin/keytool -import -v -trustcacerts -noprompt -alias $(basename $file .crt) -file $file -keystore /opt/java/openjdk/jre/lib/security/cacerts -keypass changeit -storepass changeit; done
    
    
    RUN chmod 644 /usr/local/share/ca-certificates/xxxx_corp_*.crt && \
        update-ca-certificates
    
    USER jenkins
    

  2. Using answer as comments for the time being as I need formatting

    Try adopting the RUN statement mentioned below in your Dockerfile:

    RUN apt install -y ca-certificates && rm -rf /var/cache/apk/* && \
      find /usr/share/ca-certificates/mozilla/ -name "*.crt" -exec keytool -import -trustcacerts \
      -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts -storepass changeit -noprompt \
      -file {} -alias {} \; && \
      keytool -list -keystore /usr/lib/jvm/java-1.8-openjdk/jre/lib/security/cacerts -storepass changeit
    

    The paths in your Dockerfile will need to change accordingly
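
A check to run after the keytool import in the answers above, as an added example that is not part of either answer: it reports which CA files are still absent from the JVM trust store by comparing fingerprints against `keytool -list` output. The script name `check-truststore.sh` is hypothetical, and `keytool`, `awk`, `base64`, `sha1sum` and `sha256sum` are assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the answers): confirm CA files reached the JVM trust store.

# fingerprint ALGO FILE: colon-separated upper-case hex digest (ALGO: sha1 or
# sha256) of the DER bytes of the first certificate in the PEM file FILE.
fingerprint() {
    awk '/-----BEGIN CERTIFICATE-----/{on=1; next}
         /-----END CERTIFICATE-----/{exit}
         on' "$2" \
        | tr -d '\r' | base64 -d | "${1}sum" | cut -d' ' -f1 \
        | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# missing_certs LISTING CERT...: print each CERT whose SHA-1 and SHA-256
# fingerprints are both absent from LISTING (saved `keytool -list` output).
# Both digests are tried because keytool prints SHA-1 or SHA-256 depending
# on the JDK release.
missing_certs() {
    _listing=$1; shift
    for _crt in "$@"; do
        if ! grep -qiF -e "$(fingerprint sha256 "$_crt")" \
                       -e "$(fingerprint sha1 "$_crt")" "$_listing"; then
            echo "$_crt"
        fi
    done
}

# Usage inside the image (keystore path and password as in the first answer):
#   sh check-truststore.sh /opt/java/openjdk/jre/lib/security/cacerts \
#       /usr/local/share/ca-certificates/*.crt
if [ "$#" -ge 2 ]; then
    keystore=$1; shift
    listing=$(mktemp)
    keytool -list -keystore "$keystore" -storepass changeit > "$listing" || exit 2
    missing=$(missing_certs "$listing" "$@")
    rm -f "$listing"
    if [ -n "$missing" ]; then
        echo "Not in $keystore:" >&2
        echo "$missing" >&2
        exit 1
    fi
    echo "All certificates are present in $keystore"
fi
```

Run as a Dockerfile `RUN` step, a non-zero exit stops the image build before Jenkins ever hits the PKIX error at runtime.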
