Disable TLS with the Publish to S3 Plugin and a S3 Compatable Alternative Endpoint

tuaris · September 5, 2024, 10:08pm

Jenkins setup:

FreeBSD 14.0
Jenkins Version: 2.471
Local S3 Alternative: Garage (https://garagehq.deuxfleurs.fr/)

I’ve setup the plugin to use an alternate endpoint according to the instructions under S3 publisher

My endpoints.json contains the following

		  "garage" : {
            "hostname" : "s3.garage.test.local",
            "signatureVersions" : [ "s3", "s3v4" ],
			"protocols" : [ "http" ]
          },

However, it still attempts to connect using HTTPS:

Running as SYSTEM
Building in workspace /usr/local/jenkins/workspace/TestDeploy
[TestDeploy] $ /bin/sh -xe /tmp/jenkins15101491802539913648.sh
+ echo test
Publish artifacts to S3 Bucket Build is still running
Publish artifacts to S3 Bucket Using S3 profile: Garage
Publish artifacts to S3 Bucket bucket=builds, file=test.txt region=garage, will be uploaded from slave=false managed=false , server encryption false
ERROR: Failed to upload files
com.amazonaws.SdkClientException: Unable to execute HTTP request: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleRetryableException(AmazonHttpClient.java:1219)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1165)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:814)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:781)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:755)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:715)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:697)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:561)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:541)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:5558)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:5505)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.services.s3.AmazonS3Client.access$300(AmazonS3Client.java:423)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.services.s3.AmazonS3Client$PutObjectStrategy.invokeServiceCall(AmazonS3Client.java:6639)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.services.s3.AmazonS3Client.uploadObject(AmazonS3Client.java:1892)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.services.s3.AmazonS3Client.putObject(AmazonS3Client.java:1852)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.services.s3.transfer.internal.UploadCallable.uploadInOneChunk(UploadCallable.java:169)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.services.s3.transfer.internal.UploadCallable.call(UploadCallable.java:149)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.services.s3.transfer.internal.UploadMonitor.call(UploadMonitor.java:115)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.services.s3.transfer.internal.UploadMonitor.call(UploadMonitor.java:45)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1351)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1226)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1169)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
	at PluginClassLoader for apache-httpcomponents-client-4-api//org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
	at PluginClassLoader for apache-httpcomponents-client-4-api//org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.conn.ssl.SdkTLSSocketFactory.connectSocket(SdkTLSSocketFactory.java:143)
	at PluginClassLoader for apache-httpcomponents-client-4-api//org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
	at PluginClassLoader for apache-httpcomponents-client-4-api//org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.conn.ClientConnectionManagerFactory$Handler.invoke(ClientConnectionManagerFactory.java:76)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.conn.$Proxy91.connect(Unknown Source)
	at PluginClassLoader for apache-httpcomponents-client-4-api//org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
	at PluginClassLoader for apache-httpcomponents-client-4-api//org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
	at PluginClassLoader for apache-httpcomponents-client-4-api//org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
	at PluginClassLoader for apache-httpcomponents-client-4-api//org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
	at PluginClassLoader for apache-httpcomponents-client-4-api//org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
	at PluginClassLoader for apache-httpcomponents-client-4-api//org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.apache.client.impl.SdkHttpClient.execute(SdkHttpClient.java:72)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1346)
	at PluginClassLoader for aws-java-sdk-minimal//com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1157)
	... 21 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
	at java.base/sun.security.validator.Validator.validate(Validator.java:264)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335)
	... 52 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
	... 57 more
Build step 'Publish artifacts to S3 Bucket' changed build result to UNSTABLE
Finished: UNSTABLE

What is the correct way to disable HTTPS and use only HTTP?

poddingue · September 10, 2024, 9:50am

Hello and welcome to this community, @tuaris.

In your Jenkins job configuration, make sure that the S3 bucket URL is explicitly set to use HTTP.

This should be doable in the S3 plugin settings within the job configuration.
You can also try to set an environment variable to force the AWS SDK to use HTTP. Add the following to your Jenkins job configuration:
export AWS_ENDPOINT_URL="http://s3.garage.test.local"

That being said, I’m not so sure it’s such a good idea to keep HTTP.

Topic		Replies	Views
Newbie, seems I can't get certs right for SSL/TSL Ask a question docker	0	252	May 24, 2024
Jenkins 2.414.3 behind proxy, plugin check SSL error Using Jenkins question	2	2248	November 15, 2023
Unable to install Jenkins Plugin after upgrading the jenkins version to 2.455 Using Jenkins question	1	317	May 6, 2024
Jenkins refuses to serve jks keystore, claiming it's invalid Ask a question	5	2098	June 7, 2024
Unable to get SSL working on Jenkins running on Linux Using Jenkins	2	2022	October 16, 2023

Disable TLS with the Publish to S3 Plugin and a S3 Compatable Alternative Endpoint

Related topics