From 2.419 to 2.426, it cannot find valid certification path to requested target when connecting with sonar server

I know Java should trust the keystore. Here is the solution I used before, but it doesn't work now.

Previous Solution [NOT WORKING NOW]

##### docker
# if your Jenkins runs in a container named "jenkins", do this:
docker exec jenkins sh -c "echo | openssl s_client -connect sonar.m.local:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /var/tmp/sonarqube.crt"

# delete it if it exists
docker exec jenkins sh -c "keytool -delete -alias sonarqube -cacerts -storepass changeit"

# import it with "-noprompt"
docker exec jenkins sh -c "keytool -import -alias sonarqube -file /var/tmp/sonarqube.crt -cacerts -storepass changeit -noprompt"

Error Info

hudson.remoting.ProxyException: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:127)
	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
Caused: hudson.remoting.ProxyException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
	at java.base/sun.security.validator.Validator.validate(Validator.java:264)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341)
Caused: hudson.remoting.ProxyException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
	at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
	at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
	at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
	at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
	at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
	at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
	at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
	at hudson.plugins.sonar.client.HttpClient.httpCall(HttpClient.java:70)
Also:   org.jenkinsci.plugins.workflow.actions.ErrorAction$ErrorId: 5dcceaf2-3273-4b76-81d0-2b0707ff8c04
Caused: hudson.remoting.ProxyException: java.lang.IllegalStateException: Fail to request https://sonar.m.local/api/server/version
	at hudson.plugins.sonar.client.HttpClient.httpCall(HttpClient.java:72)
	at hudson.plugins.sonar.client.HttpClient.getHttp(HttpClient.java:42)
	at hudson.plugins.sonar.client.WsClient.getServerVersion(WsClient.java:82)
	at hudson.plugins.sonar.utils.SonarUtils.getVersion(SonarUtils.java:248)
	at hudson.plugins.sonar.utils.SonarUtils.getTokenProperty(SonarUtils.java:236)
	at hudson.plugins.sonar.SonarBuildWrapper.createVars(SonarBuildWrapper.java:164)
	at hudson.plugins.sonar.SonarBuildWrapper.setUp(SonarBuildWrapper.java:128)
	at org.jenkinsci.plugins.workflow.steps.CoreWrapperStep$Execution2.doStart(CoreWrapperStep.java:121)
	at org.jenkinsci.plugins.workflow.steps.GeneralNonBlockingStepExecution.lambda$run$0(GeneralNonBlockingStepExecution.java:77)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:833)
Finished: FAILURE

Here is the previous error log, which is different from the current one:

ERROR: SonarQube server [https://sonar.m.local] can not be reached
...
...
ERROR: Error during SonarScanner execution
org.sonarsource.scanner.api.internal.ScannerException: Unable to execute SonarScanner analysis
...
...
Caused by: java.lang.IllegalStateException: Fail to get bootstrap index from server
...
...
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
...

Hi there,

After I rolled back Jenkins to 2.419 and ran the solution I used before, everything works fine.

So, it is a bug generated by versions after 2.419.

Hopefully it can be fixed soon.

Any progress? Looking forward to your response.

Hello @pplmx,

You should maybe open an issue on the Jira bug tracker for this.
https://issues.jenkins.io/secure/CreateIssue!default.jspa

Opened, Jenkins JIRA


Try this (works for me now):

Append this argument:

  • -trustcacerts

##### docker
# if your Jenkins runs in a container named "jenkins", do this:
docker exec jenkins sh -c "echo | openssl s_client -connect sonar.m.local:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /var/tmp/sonarqube.crt"

# delete it if it exists
docker exec jenkins sh -c "keytool -delete -alias sonarqube -cacerts -storepass changeit"

# import it with "-noprompt"
docker exec jenkins sh -c "keytool -import -alias sonarqube -file /var/tmp/sonarqube.crt -cacerts -storepass changeit -noprompt -trustcacerts"

BTW

I also upgraded to 2.430

Thanks for the feedback, @pplmx. :+1:
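
A check that can sit between the `openssl s_client` fetch and the `keytool -import` step in the posts above, as an added example that is not part of the original thread: it extracts the certificate block from the `s_client` output, computes its SHA-256 fingerprint, and accepts it only if it matches a fingerprint obtained out of band (for example from the SonarQube administrator). The function names and the sample handshake text are constructed for illustration; the sample's base64 body is not a real certificate.

```shell
#!/bin/sh
# Added example: gate the truststore import on a pinned SHA-256 fingerprint,
# so that whatever answers on port 443 is not trusted blindly.

# Print the first PEM certificate found on stdin (s_client output).
first_cert() {
  awk '/-BEGIN CERTIFICATE-/     {on=1}
       on                        {print}
       /-END CERTIFICATE-/ && on {exit}'
}

# Print the lowercase hex SHA-256 of the DER bytes of a PEM cert on stdin.
cert_sha256() {
  grep -v -- '-----' | tr -d ' \r\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# Normalise a fingerprint: keytool prints AA:BB:..., we compare lowercase hex.
norm_fp() {
  printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'
}

# verify_pin EXPECTED_FP < s_client_output ; returns 0 only on a match.
verify_pin() {
  want=$(norm_fp "$1")
  pem=$(first_cert)
  [ -n "$pem" ] || return 1          # no certificate in the input at all
  got=$(printf '%s\n' "$pem" | cert_sha256)
  [ "$got" = "$want" ]
}

# Constructed sample: the base64 body decodes to the text "hello", not a
# real certificate; only the PEM framing matters for this demonstration.
SAMPLE='CONNECTED(00000003)
depth=0 CN = sonar.m.local
-----BEGIN CERTIFICATE-----
aGVsbG8=
-----END CERTIFICATE-----
subject=CN = sonar.m.local'
```

With a real fetch, the saved `s_client` output is piped into `verify_pin` and the import runs only when it returns 0.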