Jenkins 2.414.3 behind proxy, plugin check SSL error

Hi forum,

I have a general problem with Jenkins (using 2.414.3) running behind an egress corporate proxy to the internet.
I configured the proxy in the “Advanced settings”, but I cannot connect to the update URL:

There were errors checking the update sites: SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I added the complete cert chain (updates.jenkins.io CERT, Let's Encrypt R3 CERT, ISRG Root X1 CERT) to my Jenkins keystore, but still no success…

Am I missing something here and can someone give advice?
Thanks for any help!

I added the certs now not to the Jenkins keystore but to the Java cacerts keystore under /etc/pki/java/cacerts, and now it works!

Well, at least it worked until I actually wanted to upgrade a plugin. That leads to some other server where the download happens, and then the same error happens again.
Is there a way to accept all certs without importing them all?

Hi @muelli and welcome to this community. :wave:

This is a common issue when running Jenkins (or any piece of software needing to get access to the Internet) behind a corporate proxy, as the proxy can interfere with the SSL handshake process.

I think one way to solve this issue would be to import the SSL certificates of all the sites Jenkins needs to connect to into the Java keystore used by Jenkins. :thinking:
However, as you’ve noticed, this can be cumbersome if Jenkins needs to connect to many different sites. :sweat:

:warning: Another (bad!) approach would be to configure the JVM running Jenkins to trust all SSL certificates.
However, this approach is generally not recommended for production environments as it makes the Jenkins instance vulnerable to man-in-the-middle attacks. :person_shrugging:
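
Added example, not part of any post in this thread: a shell check that reads the chain summary from `openssl s_client -showcerts` and tells whether the certificate for updates.jenkins.io is still issued by Let's Encrypt or has been re-signed on the way. It assumes the proxy performs TLS inspection with its own CA; in that case importing that one CA, instead of each site's certificates or trusting everything, covers the update site and the download servers alike. The proxy address, the `Example Corp` names, `corp-root.pem`, the alias and the function names are hypothetical, and both sample chains are constructed.

```shell
#!/bin/sh
# Constructed sample: chain summary as seen without TLS inspection.
SAMPLE_DIRECT=" 0 s:CN = updates.jenkins.io
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1"
# Constructed sample: same site behind an inspecting proxy (made-up CA names).
SAMPLE_PROXIED=" 0 s:CN = updates.jenkins.io
   i:O = Example Corp, CN = Example Corp Issuing CA
 1 s:O = Example Corp, CN = Example Corp Issuing CA
   i:O = Example Corp, CN = Example Corp Root CA"

# Fetch the chain the JVM will actually be shown (needs OpenSSL 1.1.0+ for -proxy).
# Usage: fetch_chain proxy.example.internal:3128 updates.jenkins.io
fetch_chain() {
  openssl s_client -proxy "$1" -connect "$2:443" -servername "$2" \
    -showcerts </dev/null 2>/dev/null
}

# Issuer of the server certificate (first "i:" line of the chain summary).
leaf_issuer() { printf '%s\n' "$1" | sed -n 's/^ *i:\(.*\)$/\1/p' | head -n 1; }
# Issuer of the last certificate sent: the trust anchor the JVM must know.
top_issuer() { printf '%s\n' "$1" | sed -n 's/^ *i:\(.*\)$/\1/p' | tail -n 1; }

# $1 = s_client output, $2 = substring expected in the leaf issuer.
classify_chain() {
  case "$(leaf_issuer "$1")" in
    "") echo unknown ;;          # no chain at all: proxy refused or wrong address
    *"$2"*) echo public ;;       # leaf still issued by the expected public CA
    *) echo intercepted ;;       # leaf re-signed by some other CA
  esac
}

report() {
  case "$(classify_chain "$1" "Let's Encrypt")" in
    intercepted)
      echo "Leaf re-signed; JVM needs to trust: $(top_issuer "$1")"
      # Get the CA file from the proxy team, not from the handshake itself.
      echo "keytool -importcert -trustcacerts -alias corp-proxy-root" \
           "-file corp-root.pem -keystore /etc/pki/java/cacerts" ;;
    public) echo "Public chain; check which truststore the Jenkins JVM loads" ;;
    *) echo "No chain received; check proxy address and CONNECT access" ;;
  esac
}

report "$SAMPLE_PROXIED"   # offline demo on the constructed sample
```

Against a live setup, pass the output of `fetch_chain` to `report` in place of the sample variable.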