LDAP error "unable to find valid certification path"

I am trying to get Jenkins to make an LDAPS lookup on a server.
With this “ldaps://DKSGDx.txxx.xxx”
But I keep getting this error:
[Root exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

I have tried to import the certificate, as described in
https://community.progress.com/s/article/LDAPS-authentication-fails-due-to-javax-net-ssl-SSLHandshakeException
and
https://community.bmc.com/s/article/AMA1210-How-can-I-import-a-SSL-certificate-into-the-Java-Truststore-to-have-Jenkins-use-it-to-connect-to-the-Mainframe

But still the same error. What can I do now to debug the issue?

Jenkins setup:
Jenkins: 2.436
OS: Windows Server 2016 - 10.0
Java: 21 - Oracle Corporation (Java HotSpot™ 64-Bit Server VM)

Matrix-sorter-plugin:1.3
Parameterized-Remote-Trigger:3.2.0
Surround-SCM-plugin:1.12
active-directory:2.34
ant:497.v94e7d9fffa_b_9
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
authentication-tokens:1.53.v1c90fd9191a_b_
bootstrap5-api:5.3.2-3
bouncycastle-api:2.30.1.77-225.v26ea_c9455fd9
branch-api:2.1135.v8de8e7899051
build-name-setter:2.4.0
build-timeout:1.31
build-user-vars-plugin:1.9
caffeine-api:3.1.8-133.v17b_1ff2e0599
categorized-view:1.13
checks-api:2.0.2
cloudbees-disk-usage-simple:187.v6378d330d1d4
cloudbees-folder:6.858.v898218f3609d
cobertura:1.17
code-coverage-api:4.99.0
codecover:1.1
command-launcher:107.v773860566e2e
commons-lang3-api:3.13.0-62.v7d18e55f51e2
commons-text-api:1.11.0-95.v22a_d30ee5d36
conditional-buildstep:1.4.3
coverage:1.6.0
credentials:1311.vcf0a_900b_37c2
credentials-binding:642.v737c34dea_6c2
data-tables-api:1.13.8-2
display-url-api:2.200.vb_9327d658781
docker-commons:439.va_3cb_0a_6a_fb_29
docker-workflow:572.v950f58993843
durable-task:523.va_a_22cf15d5e0
echarts-api:5.4.3-2
email-ext:2.102
envinject:2.908.v66a_774b_31d93
envinject-api:1.199.v3ce31253ed13
export-params:1.9
extended-read-permission:53.v6499940139e5
external-monitor-job:215.v2e88e894db_f8
extra-columns:1.26
ez-templates:1.3.5
flexible-publish:0.16.1
font-awesome-api:6.5.1-1
forensics-api:2.3.0
generic-webhook-trigger:1.88.2
git:5.2.1
git-client:4.6.0
git-server:99.va_0826a_b_cdfa_d
github:1.37.3.1
github-api:1.318-461.v7a_c09c9fa_d63
github-branch-source:1755.vcdb_d136f3b_25
gradle:2.9
instance-identity:185.v303dc7c645f9
ionicons-api:56.v1b_1c8c49374e
jackson2-api:2.15.3-372.v309620682326
jakarta-activation-api:2.0.1-3
jakarta-mail-api:2.0.1-3
javadoc:243.vb_b_503b_b_45537
javax-activation-api:1.2.0-6
javax-mail-api:1.6.2-9
jaxb:2.3.9-1
jdk-tool:73.vddf737284550
jjwt-api:0.11.5-77.v646c772fddb_0
jnr-posix-api:3.1.18-1
jquery3-api:3.7.1-1
jsch:0.2.8-65.v052c39de79b_2
json-path-api:2.8.0-5.v07cb_a_1ca_738c
junit:1240.vf9529b_881428
ldap:711.vb_d1a_491714dc
lockable-resources:1218.va_3dd45e2b_fa_7
mailer:463.vedf8358e006b_
mapdb-api:1.0.9-28.vf251ce40855d
matrix-auth:3.2.1
matrix-combinations-parameter:1.3.3
matrix-project:818.v7eb_e657db_924
maven-plugin:3.23
mina-sshd-api-common:2.11.0-86.v836f585d47fa_
mina-sshd-api-core:2.11.0-86.v836f585d47fa_
okhttp-api:4.11.0-157.v6852a_a_fa_ec11
pam-auth:1.10
parameter-separator:129.v86b_98b_cb_5274
parameterized-trigger:787.v665fcf2a_830b_
persistent-parameter:1.3
pipeline-build-step:539.v8c889169451f
pipeline-github-lib:42.v0739460cda_c4
pipeline-graph-analysis:202.va_d268e64deb_3
pipeline-groovy-lib:689.veec561a_dee13
pipeline-input-step:477.v339683a_8d55e
pipeline-milestone-step:111.v449306f708b_7
pipeline-model-api:2.2151.ve32c9d209a_3f
pipeline-model-definition:2.2151.ve32c9d209a_3f
pipeline-model-extensions:2.2151.ve32c9d209a_3f
pipeline-rest-api:2.34
pipeline-stage-step:305.ve96d0205c1c6
pipeline-stage-tags-metadata:2.2151.ve32c9d209a_3f
pipeline-stage-view:2.34
plain-credentials:143.v1b_df8b_d3b_e48
plugin-util-api:3.6.0
powershell:2.1
prism-api:1.29.0-10
purge-build-queue-plugin:88.v23b_97b_f2c7a_d
rebuild:330.v645b_7df10e2a_
resource-disposer:0.23
run-condition:1.7
saml:4.429.v9a_781a_61f1da_
scm-api:683.vb_16722fb_b_80b_
script-security:1294.v99333c047434
simple-parameterized-builds-report:1.5
snakeyaml-api:2.2-111.vc6598e30cc65
sonarqube-generic-coverage:1.0
ssh-credentials:308.ve4497b_ccd8f4
ssh-slaves:2.916.vd17b_43357ce4
sshd:3.312.v1c601b_c83b_0e
structs:325.vcb_307d2a_2782
throttle-concurrents:2.14
timestamper:1.26
token-macro:400.v35420b_922dcb_
trilead-api:2.84.v72119de229b_7
uno-choice:2.8.1
variant:60.v7290fc0eb_b_cd
versioncolumn:221.vdb_638ece0951
workflow-aggregator:596.v8c21c963d92d
workflow-api:1283.v99c10937efcb_
workflow-basic-steps:1042.ve7b_140c4a_e0c
workflow-cps:3826.v3b_5707fe44da_
workflow-durable-task-step:1289.v4d3e7b_01546b_
workflow-job:1385.vb_58b_86ea_fff1
workflow-multibranch:756.v891d88f2cd46
workflow-scm-step:415.v434365564324
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:865.v43e78cc44e0d
ws-cleanup:0.45

Hello @MortenRick and welcome to this community. :wave:

The error message you’re seeing seems to indicate that the Java runtime environment used by Jenkins does not trust the SSL certificate presented by the LDAPS server. :thinking:
This can happen if the certificate is self-signed, or if it’s issued by a certificate authority that’s not included in the default Java truststore.

Thanks @poddingue, I added the AD server certificate to the Java truststore, and then it works.

Thanks a lot for your feedback. :+1:

Hi
Did you add the CA certificate or the server certificate?

I tried but I obtained:

Oops!
A problem occurred while processing the request

Caused: org.springframework.ldap.PartialResultException: nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: DomainDnsZones.mydomain.loc:636 [Root exception is javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching DomainDnsZones.mydomain.loc found.]]

I am using an internal CA

Could you give me a suggestion?
Thanks a lot
Mario
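
Added example, not part of the original thread: the two errors quoted above come from different checks in the same TLS handshake ("PKIX path building failed" means the chain is not anchored in the JVM truststore; "No subject alternative DNS name matching ..." means the chain was accepted but the certificate's SAN list does not contain the host name being connected to). The diagnostic below runs both checks against the JVM's own truststore and prints the chain the server actually presents. The class name and the default host are placeholders; run it with the same Java installation that runs Jenkins.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.*;

// Added diagnostic sketch; class name and default host are placeholders.
public class LdapsTrustCheck {
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "ldap.example.internal";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;

        // Default trust manager: reads the truststore this JVM uses
        // (its cacerts file, or -Djavax.net.ssl.trustStore if set).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager jvmDefault = (X509TrustManager) Arrays.stream(tmf.getTrustManagers())
                .filter(t -> t instanceof X509TrustManager).findFirst().orElseThrow();

        // Record the chain the server sends, then delegate to the JVM default,
        // so nothing is accepted here that the JVM itself would reject.
        X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recording = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
                jvmDefault.checkClientTrusted(c, a);
            }
            public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
                seen[0] = c;
                jvmDefault.checkServerTrusted(c, a);
            }
            public X509Certificate[] getAcceptedIssuers() { return jvmDefault.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recording }, null);

        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("LDAPS"); // host name must match the certificate
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("OK: chain is trusted and the certificate matches " + host);
        } catch (SSLHandshakeException e) {
            System.out.println("FAILED: " + e.getMessage());
        }
        if (seen[0] == null) return; // no certificate was received at all
        for (X509Certificate c : seen[0]) {
            System.out.println("subject: " + c.getSubjectX500Principal().getName());
            System.out.println("  issuer: " + c.getIssuerX500Principal().getName());
            System.out.println("  SANs:   " + c.getSubjectAlternativeNames()); // null if none
        }
    }
}
```

Run it as `java LdapsTrustCheck.java <host> 636`. The printed issuer shows which CA certificate has to be in the truststore, and the SAN line shows which host names the certificate is valid for.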