Agent node: Windows Server 2016
We are using Jenkins 2.486; it seems that the Windows agent cannot connect to the Jenkins host.
Agent configuration:
Error log:
javax.net.ssl.SSLHandshakeException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=ed30a5418f67aa4dfb0e9291a8092e33) is not in the list of trusted keys
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
The image doesn't show the agent configuration but the configuration of the TCP port for inbound agents that don't use websockets.
The error indicates that your Jenkins controller is not properly sending the intermediate certificate that was used to sign the certificate signing request.
A website must send its own certificate and all intermediate certificates on the way to a root certificate that is known by Java. You should not add intermediate certificates to Java's truststore.
Hi mawinter69,
Thanks for your reply.
The following image shows the agent configuration:
I tried using the command `keytool -import` to import the root certificate, but still encountered this error.
(Caused by: java.security.cert.CertificateException: Public key of the first certificate in chain (subject: C=US, OU=jenkins.io, O=instances, CN=ed30a5418f67aa4dfb0e9291a8092e33) is not in the list of trusted keys)
The agent is always searching for the root certificate related to jenkins.io.
This is just the OU; it is not important when it comes to validating a certificate. When a certificate is checked you need to look at the subject alt names (when this is not set, then the CN of the certificate).
The usual setup with certificates is that you have a root CA, which is in the trust list of Java and the OS. Then you have an intermediate CA that has a certificate which is signed by the root CA. And when you now set up a website you will sign its certificate with the intermediate CA. So when a tool (your agent Java process) wants to connect to a website (your Jenkins) you must ensure that it finds a path from the certificate to the root CA. This is achieved by having the website return not only its own certificate but also the certificate of the intermediate CA.
Browsers are smart and might find that path on their own (maybe due to caching or due to e.g. Windows having a list of known intermediate CAs).
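A local reproduction of the chain-building point above, added here as an example and not taken from the thread: it generates a root CA, an intermediate CA and a server certificate (all names and the hostname are constructed), then shows that the leaf cannot be validated against the root alone but can once the intermediate is supplied, which is the situation the agent is in when the controller omits it.

```shell
#!/bin/sh
# Added example (not from the thread). Builds root -> intermediate -> server
# certificates with openssl in a temp dir; all subject names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA: stands in for a CA that is in the Java/OS truststore
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
  -keyout root.key -out root.pem >/dev/null 2>&1

# Intermediate CA, signed by the root and marked as a CA
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout inter.key -out inter.csr >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out inter.pem >/dev/null 2>&1

# Server (controller) certificate, signed by the intermediate, with a SAN
openssl req -newkey rsa:2048 -nodes -subj "/CN=jenkins.example.test" \
  -keyout server.key -out server.csr >/dev/null 2>&1
printf 'subjectAltName=DNS:jenkins.example.test\n' > srv.ext
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -extfile srv.ext -out server.pem >/dev/null 2>&1

# verify_chain ROOT LEAF [INTERMEDIATE ...]
# Returns 0 when openssl can build a path from LEAF to ROOT using only the
# given untrusted intermediates, i.e. what a client sees from the server's chain.
verify_chain() {
  root=$1; leaf=$2; shift 2
  untrusted=""
  for c in "$@"; do untrusted="$untrusted -untrusted $c"; done
  # shellcheck disable=SC2086
  openssl verify -CAfile "$root" $untrusted "$leaf" >/dev/null 2>&1
}

# Server sends only its own certificate: no path to the root
if verify_chain root.pem server.pem; then
  echo "leaf alone: verified (unexpected)"
else
  echo "leaf alone: FAILED, intermediate missing"
fi
# Server sends leaf plus intermediate: the path to the trusted root is found
if verify_chain root.pem server.pem inter.pem; then
  echo "leaf + intermediate: verified"
fi
```

Against a live controller the equivalent check is `openssl s_client -connect <host>:<port> -showcerts`, which prints every certificate the server actually sends; if only the leaf appears, the intermediate has to be added to the server's certificate chain, not to the agent's truststore.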