SSL Conflict Issue on Jenkins for Gitlab Repo

Hello Team,

I’m facing the SSL Conflict Issue on a Jenkins Pipeline Job while adding the Gitlab Repo. Please find the attached screenshot.

I’m able to use git commands like git clone on the Jenkins Server from the console, but through the pipeline job it shows me an SSL Error.

Jenkins is already configured to trust the self-signed certificate, i.e. the Gitlab Cert is already imported into both the trusted root directory and the Java Keystore directory of the Jenkins Server:

/etc/pki/ca-trust/source/anchors/

sudo keytool -importcert -trustcacerts -keystore /usr/lib/jvm/java-11-openjdk/lib/security/cacerts -storepass changeit -noprompt -alias gitlab-cert -file /etc/pki/ca-trust/source/anchors/<cert.pem>

In addition, if I run echo | openssl s_client -connect gitlab.yourdomain.com:443 -showcerts on the Jenkins server console, it shows me the correct Gitlab cert, but the issue still remains.

Looking forward to your response.

Thanks

Rahul

@poddingue Any Thoughts? Thanks.

You’re encountering a common Jenkins issue when SSL certificates aren’t trusted inside the Jenkins runtime, even though they work fine in your shell. Here’s a focused step-by-step approach to fix it:


:white_check_mark: 1. Identify the Java runtime used by Jenkins

Jenkins runs under its own Java installation, which might differ from your local one.

  • Navigate to:
    Manage Jenkins → System Information
  • Look for the value of java.home
  • Example: /usr/lib/jvm/java-17-openjdk

You must import the SSL certificate into this Java runtime’s trust store.


:white_check_mark: 2. Import your certificate into the correct Java keystore

Suppose your certificate file is gitlab.yourdomain.com.crt. Run:

sudo keytool -importcert -trustcacerts -alias gitlab-cert \
  -file gitlab.yourdomain.com.crt \
  -keystore /usr/lib/jvm/java-17-openjdk/lib/security/cacerts \
  -storepass changeit

Replace the -keystore path with the actual java.home path from Jenkins, plus /lib/security/cacerts.


:white_check_mark: 3. Restart Jenkins

After importing the cert, restart Jenkins to pick up the updated trust store:

sudo systemctl restart jenkins

:white_check_mark: 4. If your pipeline runs on agents (that’s the way to go) or Docker containers

You must repeat step 2 on every agent that runs jobs:

  • For physical/VM agents: check their Java install and keystore
  • For Docker agents: bake the cert into the Docker image or mount it at runtime and import it during startup

Tip: In Docker-based builds, you can add trusted certs under /usr/local/share/ca-certificates/ and run update-ca-certificates.


:counterclockwise_arrows_button: 5. For debugging only: temporarily disable SSL verification

You can bypass SSL verification using:

environment {
  GIT_SSL_NO_VERIFY = 'true'
}

Or:

withEnv(["GIT_SSL_NO_VERIFY=true"]) {
  git url: 'https://your-git-server', credentialsId: 'creds-id'
}

:warning: This is not secure, and should only be used for diagnosis, not in production.


:white_check_mark: 6. Validate in Jenkins logs

If the error persists, check:

  • Jenkins logs: Manage Jenkins → System Log
  • Console output of the failed build
  • Agent logs (if applicable)

:white_check_mark: Summary

Step | Action
:magnifying_glass_tilted_left: 1 | Identify java.home from Jenkins system info
:locked_with_key: 2 | Import cert into that Java keystore (cacerts)
:repeat_button: 3 | Restart Jenkins
:people_holding_hands: 4 | Repeat on agents or update Docker image
:warning: 5 | Use GIT_SSL_NO_VERIFY=true only for testing
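
One way to confirm steps 1, 2 and 4 before reaching for GIT_SSL_NO_VERIFY, as an added example that is not part of the original posts: it compares the SHA-256 fingerprint of the certificate the GitLab server presents with the entries in the cacerts of a given java.home. The function names and the STOREPASS variable are assumptions, and it checks the leaf certificate only, which fits the self-signed case described in the question.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and STOREPASS are assumptions.
# Usage: sh <this-script> gitlab.yourdomain.com 443 <java.home from System Information>
# Run it on the controller and on every agent, each with its own java.home.

# Reduce an openssl line ("sha256 Fingerprint=AA:BB") or a keytool line
# ("Certificate fingerprint (SHA-256): AA:BB") to bare uppercase hex.
norm_fp() {
  sed -n 's/.*[Ff]ingerprint[^=:]*[=:] *//p' | tr -d ': \r' | tr 'abcdef' 'ABCDEF'
}

# SHA-256 fingerprint of the leaf certificate the server presents.
server_fp() {  # args: host port
  echo | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | norm_fp
}

# Succeeds if fingerprint $1 appears in `keytool -list` output read from stdin.
fp_trusted() {
  norm_fp | grep -qxF "$1"
}

# Compare the served certificate against <java_home>/lib/security/cacerts.
check_trust() {  # args: host port java_home
  store="$3/lib/security/cacerts"
  fp=$(server_fp "$1" "$2")
  if [ -z "$fp" ]; then
    echo "could not fetch a certificate from $1:$2" >&2
    return 2
  fi
  if keytool -list -keystore "$store" -storepass "${STOREPASS:-changeit}" |
       fp_trusted "$fp"; then
    echo "TRUSTED: $fp is present in $store"
  else
    echo "MISSING: $fp is not in $store (wrong java.home, or cert not imported)"
    return 1
  fi
}

# Only runs the check when called with host, port and java.home.
if [ "$#" -eq 3 ]; then
  check_trust "$@"
fi
```

A MISSING result for the java.home that Jenkins reports, next to a TRUSTED result for another JDK on the same host, means the import went into a runtime that Jenkins does not use.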