SSLHandshakeException: PKIX building failed

I cannot update the plugins or the version of Jenkins due to some sort of handshaking error. We’ve already updated to JDK-21, followed the Windows direction to add the entire certificate chain for https://archives.jenkins.io and https://updates.jenkins.io, and attempted to change to http in the URL but nothing seems to remedy the issue.

Jenkins setup:
Jenkins: 2.492.3
OS: Windows Server 2019 - 10.0
Java: 21.0.7 - Oracle Corporation (Java HotSpot(TM) 64-Bit Server VM)
---
active-directory:2.39
analysis-model-api:13.2.0
ant:513.vde9e7b_a_0da_0f
antisamy-markup-formatter:173.v680e3a_b_69ff3
apache-httpcomponents-client-4-api:4.5.14-269.vfa_2321039a_83
apache-httpcomponents-client-5-api:5.4.3-140.v2516ccde99e7
asm-api:9.8-135.vb_2239d08ee90
authentication-tokens:1.131.v7199556c3004
bootstrap5-api:5.3.3-2
bouncycastle-api:2.30.1.80-256.vf98926042a_9b_
branch-api:2.1214.v3f652804588d
build-timeout:1.37
build-token-root:151.va_e52fe3215fc
caffeine-api:3.2.0-166.v72a_6d74b_870f
checks-api:367.v18b_7f530e54a_
cloudbees-folder:6.999.v42253c105443
command-launcher:118.v72741845c17a_
commons-lang3-api:3.17.0-87.v5cf526e63b_8b_
commons-text-api:1.13.0-153.v91dcd89e2a_22
config-file-provider:982.vb_a_e458a_37021
configuration-as-code:1947.v7d33fe23569c
copyartifact:765.v0357cc6e6eb_3
credentials:1413.va_51c53703df1
credentials-binding:687.v619cb_15e923f
dark-theme:524.vd675b_22b_30cb_
data-tables-api:2.2.2-1
display-url-api:2.209.v582ed814ff2f
docker-commons:451.vd12c371eeeb_3
durable-task:587.v84b_877235b_45
echarts-api:5.6.0-2
eddsa-api:0.3.0.1-19.vc432d923e5ee
email-ext:1876.v28d8d38315b_d
envinject-api:1.235.va_14c74f8f487
external-monitor-job:223.vb_fddcf42c9b_3
file-operations:353.vf3b_9b_a_f1f7f7
flatpickr-api:4.6.13-18.vcf5f6a_5b_8468
font-awesome-api:6.7.2-1
fortify:23.1.40
gradle:2.14.1
gson-api:2.12.1-113.v347686d6729f
htmlpublisher:425
instance-identity:203.v15e81a_1b_7a_38
ionicons-api:82.v0597178874e1
jackson2-api:2.18.3-402.v74c4eb_f122b_2
jakarta-activation-api:2.1.3-2
jakarta-mail-api:2.1.3-2
javax-activation-api:1.2.0-8
javax-mail-api:1.6.2-11
jaxb:2.3.9-133.vb_ec76a_73f706
jdk-tool:83.v417146707a_3d
jjwt-api:0.11.5-120.v0268cf544b_89
jnr-posix-api:3.1.20-138.vdb_9db_a_39182f
joda-time-api:2.14.0-127.v7d9da_295a_d51
jquery3-api:3.7.1-3
jsch:0.2.16-95.v3eecb_55fa_b_78
json-api:20250107-125.v28b_a_ffa_eb_f01
json-path-api:2.9.0-148.v22a_7ffe323ce
jsoup:1.19.1-38.v216a_f3721b_3c
junit:1319.v000471ca_e5e2
ldap:780.vcb_33c9a_e4332
lighthouse-report:1.3.0
lockable-resources:1349.v8b_ccb_c5487f7
login-theme:262.vb_4ce39d5279f
mailer:489.vd4b_25144138f
mapdb-api:1.0.9-44.va_1e1310c9118
matrix-auth:3.2.6
matrix-project:847.v88a_f90ff9f20
mina-sshd-api-common:2.15.0-161.vb_200831a_c15b_
mina-sshd-api-core:2.15.0-161.vb_200831a_c15b_
nodejs:1.6.4
okhttp-api:4.11.0-189.v976fa_d3379d6
outbound-webhook:0.3.0
pam-auth:1.12
pipeline-build-step:557.v95d96f77b_2b_8
pipeline-graph-analysis:235.vb_a_a_36b_f248c2
pipeline-groovy-lib:752.vdddedf804e72
pipeline-input-step:517.vf8e782ee645c
pipeline-milestone-step:127.vb_52887ca_3b_6d
pipeline-model-api:2.2247.va_423189a_7dff
pipeline-model-definition:2.2247.va_423189a_7dff
pipeline-model-extensions:2.2247.va_423189a_7dff
pipeline-rest-api:2.37
pipeline-stage-step:322.vecffa_99f371c
pipeline-stage-tags-metadata:2.2247.va_423189a_7dff
pipeline-stage-view:2.37
plain-credentials:195.vb_906e9073dee
plugin-util-api:6.1.0
powershell:2.3
prism-api:1.30.0-1
publish-over:0.22
publish-over-cifs:0.16
purge-job-history:74.vf21030329dda_
resource-disposer:0.25
saferestart:102.v4dc1b_9636a_ee
schedule-build:649.vd4058b_a_a_cf54
scm-api:704.v3ce5c542825a_
script-security:1373.vb_b_4a_a_c26fa_00
simple-theme-plugin:211.v5424a_5510e47
snakeyaml-api:2.3-125.v4d77857a_b_402
ssh-credentials:355.v9b_e5b_cde5003
ssh-slaves:3.1031.v72c6b_883b_869
sshd:3.353.v2b_d33c46e970
structs:343.vdcf37b_a_c81d5
subversion:1287.vd2d507146906
theme-manager:278.v2e3c063e42cc
thinBackup:2.1.2
timestamper:1.28
token-macro:444.v52de7e9c573d
trilead-api:2.192.vc50a_d147e369
variant:70.va_d9f17f859e0
workflow-aggregator:608.v67378e9d3db_1
workflow-api:1366.vf1fb_e1a_f6b_22
workflow-basic-steps:1079.vce64b_a_929c5a_
workflow-cps:4080.va_15b_44a_91525
workflow-durable-task-step:1405.v1fcd4a_d00096
workflow-job:1508.v9cb_c3a_a_89dfd
workflow-multibranch:803.v08103b_87c280
workflow-scm-step:437.v05a_f66b_e5ef8
workflow-step-api:700.v6e45cb_a_5a_a_21
workflow-support:963.va_600813d04a_a_
ws-cleanup:0.48

That should not be necessary. Java installations on Windows, Linux, and macOS already include the necessary certificates. If you are required to install additional certificates, it may indicate that network devices between you and updates.jenkins.io are interfering with the data transfer.


We were able to get it resolved. It was indeed a Java CA issue. Our servers access the internet via a reverse proxy and the certificate chain gets swapped out with our internal CA certs, and the certs were not in the Java cert store. There must have been a certificate update on the enterprise side recently, so the certificate chain was no longer trusted. We downloaded each of the three new CAs in PEM format and then inserted them into the JDK cert store.
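
The import step described in the last post, as an added example that is not part of the original thread: a PowerShell sketch that backs up the JDK trust store, shows the subject, issuer and expiry of each PEM file before trusting it, and imports it with `keytool` only if its alias is not already present. The PEM directory, the `internal-` alias prefix and the default store password are assumptions.

```powershell
# Assumptions (not from the thread): JAVA_HOME is the JDK that runs Jenkins,
# the proxy's CA certificates were saved as *.pem under C:\certs\internal-ca,
# and the cacerts store still has the default password "changeit".
$keytool   = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
$cacerts   = Join-Path $env:JAVA_HOME 'lib\security\cacerts'
$pemDir    = 'C:\certs\internal-ca'
$storePass = 'changeit'

# Back up the trust store so the change can be rolled back.
Copy-Item -Path $cacerts -Destination "$cacerts.$(Get-Date -Format yyyyMMdd-HHmmss).bak"

foreach ($pem in Get-ChildItem -Path $pemDir -Filter *.pem) {
    # Show what is about to be trusted: subject, issuer and expiry date.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $pem.FullName
    '{0}: subject={1}; issuer={2}; expires={3:yyyy-MM-dd}' -f `
        $pem.Name, $cert.Subject, $cert.Issuer, $cert.NotAfter

    # An expired CA would not fix the handshake; do not add it to the store.
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "$($pem.Name) has expired, skipping"
        continue
    }

    # Hypothetical alias scheme: "internal-" plus the file name, lower-cased.
    $alias = 'internal-' + $pem.BaseName.ToLower()

    # keytool -list exits non-zero when the alias does not exist yet.
    & $keytool -list -cacerts -storepass $storePass -alias $alias *> $null
    if ($LASTEXITCODE -eq 0) {
        Write-Host "  alias $alias already present, skipping"
        continue
    }

    & $keytool -importcert -noprompt -trustcacerts -cacerts `
        -storepass $storePass -alias $alias -file $pem.FullName
    if ($LASTEXITCODE -ne 0) { throw "keytool import failed for $($pem.Name)" }
}

# Confirm the entries landed in the store.
& $keytool -list -cacerts -storepass $storePass | Select-String -Pattern '^internal-'
```

Run it from an elevated prompt and restart the Jenkins service afterwards, since the JVM reads the trust store at startup. A JDK upgrade ships its own `cacerts`, so the import has to be repeated against the new installation.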