Update or install of the plugins fails during installation or normal use

Jenkins setup:

Jenkins: 2.462.3
OS: Linux - 4.18.0-553.22.1.el8_10.x86_64
Java: 17.0.12 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)

apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
asm-api:9.7-33.v4d23ef79fcc8
bootstrap5-api:5.3.3-1
bouncycastle-api:2.30.1.78.1-248.ve27176eb_46cb_
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.2.0
commons-lang3-api:3.14.0-76.vda_5591261cfe
commons-text-api:1.12.0-119.v73ef73f2345d
credentials:1371.vfee6b_095f0a_3
credentials-binding:681.vf91669a_32e45
display-url-api:2.204.vf6fddd8a_8b_e9
echarts-api:5.5.0-1
font-awesome-api:6.5.2-1
git:5.2.2
git-client:5.0.0
gitlab-plugin:1.8.1
gson-api:2.11.0-41.v019fcf6125dc
instance-identity:185.v303dc7c645f9
ionicons-api:74.v93d5eb_813d5f
jackson2-api:2.17.0-379.v02de8ec9f64c
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javax-activation-api:1.2.0-7
jaxb:2.3.9-1
jersey2-api:2.42-147.va_28a_44603b_d5
joda-time-api:2.12.7-29.v5a_b_e3a_82269a_
jquery3-api:3.7.1-2
json-api:20240303-41.v94e11e6de726
junit:1296.vb_f538b_c88630
ldap:725.v3cb_b_711b_1a_ef
mailer:472.vf7c289a_4b_420
matrix-project:832.va_66e270d2946
mina-sshd-api-common:2.13.1-117.v2f1a_b_66ff91d
mina-sshd-api-core:2.13.1-117.v2f1a_b_66ff91d
plain-credentials:183.va_de8f1dd5a_2b_
plugin-util-api:4.1.0
scm-api:690.vfc8b_54395023
script-security:1341.va_2819b_414686
snakeyaml-api:2.2-111.vc6598e30cc65
ssh-credentials:342.ve5a_f1db_5a_132
structs:338.v848422169819
variant:60.v7290fc0eb_b_cd
workflow-api:1322.v857eeeea_9902
workflow-job:1400.v7fd111b_ec82f
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:678.v3ee58b_469476
workflow-support:920.v59f71ce16f04

For instance with the ASM API update I get the following ERROR:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
	at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
Caused: sun.security.validator.ValidatorException: PKIX path building failed
	at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
	at java.base/sun.security.validator.Validator.validate(Unknown Source)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
Caused: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(Unknown Source)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(Unknown Source)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(Unknown Source)
	at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
	at java.base/sun.security.ssl.TransportContext.dispatch(Unknown Source)
	at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
	at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.followRedirect0(Unknown Source)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.followRedirect(Unknown Source)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
	at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
	at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1323)
Caused: java.io.IOException: Failed to load https://updates.jenkins.io/download/plugins/asm-api/9.7.1-97.v4cc844130d97/asm-api.hpi to /var/jenkins_home/plugins/asm-api.jpi.tmp
	at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1334)
Caused: java.io.IOException: Failed to download from https://updates.jenkins.io/download/plugins/asm-api/9.7.1-97.v4cc844130d97/asm-api.hpi (redirected to: https://ftp.belnet.be/mirror/jenkins/plugins/asm-api/9.7.1-97.v4cc844130d97/asm-api.hpi)
	at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1368)
	at hudson.model.UpdateCenter$DownloadJob._run(UpdateCenter.java:1925)
	at hudson.model.UpdateCenter$InstallationJob._run(UpdateCenter.java:2237)
	at hudson.model.UpdateCenter$DownloadJob.run(UpdateCenter.java:1899)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
	at hudson.remoting.AtmostOneThreadExecutor$Worker.run(AtmostOneThreadExecutor.java:121)
	at java.base/java.lang.Thread.run(Unknown Source)

Can you give me some tips?
Do you know how I can resolve this?

Best regards,
Martijn

In the meantime I have installed version 2.482 and tried the update of the plugins. Now it did upgrade the ASM API.
Only now it fails on the Credentials Version 1389.vd7a_b_f5fa_50a_2 plugin.
It gives the following ERROR:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
	at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
Caused: sun.security.validator.ValidatorException: PKIX path building failed
	at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
	at java.base/sun.security.validator.Validator.validate(Unknown Source)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
Caused: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
	at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(Unknown Source)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(Unknown Source)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(Unknown Source)
	at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
	at java.base/sun.security.ssl.TransportContext.dispatch(Unknown Source)
	at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
	at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.followRedirect0(Unknown Source)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.followRedirect(Unknown Source)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
	at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
	at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1348)
Caused: java.io.IOException: Failed to load https://updates.jenkins.io/download/plugins/credentials/1389.vd7a_b_f5fa_50a_2/credentials.hpi to /var/jenkins_home/plugins/credentials.jpi.tmp
	at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1363)
Caused: java.io.IOException: Failed to download from https://updates.jenkins.io/download/plugins/credentials/1389.vd7a_b_f5fa_50a_2/credentials.hpi → https://ftp.belnet.be/mirror/jenkins/plugins/credentials/1389.vd7a_b_f5fa_50a_2/credentials.hpi
	at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1390)
	at hudson.model.UpdateCenter$DownloadJob._run(UpdateCenter.java:2038)
	at hudson.model.UpdateCenter$InstallationJob._run(UpdateCenter.java:2366)
	at hudson.model.UpdateCenter$DownloadJob.run(UpdateCenter.java:2012)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
	at hudson.remoting.AtmostOneThreadExecutor$Worker.run(AtmostOneThreadExecutor.java:121)
	at java.base/java.lang.Thread.run(Unknown Source)

Any tips?
A solution?

Thanks in advance,
Best regards,

Martijn

The error you’re encountering, sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, seems to indicate that Jenkins is unable to establish a secure connection to the update site because it cannot validate the SSL certificate.

This is often due to missing or outdated CA certificates in the Java truststore.

Here are some steps that may help resolve this issue:

  1. Make sure that your Java installation has the latest CA certificates. You can update the CA certificates by downloading the latest cacerts file or by updating your Java installation.
  2. If the certificate is not recognized, you can manually add it to the Java truststore.
    • First, download the certificate from the URL causing the issue (e.g., https://updates.jenkins.io).
    • Use the keytool command to import the certificate into the Java truststore.
      keytool -import -alias jenkins-update-center -keystore $JAVA_HOME/lib/security/cacerts -file /path/to/downloaded/certificate.crt
      You will be prompted for the keystore password, which is typically changeit by default.
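Added example, not part of the original posts: a small triage script that reads the "Caused:" chain of a Jenkins update-center trace and reports which host the TLS validation actually failed on. In both traces above the handshake runs under `followRedirect` and the download message names a mirror, so the host to inspect is the redirect target rather than updates.jenkins.io. The names `failing_tls_hosts`, `hosts_to_inspect` and `SAMPLE_LOG` are assumptions of this example; the first two log entries are abbreviated from the traces in this thread and the third is constructed.

```python
import re
from urllib.parse import urlsplit

URL = re.compile(r"https?://[^\s)]+")

# Entries 1 and 2: abbreviated from the traces in this thread.
# Entry 3: constructed non-TLS failure, to show it is not reported.
SAMPLE_LOG = (
    "Caused: javax.net.ssl.SSLHandshakeException: PKIX path building failed: unable to find valid certification path to requested target\n"
    "\tat java.base/sun.net.www.protocol.http.HttpURLConnection.followRedirect(Unknown Source)\n"
    "Caused: java.io.IOException: Failed to download from https://updates.jenkins.io/download/plugins/asm-api/9.7.1-97.v4cc844130d97/asm-api.hpi (redirected to: https://ftp.belnet.be/mirror/jenkins/plugins/asm-api/9.7.1-97.v4cc844130d97/asm-api.hpi)\n"
    "Caused: javax.net.ssl.SSLHandshakeException: PKIX path building failed: unable to find valid certification path to requested target\n"
    "\tat java.base/sun.net.www.protocol.http.HttpURLConnection.followRedirect(Unknown Source)\n"
    "Caused: java.io.IOException: Failed to download from https://updates.jenkins.io/download/plugins/credentials/1389.vd7a_b_f5fa_50a_2/credentials.hpi → https://ftp.belnet.be/mirror/jenkins/plugins/credentials/1389.vd7a_b_f5fa_50a_2/credentials.hpi\n"
    "Caused: java.net.SocketTimeoutException: Read timed out\n"
    "Caused: java.io.IOException: Failed to download from https://updates.jenkins.io/download/plugins/example/1.0/example.hpi\n"
)

def failing_tls_hosts(log_text):
    """One finding per failed download whose cause chain contains a PKIX error."""
    findings, pkix, in_redirect = [], False, False
    for line in log_text.splitlines():
        if "PKIX path building failed" in line:
            pkix = True
        elif "HttpURLConnection.followRedirect" in line:
            in_redirect = True   # handshake happened while following a redirect
        elif "Failed to download from" in line:
            urls = URL.findall(line)   # first = requested URL, last = final URL
            if pkix and urls:
                requested = urlsplit(urls[0]).hostname
                final = urlsplit(urls[-1]).hostname
                findings.append({
                    "requested": requested,
                    "tls_failed_on": final if in_redirect else requested,
                    "redirected": final != requested,
                })
            pkix = in_redirect = False   # this line closes one trace
    return findings

def hosts_to_inspect(findings):
    """Unique hosts whose presented certificate chain should be examined."""
    return sorted({f["tls_failed_on"] for f in findings})

if __name__ == "__main__":
    for f in failing_tls_hosts(SAMPLE_LOG):
        print(f)
    print("inspect:", hosts_to_inspect(failing_tls_hosts(SAMPLE_LOG)))
```
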

Thank you for the info. I managed to proceed a step further. I have consulted ChatGPT and came to the following additional commands:

ftp.belnet.be

Log in to the container as root
$ sudo docker exec -it -u root <container id> /bin/bash

$ openssl s_client -showcerts -connect ftp.belnet.be:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > belnet_certificate.crt

$ keytool -import -alias belnet -keystore $JAVA_HOME/lib/security/cacerts -file /root/Downloads/belnet_certificate.crt

Pw: changeit

$ exit

$ sudo docker stop jenkins
$ sudo docker start jenkins


ftp.halifax.rwth-aachen.de

Log in to the container as root
$ sudo docker exec -it -u root <container id> /bin/bash

$ openssl s_client -showcerts -connect ftp.halifax.rwth-aachen.de:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > halifax_certificate.crt

$ keytool -import -alias halifax -keystore $JAVA_HOME/lib/security/cacerts -file /root/Downloads/halifax_certificate.crt

Pw: changeit

$ exit

$ sudo docker stop jenkins
$ sudo docker start jenkins

@poddingue I find it strange that these certificates are not already integrated in the Docker container. Should the Docker container already have these certificates implemented as standard?

I hope I do not have to do this again next time the plugins need to be updated. Let me see if I can contact the maintainer of the Docker container.

@poddingue I was unable to contact anybody to propose to update this in the Docker containers. Gitter is not configured for me to be able to establish contact. Perhaps you know of a means of communication with a Docker image maintainer?

As you never mention which docker container you are using, it is hard to tell who would be the maintainer.

And docker start/stop does not recreate the container, so you don’t get any updated images either. jenkins/jenkins:2.462.3-lts was updated ~ a month ago, so it should be current.