Just tried an install of 2.77 LTS into a CentOS 7 VM.
When it started up, the plugin update failed due to a PKIX TLS error. Huh?
    sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    Caused: sun.security.validator.ValidatorException: PKIX path building failed
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
        ...
    Caused: javax.net.ssl.SSLHandshakeException
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
        ...
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)
The Manage Jenkins > Manage Plugins > Advanced tab shows the update URL. Try it.
    $ curl -v https://updates.jenkins.io/update-center.json
    * About to connect() to updates.jenkins.io port 443 (#0)
    * Trying 52.202.51.185...
    * Connected to updates.jenkins.io (52.202.51.185) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    * Server certificate:
    * subject: CN=updates.jenkins.io
    * start date: Aug 05 00:55:00 2017 GMT
    * expire date: Nov 03 00:55:00 2017 GMT
    * common name: updates.jenkins.io
    * issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
    > GET /update-center.json HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: updates.jenkins.io
    > Accept: */*
    >
    < HTTP/1.1 301 Moved Permanently
    < Date: Fri, 15 Sep 2017 13:39:15 GMT
    < Server: Apache/2.4.7 (Ubuntu)
    < Location: https://updates.jenkins.io/current/update-center.json
    < Content-Length: 261
    < Content-Type: text/html; charset=iso-8859-1
    <
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>301 Moved Permanently</title>
    </head><body>
    <h1>Moved Permanently</h1>
    <p>The document has moved <a href="https://updates.jenkins.io/current/update-center.json">here</a>.</p>
    </body></html>
    * Connection #0 to host updates.jenkins.io left intact
After some looking, I found I was running Java 8 v74. The cert was issued by Let's Encrypt.
The article "Does Java support Let's Encrypt certificates?" indicated that, no, older JDK 8s did not have the root CA cert for Let's Encrypt.
Fix it.
    $ alternatives --config java

    There are 4 programs which provide 'java'.

      Selection    Command
    -----------------------------------------------
    *  1           java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-3.b12.el7_3.x86_64/jre/bin/java)
       2           java-1.7.0-openjdk.x86_64 (/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el7_3.x86_64/jre/bin/java)
       3           /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/java
     + 4           /usr/java/jdk1.8.0_74/jre/bin/java

    Enter to keep the current selection[+], or type selection number: ^C
    root@VM101037-CTS70 /usr/java
    $ alternatives --install /usr/bin/java java /usr/java/jdk1.8.0_144/bin/java 5
    root@VM101037-CTS70 /usr/java
    $ alternatives --config java

    There are 5 programs which provide 'java'.

      Selection    Command
    -----------------------------------------------
    *  1           java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-3.b12.el7_3.x86_64/jre/bin/java)
       2           java-1.7.0-openjdk.x86_64 (/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el7_3.x86_64/jre/bin/java)
       3           /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/java
     + 4           /usr/java/jdk1.8.0_74/jre/bin/java
       5           /usr/java/jdk1.8.0_144/bin/java

    Enter to keep the current selection[+], or type selection number: 5
    root@VM101037-CTS70 /usr/java
    $ systemctl restart jenkins
Bam!
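
To spot the same problem before Jenkins hits it, here is an added example (not part of the original post) that classifies each installed JVM by its `java -version` line. The function names are hypothetical; the 8u101 and 7u111 thresholds come from Let's Encrypt's published Java compatibility notes, not from this page, and the check assumes a JDK that uses its own bundled cacerts file, as the Oracle JDKs under /usr/java do.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: Java 8 >= 8u101 and Java 7 >= 7u111 trust the Let's Encrypt
# chain (per Let's Encrypt's compatibility notes); older updates do not.

# Classify the first line of `java -version`. Prints: ok | too-old | unknown
le_trust_status() (
    # Pull the quoted version, e.g. 1.8.0_74 from: java version "1.8.0_74"
    ver=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
    [ -n "$ver" ] || { echo unknown; return; }
    case $ver in
        1.*) major=${ver#1.}; major=${major%%.*} ;;   # 1.8.0_74 -> 8
        *)   major=${ver%%[.+-]*} ;;                  # 11.0.2   -> 11
    esac
    case $ver in
        *_*) update=${ver##*_}; update=${update%%[!0-9]*} ;;  # 1.8.0_74 -> 74
        *)   update=0 ;;
    esac
    update=${update:-0}
    case $major in ''|*[!0-9]*) echo unknown; return ;; esac
    if [ "$major" -ge 9 ]; then
        echo ok
    elif [ "$major" -eq 8 ]; then
        [ "$update" -ge 101 ] && echo ok || echo too-old
    elif [ "$major" -eq 7 ]; then
        [ "$update" -ge 111 ] && echo ok || echo too-old
    else
        echo unknown   # no threshold assumed for older majors
    fi
)

# Report every java binary passed as an argument,
# e.g.: check_jvms /usr/java/*/bin/java
check_jvms() {
    for bin in "$@"; do
        line=$("$bin" -version 2>&1 | head -n 1)
        printf '%-8s %s\n' "$(le_trust_status "$line")" "$bin"
    done
}

# Constructed sample input: the two Oracle JDK versions named in the post.
for v in 'java version "1.8.0_74"' 'java version "1.8.0_144"'; do
    printf '%s -> %s\n' "$v" "$(le_trust_status "$v")"
done
```

A result of `too-old` means the plugin update will fail with the PKIX error above until that JVM is upgraded or another one is selected with `alternatives`.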