Jenkins install LTS 2.77 TLS error

Just tried an install of 2.77 LTS into a CentOS 7 VM.

When it started up, it failed due to a PKIX TLS error on the plugin update. Huh?

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
Caused: sun.security.validator.ValidatorException: PKIX path building failed
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
...
Caused: javax.net.ssl.SSLHandshakeException
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
...
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)

The Manage Jenkins > Manage Plugins > Advanced tab shows the update URL. Try it.

$ curl -v https://updates.jenkins.io/update-center.json
 * About to connect() to updates.jenkins.io port 443 (#0)
 * Trying 52.202.51.185...
 * Connected to updates.jenkins.io (52.202.51.185) port 443 (#0)
 * Initializing NSS with certpath: sql:/etc/pki/nssdb
 * CAfile: /etc/pki/tls/certs/ca-bundle.crt
 CApath: none
 * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 * Server certificate:
 * subject: CN=updates.jenkins.io
 * start date: Aug 05 00:55:00 2017 GMT
 * expire date: Nov 03 00:55:00 2017 GMT
 * common name: updates.jenkins.io
 * issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
 > GET /update-center.json HTTP/1.1
 > User-Agent: curl/7.29.0
 > Host: updates.jenkins.io
 > Accept: */*
 >
 < HTTP/1.1 301 Moved Permanently
 < Date: Fri, 15 Sep 2017 13:39:15 GMT
 < Server: Apache/2.4.7 (Ubuntu)
 < Location: https://updates.jenkins.io/current/update-center.json
 < Content-Length: 261
 < Content-Type: text/html; charset=iso-8859-1
 <
 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
 <html><head>
 <title>301 Moved Permanently</title>
 </head><body>
 <h1>Moved Permanently</h1>
 <p>The document has moved <a href="https://updates.jenkins.io/current/update-center.json">here</a>.</p>
 </body></html>
 * Connection #0 to host updates.jenkins.io left intact

After some looking, I found I was running Java 8 v74. The cert was issued by Let’s Encrypt.

The article "Does Java support Let’s Encrypt certificates?" indicated that no, older JDK 8s did not have the root CA cert for Let’s Encrypt.

Fix it.

$ alternatives --config java
There are 4 programs which provide 'java'.
Selection Command
-----------------------------------------------
* 1 java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-3.b12.el7_3.x86_64/jre/bin/java)
 2 java-1.7.0-openjdk.x86_64 (/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el7_3.x86_64/jre/bin/java)
 3 /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/java
 + 4 /usr/java/jdk1.8.0_74/jre/bin/java
Enter to keep the current selection[+], or type selection number: ^C

root@VM101037-CTS70 /usr/java
$ alternatives --install /usr/bin/java java /usr/java/jdk1.8.0_144/bin/java 5

root@VM101037-CTS70 /usr/java
$ alternatives --config java

There are 5 programs which provide 'java'.

Selection Command
-----------------------------------------------
* 1 java-1.8.0-openjdk.x86_64 (/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-3.b12.el7_3.x86_64/jre/bin/java)
 2 java-1.7.0-openjdk.x86_64 (/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.141-2.6.10.1.el7_3.x86_64/jre/bin/java)
 3 /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/java
 + 4 /usr/java/jdk1.8.0_74/jre/bin/java
 5 /usr/java/jdk1.8.0_144/bin/java

Enter to keep the current selection[+], or type selection number: 5

root@VM101037-CTS70 /usr/java
$ systemctl restart jenkins

Bam!
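
To see which of the JVMs listed by alternatives can actually validate the update site's chain, here is an added example (not part of the original post). It inspects each JVM's cacerts with keytool and falls back to the release number; the thresholds (Java 7u111 / 8u101 for IdenTrust's "DST Root CA X3", the root assumed to anchor "Let's Encrypt Authority X3") and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post).
# Assumption: the chain for "Let's Encrypt Authority X3" was anchored at
# IdenTrust's "DST Root CA X3", first bundled in Oracle Java 7u111 and 8u101.

# version_bundles_root VERSION: succeeds if that release ships the root.
version_bundles_root() {
    case $1 in
        "")      return 1 ;;      # version could not be determined
        1.7.0_*) min=111 ;;
        1.8.0_*) min=101 ;;
        1.*)     return 1 ;;      # Java 6 and older, or no update number
        *)       return 0 ;;      # Java 9+ version scheme
    esac
    upd=${1#*_}                   # "74-b02" from "1.8.0_74-b02"
    upd=${upd%%[!0-9]*}           # keep the leading digits only
    [ -n "$upd" ] && [ "$upd" -ge "$min" ]
}

# truststore_has_root: reads `keytool -list -v` output on stdin and succeeds
# if one of the entries is the DST Root CA X3 certificate.
truststore_has_root() {
    grep -q '^Owner: CN=DST Root CA X3,'
}

# check_java JAVA_BIN: inspect the real cacerts first, then fall back to the version.
check_java() {
    home=${1%/bin/java}
    ver=$("$1" -version 2>&1 | sed -n 's/.* version "\([^"]*\)".*/\1/p')
    for ks in "$home/lib/security/cacerts" "$home/jre/lib/security/cacerts"; do
        [ -f "$ks" ] || continue
        # "changeit" is the default cacerts password
        if keytool -list -v -keystore "$ks" -storepass changeit 2>/dev/null |
            truststore_has_root; then
            echo "OK    $1 ($ver): root found in $ks"; return 0
        fi
    done
    if version_bundles_root "$ver"; then
        echo "CHECK $1 ($ver): release should bundle the root; not confirmed in cacerts"
    else
        echo "FAIL  $1 ($ver): no DST Root CA X3; expect PKIX path building errors"
    fi
}

# Usage: sh check-le-root.sh /usr/java/jdk1.8.0_74/jre/bin/java /usr/java/jdk1.8.0_144/bin/java
for j in "$@"; do check_java "$j"; done
```

The keytool result is the authoritative one: distribution OpenJDK packages may point cacerts at a system-managed truststore, so the release number alone does not tell you what the JVM trusts.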
