A short instruction on what to change in the Java and git installations to make the Jenkins Git plugin work via HTTPS with an SSL certificate that seems somewhat incorrect

How to Make Jenkins Git Plugin Work via HTTPS with "Incorrect" SSL Certificate

If your Jenkins server talks to the git server via HTTPS and the latter uses a self-signed SSL certificate (or one that seems incorrect in some other sense), you'll likely get an error like this:

hudson.plugins.git.GitException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

To get rid of it, the steps below could be helpful (at least, they were helpful for me while setting up Jenkins build nodes on both Linux and Windows boxes):

  1. Determine the JAVA_HOME of the JVM that runs your build node. If there are multiple Java installations on your build server (and I think that's a common case for this sort of server), you might have some doubts about which of them actually runs your slave.jar. To find a precise answer, go to the node's Script Console at http://YOUR_CI_SERVER:8080/computer/YOUR_NODE_NAME/script (of course, if you use a non-standard port or context name for your Jenkins installation, the URL should be changed accordingly) and get the result of the following command:

     System.getProperty("java.home")

  2. Then export your git server's SSL certificate into a myserver.crt file (all commonly used browsers know how to do that: just right-click on the "lock" icon near the URL), copy it to the server your node runs on, and import it into your Java's keystore ($JAVA_HOME in the command below is the result you got in step 1):

     $JAVA_HOME/bin/keytool -importcert -alias myserver -file myserver.crt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit

     (on a Windows box, of course, backslashes should be used instead of forward slashes)

     If you want to check whether the desired certificate is already in the target keystore, you can look for it by alias:

     $JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit | grep -C1 myserver

     or by SHA1 fingerprint:

     $JAVA_HOME/bin/keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit | grep -C1 PA:RT:OF:MY:SH:A1

  3. Find out where the home directory of the user your node's JVM runs as is located. If in any doubt about that, go to the Script Console for your node and get the result of the command below:

     System.getProperty("user.home")

  4. Go to the directory you learned in the previous step and add the following lines to the .gitconfig file:

     [http]
        sslVerify = false

     (if the ~/.gitconfig file doesn't exist, create one containing the two lines shown above)
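
The [http] setting in the last step turns certificate verification off for every HTTPS remote that user's git talks to. As an added example that is not part of the original gist, the script below keeps verification on and instead makes git trust the exported certificate for one server only, using git's URL-scoped `http.sslCAInfo` option. The function names, `git.example.com` and the file paths are assumptions, and the certificate file must be PEM-encoded.

```shell
#!/bin/sh
# Added example (not from the original gist). Function names are hypothetical.

# Succeeds if FILE switches verification off for every host, i.e. the
# unscoped [http] section carries sslVerify = false.
verify_disabled_globally() {
    [ -f "$1" ] || return 1
    awk '
        # A new section header: remember whether it is the plain [http] one.
        /^[ \t]*\[/ { in_http = (tolower($0) ~ /^[ \t]*\[http\][ \t]*$/) }
        in_http && tolower($0) ~ /^[ \t]*sslverify[ \t]*=[ \t]*(false|no|off|0)[ \t]*$/ { off = 1 }
        END { exit !off }
    ' "$1"
}

# Append a stanza to GITCONFIG that leaves verification on and makes git
# trust CAFILE for URL only.
# Returns 1 if CAFILE is not PEM (browsers may export DER, which git's
# http.sslCAInfo cannot read), 2 if the global switch-off is still present,
# since it would keep verification off for this URL as well.
pin_server_ca() {
    cfg=$1 url=$2 ca=$3
    grep -q 'BEGIN CERTIFICATE' "$ca" || {
        echo "$ca is not a PEM certificate" >&2
        return 1
    }
    if verify_disabled_globally "$cfg"; then
        echo "$cfg still has [http] sslVerify = false; remove it first" >&2
        return 2
    fi
    # Resulting stanza:
    #   [http "https://git.example.com/"]
    #       sslCAInfo = /path/to/myserver.crt
    printf '[http "%s"]\n\tsslCAInfo = %s\n' "$url" "$ca" >> "$cfg"
}

# Usage (constructed values):
#   pin_server_ca "$HOME/.gitconfig" https://git.example.com/ "$HOME/myserver.crt"
```

A DER-encoded export can be converted with `openssl x509 -inform der -in myserver.crt -out myserver.pem` before it is passed to `pin_server_ca`.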


Tested against Jenkins 1.565.3, Git plugin 2.2.1, and gitlab-ce-8.1.0
