3
votes

Following the docs to use Java Web Start and I'm up to the point where I'm running this command on the slave to connect to the master:

java -jar agent.jar -jnlpUrl https://my-server.com:8888/computer/myslave/slave-agent.jnlp -secret sdfsdfsdfsdf -workDir "c:\Jenkins"

I have a valid public cert. From the slave I can access https://my-server.com:8888 and chrome says the cert is valid so why is jenkins complaining? Seems dumb to use -noCertificateCheck when I paid good money for the damn thing

Mar 28, 2018 9:34:49 PM org.jenkinsci.remoting.engine.WorkDirManager initializeWorkDir INFO: Using c:\Jenkins\remoting as a remoting work directory Both error and output logs will be printed to c:\Jenkins\remoting Exception in thread "main" java.io.IOException: Failed to validate a server certificate. If you are using a self-signed certificate, you can use the -noCertificateCheck option to bypass this check. at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:548) at hudson.remoting.Launcher.run(Launcher.java:322) at hudson.remoting.Launcher.main(Launcher.java:283) Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid c ertification path to requested target at sun.security.ssl.Alerts.getSSLException(Unknown Source) at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source) at sun.security.ssl.Handshaker.fatalSE(Unknown Source) at sun.security.ssl.Handshaker.fatalSE(Unknown Source) at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source) at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) at sun.security.ssl.Handshaker.processLoop(Unknown Source) at sun.security.ssl.Handshaker.process_record(Unknown Source) at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source) at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:490) ... 2 more Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(Unknown Source) at sun.security.validator.PKIXValidator.engineValidate(Unknown Source) at sun.security.validator.Validator.validate(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) ... 14 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) at java.security.cert.CertPathBuilder.build(Unknown Source) ... 20 more

EDIT: So I can't connect at all. If I use -noCertificateCheck I get Incorrect acknowledgement sequence Im assuming because Im using HTTPS without validating the cert

3

3 Answers

2
votes

In your question you use port 8888 (https://my-server.com:8888). The jnlp scripts that I have seen the port is not present or is 443.

When I once saw an error like yours, I imported the certificate into the Java keystore. For more details here.

keytool -import -alias $ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts -file $PATH_TO_PEM_FILE

This import should be needed only for not public certificates, like self-signed, but you can try. There could be certificate chain as explained here.

1
votes

my issue was i needed to import the entire cert chain into the java keystore

browsers like chrome will follow aia extensions and download the chain for you but the java keystore wants to make your life hard.

0
votes

I tried to

  1. update Java on salve machine to get the Java latest trust store.
  2. update Java trust store manually with public SSL (steps).

But nothing worked above.

Finally, I was able to connect to the master server from the slave by bypassing the -noCertificateCheck at end of the below command:

java -jar agent.jar -jnlpUrl https://example.com/computer/windows_slave/jenkins-agent.jnlp -secret [secret] -noCertificateCheck