  1. Jenkins
  2. JENKINS-29304

Where to put the Nexus server certificates for https downloads?

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Labels:
      None
    • Environment:
      jenkins: LTS 1.596.3
      repository-connector-plugin: 1.1.1
      Nexus: 2.11.1-01
      Description

      I have set up a simple job that should just download artifacts from NEXUS to the local workspace. The NEXUS server, Jenkins Master and Slave are all instances in the local network. The artifact shall be downloaded via https from the NEXUS. The plugin shows the error message below: "unable to find valid certification path to requested target"
      In my understanding this message means that the certificate of the NEXUS must be trusted by the Java where the repository-connector-plugin is executed. But I added the certificate to the cacerts on the Jenkins Master and Slave and still get that message...

      Gestartet durch Benutzer XXX
      [EnvInject] - Loading node environment variables.
      Baue auf Slave CI-SLAVE-06 (jre7 windows7 test BigMecX#1 jre6 win python27 jdk7 VS2010 compile 64bit) in Arbeitsbereich D:\workspace\test
      INFO: define repo: [Repository id=snapshots, type=default, url=https://nexus.test-server.local/content/repositories/snapshots/, isRepositoryManager=true]
      INFO: set authentication for ci-nexus
      Resolving metadata com.test-projects:my_artifact:0.13.1-SNAPSHOT/maven-metadata.xml from /tmp/repositoryconnector-repo (enhanced)
      Resolved metadata com.test-projects:my_artifact:0.13.1-SNAPSHOT/maven-metadata.xml from /tmp/repositoryconnector-repo (enhanced)
      Resolving metadata com.test-projects:my_artifact:0.13.1-SNAPSHOT/maven-metadata.xml from snapshots (https://nexus.test-server.local/content/repositories/snapshots/, releases+snapshots, managed)
      Downloading: https://nexus.test-server.local/content/repositories/snapshots/com/test-projects/my_artifact/0.13.1-SNAPSHOT/maven-metadata.xml
      
      class org.apache.maven.wagon.TransferFailedException: Error transferring file: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      Resolved metadata com.test-projects:my_artifact:0.13.1-SNAPSHOT/maven-metadata.xml from snapshots (https://nexus.test-server.local/content/repositories/snapshots/, releases+snapshots, managed)
      Resolving artifact com.test-projects:my_artifact:pom:0.13.1-SNAPSHOT
      Resolving metadata com.test-projects:my_artifact:0.13.1-SNAPSHOT/maven-metadata.xml from /tmp/repositoryconnector-repo (enhanced)
      Resolved metadata com.test-projects:my_artifact:0.13.1-SNAPSHOT/maven-metadata.xml from /tmp/repositoryconnector-repo (enhanced)
      Resolving metadata com.test-projects:my_artifact:0.13.1-SNAPSHOT/maven-metadata.xml from snapshots (https://nexus.test-server.local/content/repositories/snapshots/, releases+snapshots, managed)
      Resolved metadata com.test-projects:my_artifact:0.13.1-SNAPSHOT/maven-metadata.xml from snapshots (https://nexus.test-server.local/content/repositories/snapshots/, releases+snapshots, managed)
      Downloading: https://nexus.test-server.local/content/repositories/snapshots/com/test-projects/my_artifact/0.13.1-SNAPSHOT/my_artifact-0.13.1-SNAPSHOT.pom
      
      class org.apache.maven.wagon.TransferFailedException: Error transferring file: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      Resolved artifact com.test-projects:my_artifact:pom:0.13.1-SNAPSHOT from null
      failed collecting dependency info for [Artifact com.test-projects:my_artifact:jar::0.13.1-SNAPSHOT]
      org.sonatype.aether.collection.DependencyCollectionException: Failed to collect dependencies for com.test-projects:my_artifact:jar:0.13.1-SNAPSHOT (provided)
      	at org.sonatype.aether.impl.internal.DefaultDependencyCollector.collectDependencies(DefaultDependencyCollector.java:197)
      	at org.sonatype.aether.impl.internal.DefaultRepositorySystem.collectDependencies(DefaultRepositorySystem.java:308)
      	at org.jvnet.hudson.plugins.repositoryconnector.aether.Aether.resolve(Aether.java:196)
      	at org.jvnet.hudson.plugins.repositoryconnector.ArtifactResolver.download(ArtifactResolver.java:129)
      	at org.jvnet.hudson.plugins.repositoryconnector.ArtifactResolver.perform(ArtifactResolver.java:101)
      	at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:770)
      	at hudson.model.Build$BuildExecution.build(Build.java:203)
      	at hudson.model.Build$BuildExecution.doRun(Build.java:160)
      	at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:533)
      	at hudson.model.Run.execute(Run.java:1758)
      	at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      	at hudson.model.ResourceController.execute(ResourceController.java:89)
      	at hudson.model.Executor.run(Executor.java:240)
      Caused by: org.sonatype.aether.resolution.ArtifactDescriptorException: Failed to read artifact descriptor for com.test-projects:my_artifact:jar:0.13.1-SNAPSHOT
      	at org.apache.maven.repository.internal.DefaultArtifactDescriptorReader.loadPom(DefaultArtifactDescriptorReader.java:282)
      	at org.apache.maven.repository.internal.DefaultArtifactDescriptorReader.readArtifactDescriptor(DefaultArtifactDescriptorReader.java:172)
      	at org.sonatype.aether.impl.internal.DefaultDependencyCollector.collectDependencies(DefaultDependencyCollector.java:191)
      	... 13 more
      Caused by: org.sonatype.aether.resolution.ArtifactResolutionException: Could not transfer artifact com.test-projects:my_artifact:pom:0.13.1-SNAPSHOT from/to snapshots (https://nexus.test-server.local/content/repositories/snapshots/): Error transferring file: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      	at org.sonatype.aether.impl.internal.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:537)
      	at org.sonatype.aether.impl.internal.DefaultArtifactResolver.resolveArtifacts(DefaultArtifactResolver.java:216)
      	at org.sonatype.aether.impl.internal.DefaultArtifactResolver.resolveArtifact(DefaultArtifactResolver.java:193)
      	at org.apache.maven.repository.internal.DefaultArtifactDescriptorReader.loadPom(DefaultArtifactDescriptorReader.java:267)
      	... 15 more
      Caused by: org.sonatype.aether.transfer.ArtifactTransferException: Could not transfer artifact com.test-projects:my_artifact:pom:0.13.1-SNAPSHOT from/to snapshots (https://nexus.test-server.local/content/repositories/snapshots/): Error transferring file: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      	at org.sonatype.aether.connector.wagon.WagonRepositoryConnector$4.wrap(WagonRepositoryConnector.java:975)
      	at org.sonatype.aether.connector.wagon.WagonRepositoryConnector$4.wrap(WagonRepositoryConnector.java:966)
      	at org.sonatype.aether.connector.wagon.WagonRepositoryConnector$GetTask.flush(WagonRepositoryConnector.java:707)
      	at org.sonatype.aether.connector.wagon.WagonRepositoryConnector$GetTask.flush(WagonRepositoryConnector.java:701)
      	at org.sonatype.aether.connector.wagon.WagonRepositoryConnector.get(WagonRepositoryConnector.java:452)
      	at org.sonatype.aether.impl.internal.DefaultArtifactResolver.resolve(DefaultArtifactResolver.java:456)
      	... 18 more
      Caused by: org.apache.maven.wagon.TransferFailedException: Error transferring file: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      	at org.apache.maven.wagon.providers.http.LightweightHttpWagon.fillInputData(LightweightHttpWagon.java:143)
      	at org.apache.maven.wagon.StreamWagon.getInputStream(StreamWagon.java:116)
      	at org.apache.maven.wagon.StreamWagon.getIfNewer(StreamWagon.java:88)
      	at org.apache.maven.wagon.StreamWagon.get(StreamWagon.java:61)
      	at org.sonatype.aether.connector.wagon.WagonRepositoryConnector$GetTask.run(WagonRepositoryConnector.java:615)
      	at org.sonatype.aether.util.concurrency.RunnableErrorForwarder$1.run(RunnableErrorForwarder.java:60)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
      	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
      	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
      	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
      	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1439)
      	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
      	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:878)
      	at sun.security.ssl.Handshaker.process_record(Handshaker.java:814)
      	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
      	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
      	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
      	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
      	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
      	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
      	at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:468)
      	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
      	at org.apache.maven.wagon.providers.http.LightweightHttpWagon.fillInputData(LightweightHttpWagon.java:115)
      	... 8 more
      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
      	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
      	at sun.security.validator.Validator.validate(Validator.java:260)
      	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
      	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
      	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
      	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1421)
      	... 21 more
      Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
      	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
      	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
      	... 27 more
      Build step 'Artefakt Runterladen' marked build as failure
      Finished: FAILURE
      

          Activity

          phil_ Philipp Strobel added a comment -

          The certificate of the NEXUS server must be imported to a keystore on the Jenkins master.
          The keystore can be located in ~/.keystore and must be specified in /etc/sysconfig/jenkins
          e.g.:

          ## Type:        string
          ## Default:     ""
          ## ServiceRestart: jenkins
          #
          # Path to the keystore in JKS format (as created by the JDK 'keytool').
          # Default is disabled.
          #
          JENKINS_HTTPS_KEYSTORE="~/.keystore"
          
          ## Type:        string
          ## Default:     ""
          ## ServiceRestart: jenkins
          #
          # Password to access the keystore defined in JENKINS_HTTPS_KEYSTORE.
          # Default is disabled.
          #
          JENKINS_HTTPS_KEYSTORE_PASSWORD="changeit"
          

          It is also possible to import the certificate to the cacerts file of the specific Java implementation and create a symbolic link ~/.keystore => $JAVA_HOME/lib/security/cacerts
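
A diagnostic for the situation in this report (certificate imported, PKIX error persists), as an added example that is not part of the issue or the plugin: it resolves which trust store file a given Java installation consults by default, following the JSSE lookup order, and checks that file for an alias. The function names, script name and alias are assumptions; it assumes a POSIX shell and `keytool` on the PATH.

```shell
#!/bin/sh
# Added example (not from the issue): which trust store does a JVM consult?

# resolve_truststore JAVA_HOME "JVM_OPTS"
# Prints the default JSSE trust store, in the documented lookup order:
#   1. -Djavax.net.ssl.trustStore=<path> in the JVM options
#      (the last occurrence is taken)
#   2. <java.home>/lib/security/jssecacerts, if that file exists
#   3. <java.home>/lib/security/cacerts
# Up to Java 8, java.home of a JDK is its jre/ subdirectory.
# Limitation: option values containing spaces are not handled.
resolve_truststore() {
    jhome=$1
    override=
    for opt in $2; do
        case $opt in
            -Djavax.net.ssl.trustStore=*)
                override=${opt#-Djavax.net.ssl.trustStore=} ;;
        esac
    done
    if [ -n "$override" ]; then
        printf '%s\n' "$override"
        return 0
    fi
    if [ -d "$jhome/jre/lib/security" ]; then
        jhome=$jhome/jre
    fi
    if [ -f "$jhome/lib/security/jssecacerts" ]; then
        printf '%s\n' "$jhome/lib/security/jssecacerts"
    else
        printf '%s\n' "$jhome/lib/security/cacerts"
    fi
}

# has_alias STORE STOREPASS ALIAS: succeeds if ALIAS is present in STORE.
has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Usage: sh truststore-check.sh JAVA_HOME ALIAS ["JVM_OPTS"] [STOREPASS]
if [ $# -ge 2 ]; then
    store=$(resolve_truststore "$1" "${3:-}")
    echo "trust store used by $1: $store"
    if has_alias "$store" "${4:-changeit}" "$2"; then
        echo "alias '$2' is present"
    else
        echo "alias '$2' is missing"
    fi
fi
```

Run it once per Java installation on the master and on each build node; a node with several JREs has one trust store per installation.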


            People

            • Assignee:
              Unassigned
              Reporter:
              phil_ Philipp Strobel