Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-48568

LDAP lookup fails intermittently with self-signed cert

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      I've added my cert to the Java keystore. I've configured my LDAP properly. I've confirmed that these settings DO work. However, they work intermittently.

      I'm running the groovy script as specified in this link:

      https://wiki.jenkins.io/display/JENKINS/LDAP+Plugin#LDAPPlugin-Troubleshooting

      Sometimes running this script works, and I get the proper results back from my script. Other times, I get the following error:

      LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: <hostname>.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]]; nested exception is org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: hq.versive.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]]

      Changing the configs under "Configure Global Security" seems to help occasionally. If I change a setting in the config and save it, I can run this query successfully. However, if I reload the script page (or wait a few minutes) the Groovy script goes back to giving the same error.

      I've also downloaded the SSLPoke tool from Atlassian to debug: 

      https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html

      This tool works just fine from my Jenkins server command line, 100% of the time. I've confirmed that if I remove the cert from my keystore I can replicate the same error I'm seeing in my Jenkins logs. But when the cert is in the keystore, the SSLPoke tool works fine.

        Attachments

          Activity

          Hide
          jmartenstein78 Justin Martenstein added a comment -

          Here's a case where I run the groovy script and it passes the first two times, but fails on the last:

          (I redacted LDAP info)

          Checking the name '<group name>'... It is a GROUP: hudson.security.LDAPSecurityRealm$GroupDetailsImpl@83cbc2

          Checking the name '<user name>'... It is a USER: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@29284818 Has groups/authorities: [<groups>]

          Checking the name 'foo'... It is NOT a group, reason: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: hq.versive.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]] It is NOT a user, reason: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: hq.versive.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]]; nested exception is org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: hq.versive.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]]

          Show
          jmartenstein78 Justin Martenstein added a comment - Here's a case where I run the groovy script and it passes the first two times, but fails on the last: (I redacted LDAP info) Checking the name '<group name>'... It is a GROUP: hudson.security.LDAPSecurityRealm$GroupDetailsImpl@83cbc2 Checking the name '<user name>'... It is a USER: org.acegisecurity.userdetails.ldap.LdapUserDetailsImpl@29284818 Has groups/authorities: [<groups>] Checking the name 'foo'... It is NOT a group, reason: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: hq.versive.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target] ] It is NOT a user, reason: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: hq.versive.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target] ]; nested exception is org.acegisecurity.ldap.LdapDataAccessException: LdapCallback;null; nested exception is javax.naming.PartialResultException [Root exception is javax.naming.CommunicationException: hq.versive.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target] ]
          Hide
          oleg_nenashev Oleg Nenashev added a comment -

          In order to set proper expectation, I have unassigned Kohsuke from this tickets.
          Currently there is no Default assignee in the LDAP plugin, any contributions will be appreciated.

          Show
          oleg_nenashev Oleg Nenashev added a comment - In order to set proper expectation, I have unassigned Kohsuke from this tickets. Currently there is no Default assignee in the LDAP plugin, any contributions will be appreciated.

            People

            • Assignee:
              Unassigned
              Reporter:
              jmartenstein78 Justin Martenstein
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: