  1. Jenkins
  2. JENKINS-53634

AWS Flavor specific allowed certificates are not used


    Details

    • Sprint:
      Evergreen - Milestone 1
      Description

      Evergreen AWS flavor provisions, but fails to provision any node with the stack trace below.

      This is because apparently the custom overridden certificates to allow calls into AWS infrastructure are not used anymore.

      [WARNING][2018-09-17 18:40:26] Exception during provisioning (from hudson.plugins.ec2.EC2Cloud provision)
      com.amazonaws.SdkClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
              at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleRetryableException(AmazonHttpClient.java:1116)
              at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1066)
              at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:743)
              at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:717)
              at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
              at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667)
              at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)
              at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513)
              at com.amazonaws.services.ec2.AmazonEC2Client.doInvoke(AmazonEC2Client.java:16440)
              at com.amazonaws.services.ec2.AmazonEC2Client.invoke(AmazonEC2Client.java:16416)
              at com.amazonaws.services.ec2.AmazonEC2Client.executeDescribeInstances(AmazonEC2Client.java:8101)
              at com.amazonaws.services.ec2.AmazonEC2Client.describeInstances(AmazonEC2Client.java:8076)
              at com.amazonaws.services.ec2.AmazonEC2Client.describeInstances(AmazonEC2Client.java:8113)
              at hudson.plugins.ec2.EC2Cloud.countCurrentEC2Slaves(EC2Cloud.java:363)
              at hudson.plugins.ec2.EC2Cloud.getPossibleNewSlavesCount(EC2Cloud.java:502)
              at hudson.plugins.ec2.EC2Cloud.getNewOrExistingAvailableSlave(EC2Cloud.java:522)
              at hudson.plugins.ec2.EC2Cloud.provision(EC2Cloud.java:551)
              at hudson.slaves.NodeProvisioner$StandardStrategyImpl.apply(NodeProvisioner.java:715)
              at hudson.slaves.NodeProvisioner.update(NodeProvisioner.java:320)
              at hudson.slaves.NodeProvisioner.access$000(NodeProvisioner.java:61)
              at hudson.slaves.NodeProvisioner$NodeProvisionerInvoker.doRun(NodeProvisioner.java:809)
              at hudson.triggers.SafeTimerTask.run(SafeTimerTask.java:72)
              at jenkins.security.ImpersonatingScheduledExecutorService$1.run(ImpersonatingScheduledExecutorService.java:58)
              at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
              at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
              at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
              at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
              at java.lang.Thread.run(Thread.java:748)
      Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
              at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
              at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
              at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
              at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
              at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
              at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
              at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
              at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
              at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
              at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
              at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
              at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
              at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
              at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
              at com.amazonaws.http.conn.ssl.SdkTLSSocketFactory.connectSocket(SdkTLSSocketFactory.java:142)
              at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
              at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
              at sun.reflect.GeneratedMethodAccessor135.invoke(Unknown Source)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at com.amazonaws.http.conn.ClientConnectionManagerFactory$Handler.invoke(ClientConnectionManagerFactory.java:76)
              at com.amazonaws.http.conn.$Proxy79.connect(Unknown Source)
              at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
              at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
              at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
              at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
              at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
              at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
              at com.amazonaws.http.apache.client.impl.SdkHttpClient.execute(SdkHttpClient.java:72)
              at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1238)
              at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1058)
              ... 28 more
      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
              at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
              at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
              at sun.security.validator.Validator.validate(Validator.java:260)
              at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
              at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
              at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
              at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
              ... 54 more
      Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
              at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
              at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
              at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
              at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
              ... 60 more
      

            Activity

            batmat Baptiste Mathus added a comment -

            WONTFIX because we are just going to remove certificate pinning in JENKINS-53633


              People

              • Assignee:
                rtyler R. Tyler Croy
                Reporter:
                batmat Baptiste Mathus