I’m trying to use the Jenkins-codebuilder-plugin: https://github.com/lsegal/jenkins-codebuilder-plugin

I’ve followed the README steps but I'm having some trouble with the TLS/SSL connection between CodeBuild and the Jenkins master. I'm using a self-signed certificate.

The Jenkins master is running inside docker on an ec2 instance with an Nginx reverse proxy also running in a docker container.

I’ve mapped port 50000 and confirmed it's accepting connections using the command: nc -zv <domain> 50000

I tried adding the SSL certificate to the jvm truststore and specifying the java opts:

openssl s_client -connect <domain>:443 -showcerts </dev/null 2>/dev/null|openssl x509 -outform DER > jenkinscert.der

keytool -importcert -alias jenkins-CA \
-keystore /usr/local/openjdk-11/lib/security/cacerts \
-file jenkinscert.der \
-storepass changeit \
-noprompt

-e JAVA_OPTS="-Djenkins.install.runSetupWizard=false -Djavax.net.ssl.trustStore=/usr/local/openjdk-11/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit" \

sudo docker run -d --restart=always --name nginx-proxy \
    -p 80:80 \
    -p 443:443 \
    -v /var/run/docker.sock:/tmp/docker.sock:ro \
    -v /home/ec2-user/certs:/etc/nginx/certs \
    jwilder/nginx-proxy:latest

sudo docker run -d --restart=always --name jenkins-master \
    -u root \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /usr/bin/docker:/usr/bin/docker \
    -v /home/ec2-user/config:/usr/share/jenkins/ref/init.groovy.d/config \
    -v /home/ec2-user/certs:/root/certs \
    -v /home/ec2-user/.ssh:/root/.ssh \
    -v /home/ec2-user/.aws:/root/.aws \
    -v jenkins-data:/var/jenkins_home \
    -e JAVA_OPTS="-Djenkins.install.runSetupWizard=false -Djavax.net.ssl.trustStore=/usr/local/openjdk-11/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit" \
    -e VIRTUAL_HOST=<domain> \
    -e VIRTUAL_PORT=8080 \
    -p 50000:50000 \
    rodmccutcheon/jenkins-devops:latest

I expect codebuild to connect successfully to the jenkins master using jnlp4.

The error I get in codebuild is:

[Container] 2019/07/16 04:52:36 Waiting for agent ping
[Container] 2019/07/16 04:52:38 Waiting for DOWNLOAD_SOURCE
[Container] 2019/07/16 04:52:38 Phase is DOWNLOAD_SOURCE
[Container] 2019/07/16 04:52:38 CODEBUILD_SRC_DIR=/codebuild/output/src222308476/src
[Container] 2019/07/16 04:52:38 YAML location is /codebuild/readonly/buildspec.yml
[Container] 2019/07/16 04:52:38 Processing environment variables
[Container] 2019/07/16 04:52:38 Moving to directory /codebuild/output/src222308476/src
[Container] 2019/07/16 04:52:38 Registering with agent
[Container] 2019/07/16 04:52:38 Phases found in YAML: 2
[Container] 2019/07/16 04:52:38 PRE_BUILD: 1 commands
[Container] 2019/07/16 04:52:38 BUILD: 1 commands
[Container] 2019/07/16 04:52:38 Phase complete: DOWNLOAD_SOURCE State: SUCCEEDED
[Container] 2019/07/16 04:52:38 Phase context status code: Message:
[Container] 2019/07/16 04:52:38 Entering phase INSTALL
[Container] 2019/07/16 04:52:38 Phase complete: INSTALL State: SUCCEEDED
[Container] 2019/07/16 04:52:38 Phase context status code: Message:
[Container] 2019/07/16 04:52:38 Entering phase PRE_BUILD
[Container] 2019/07/16 04:52:38 Running command which dockerd-entrypoint.sh >/dev/null && dockerd-entrypoint.sh || exit 0
[Container] 2019/07/16 04:52:40 Phase complete: PRE_BUILD State: SUCCEEDED
[Container] 2019/07/16 04:52:40 Phase context status code: Message:
[Container] 2019/07/16 04:52:40 Entering phase BUILD
[Container] 2019/07/16 04:52:40 Running command jenkins-agent -noreconnect -workDir "$CODEBUILD_SRC_DIR" -url "<domain>" "dc60f3cc7918b8d8c573cb809ba874eb8f528c3ce11227c083c81fa6dc1b48aa" "jenkins-cluster.cb-HKFE" || exit 0
Warning: JnlpProtocol3 is disabled by default, use JNLP_PROTOCOL_OPTS to alter the behavior
Jul 16, 2019 4:52:41 AM hudson.remoting.jnlp.Main createEngine
INFO: Setting up agent: jenkins-cluster.cb-HKFE
Jul 16, 2019 4:52:41 AM hudson.remoting.jnlp.Main$CuiListener <init>
INFO: Jenkins agent is running in headless mode.
Jul 16, 2019 4:52:41 AM hudson.remoting.Engine startEngine
INFO: Using Remoting version: 3.28
Jul 16, 2019 4:52:41 AM org.jenkinsci.remoting.engine.WorkDirManager initializeWorkDir
INFO: Using /codebuild/output/src222308476/src/remoting as a remoting work directory
Both error and output logs will be printed to /codebuild/output/src222308476/src/remoting
Jul 16, 2019 4:52:41 AM hudson.remoting.jnlp.Main$CuiListener status
INFO: Locating server among [<domain>]
Jul 16, 2019 4:52:42 AM hudson.remoting.jnlp.Main$CuiListener error
SEVERE: Failed to connect to <domain>/tcpSlaveAgentListener/: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
java.io.IOException: Failed to connect to <domain>/tcpSlaveAgentListener/: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver.resolve(JnlpAgentEndpointResolver.java:197)
at hudson.remoting.Engine.innerRun(Engine.java:523)
at hudson.remoting.Engine.run(Engine.java:474)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)
at org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver.resolve(JnlpAgentEndpointResolver.java:194)
... 2 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 19 more
[Container] 2019/07/16 04:52:42 Phase complete: BUILD State: SUCCEEDED
[Container] 2019/07/16 04:52:42 Phase context status code: Message:
[Container] 2019/07/16 04:52:42 Entering phase POST_BUILD
[Container] 2019/07/16 04:52:42 Phase complete: POST_BUILD State: SUCCEEDED
[Container] 2019/07/16 04:52:42 Phase context status code: Message:

Jenkins master java version:

openjdk version "1.8.0_232"
OpenJDK Runtime Environment (build 1.8.0_232-b09)
OpenJDK 64-Bit Server VM (build 25.232-b09, mixed mode)

Jnlp slave java version:

openjdk version "1.8.0_191"
OpenJDK Runtime Environment (IcedTea 3.10.0) (Alpine 8.191.12-r0)
OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)
Rod McCutcheon
  • Do I need to add the certificate to the slave truststore not the master truststore? – Rod McCutcheon Jul 18 '19 at 04:52
  • What version of Java were you running? I mean which exact version, like 1.8.0_241-b07 – ccc Jan 23 '20 at 23:45
  • @ccc - added the java versions to the description. Do the jenkins master and jnlp slave java versions need to match? – Rod McCutcheon Feb 05 '20 at 03:24
  • Normally the Java versions shouldn't matter. I am asking because I experienced some issues with SSL/TLS connections with Java 8 that I could only fix by upgrading to the latest version of Java 8. Might be worth a try. – ccc Feb 08 '20 at 13:01
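
An added example, not part of the original question or of the plugin's code: a small Python triage of the stack trace quoted above. It uses the `checkServerTrusted` frame to tell which side of the handshake rejected the certificate, which is the JVM whose trust store was consulted; the sample trace is abridged from the output in the question, and the function names are hypothetical.

```python
import re

# Constructed sample: abridged from the agent output quoted in the question.
SAMPLE_TRACE = """\
SEVERE: Failed to connect to <domain>/tcpSlaveAgentListener/: sun.security.validator.ValidatorException: PKIX path building failed
java.io.IOException: Failed to connect to <domain>/tcpSlaveAgentListener/: sun.security.validator.ValidatorException: PKIX path building failed
at org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver.resolve(JnlpAgentEndpointResolver.java:197)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
"""

CAUSE_RE = re.compile(r"^Caused by: ([\w.$]+): (.*)$", re.M)
FRAME_RE = re.compile(r"^\s*at ([\w.$]+)\.([\w$<>]+)\(", re.M)
TARGET_RE = re.compile(r"Failed to connect to (\S+?):\s")

def root_cause(trace):
    """Return (exception class, message) of the innermost 'Caused by:' entry."""
    causes = CAUSE_RE.findall(trace)
    return causes[-1] if causes else None

def tls_role(trace):
    """Which side of the handshake the JVM that printed the trace was on."""
    methods = {method for _cls, method in FRAME_RE.findall(trace)}
    if "checkServerTrusted" in methods:
        return "client"   # this JVM was validating the peer's server certificate
    if "checkClientTrusted" in methods:
        return "server"   # this JVM was validating a client certificate
    return None

def diagnose(trace):
    """Summarise who rejected which certificate; the trust store that was
    consulted belongs to the JVM that threw the exception, not to its peer."""
    cause = root_cause(trace)
    target = TARGET_RE.search(trace)
    return {
        "role": tls_role(trace),
        "target": target.group(1) if target else None,
        "root_exception": cause[0] if cause else None,
        "no_trust_anchor": bool(cause) and "unable to find valid certification path" in cause[1],
    }

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```
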

0 Answers