Unable to connect Digital.ai Release to external applications

Issue

When trying to connect Digital.ai Release to an external service like Jenkins, you get an SSL-related error like:

javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

Cause

This happens because the external application serves HTTPS with an SSL cert that is not signed by a CA that Release trusts. By default, Release uses the JRE truststore, so you need to export the application's certificate and add it to Release's truststore.

Steps to Follow

  1. Get the public cert of Jenkins:
openssl s_client -showcerts -connect my-jenkins.com:8080 </dev/null > jenkins.cer
  2. Create a truststore for Release:

You have two options here. One is to create a new, empty truststore. Release would then trust only the cert from step 1 that you are going to import, and nothing else (not even publicly trusted sites with CA-signed certs). The other option is to copy Java's default truststore and add the cert to that copy.

  • Option 1 - Empty truststore:
keytool -importcert -file jenkins.cer -keystore $XL_RELEASE_HOME/conf/XLReleaseTrustStore.jks -alias jenkins
  • Option 2 - Copy Java truststore:
cp $JAVA_HOME/lib/security/cacerts $XL_RELEASE_HOME/conf/XLReleaseTrustStore.jks
keytool -importcert -file jenkins.cer -keystore $XL_RELEASE_HOME/conf/XLReleaseTrustStore.jks -alias jenkins
  3. Then, tell Release to use the truststore by editing conf/xlr-wrapper-linux.conf and adding the two lines below. Replace X and X+1 with the next unused wrapper.java.additional numbers in that file, and replace password with the password of the truststore:
wrapper.java.additional.X=-Djavax.net.ssl.trustStore=conf/XLReleaseTrustStore.jks
wrapper.java.additional.X+1=-Djavax.net.ssl.trustStorePassword=password
  4. Restart Release. It should no longer throw that error.
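
The certificate fetched in step 1 is whatever the network returned, so it is worth comparing its SHA-256 fingerprint with one obtained from the Jenkins administrator before importing it. The script below is an added example, not part of the original article; the function names and the sample data are constructed for illustration, and it assumes base64 and sha256sum from coreutils are available.

```shell
#!/bin/sh
# Added example: compare a fetched certificate with a fingerprint obtained
# out of band before importing it. All function names are hypothetical.

# Print only the first PEM block (the server's own certificate) from
# `openssl s_client -showcerts` output on stdin.
first_pem_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { on = 1 }
         on { print }
         /-----END CERTIFICATE-----/ { if (on) exit }'
}

# Print the lowercase hex SHA-256 of the DER bytes of the PEM block on stdin.
pem_sha256() {
    grep -v -e '-----' | tr -d ' \r\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# Reduce a fingerprint such as "SHA256 Fingerprint=AB:CD:..." (the format
# printed by `openssl x509 -fingerprint`) to bare lowercase hex.
normalise_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# verify_pin FILE EXPECTED: succeed only if the first certificate in FILE
# has the expected SHA-256 fingerprint; return 2 if no certificate is found.
verify_pin() {
    actual=$(first_pem_cert < "$1" | pem_sha256) || return 2
    [ -n "$(first_pem_cert < "$1")" ] || return 2
    [ "$actual" = "$(normalise_fp "$2")" ]
}

# Constructed sample standing in for s_client output (not real certificates).
sample_s_client_output() {
    printf 'CONNECTED(00000003)\n---\nCertificate chain\n'
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$(printf 'leaf-bytes' | base64)" '-----END CERTIFICATE-----'
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$(printf 'issuer-bytes' | base64)" '-----END CERTIFICATE-----' '---'
}

# Usage with the file from step 1 (EXPECTED_FP comes from the Jenkins admin):
#   verify_pin jenkins.cer "$EXPECTED_FP" \
#     && first_pem_cert < jenkins.cer > jenkins-leaf.pem \
#     || echo "fingerprint mismatch: do not import" >&2
```

If the check passes, import the extracted certificate file with the keytool command from step 2.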
