Issue
When trying to connect XL Release to an external service such as Jenkins, you get an SSL-related error like:
javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
Cause
This happens because the external application serves HTTPS with a certificate that is not signed by a CA that XL Release trusts. By default, XL Release uses the JRE truststore, so you need to export the application's certificate and add it to XL Release's truststore.
Steps to Follow
- Get the public certificate of Jenkins:
openssl s_client -showcerts -connect my-jenkins.com:8080 </dev/null | openssl x509 -outform PEM > jenkins.cer
- Create a truststore for XL Release:
You have 2 options here. One is to create a new truststore that is empty. This would mean that XL Release would only trust the cert (from step 1) that you are going to import, and nothing else (not even publicly trusted sites with CA-signed certs). The other option would be to copy Java's default truststore and add an additional cert to the truststore.
- Option 1 - Empty truststore:
keytool -importcert -file jenkins.cer -keystore "$XL_RELEASE_HOME/conf/XLReleaseTrustStore.jks" -alias jenkins
- Option 2 - Copy Java truststore:
cp "$JAVA_HOME/lib/security/cacerts" "$XL_RELEASE_HOME/conf/XLReleaseTrustStore.jks"
keytool -importcert -file jenkins.cer -keystore "$XL_RELEASE_HOME/conf/XLReleaseTrustStore.jks" -alias jenkins
- Then, tell XL Release to use the truststore by editing conf/xlr-wrapper-linux.conf and adding:
wrapper.java.additional.X=-Djavax.net.ssl.trustStore=conf/XLReleaseTrustStore.jks
wrapper.java.additional.X+1=-Djavax.net.ssl.trustStorePassword=password
- Restart XL Release. It should no longer throw that error.
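Importing whatever certificate the server presents trusts it on first use, so compare its SHA-256 fingerprint with one obtained out of band (for example from the Jenkins administrator) before running keytool. The script below is an added example, not part of the original article or of XL Release; the function names are hypothetical, the pin is a value you supply, and make_sample_capture only builds a constructed self-signed certificate so the check can be tried offline.

```sh
#!/bin/sh
# Added example: pin-check a captured certificate before adding it to the truststore.
# Usage: import_if_pinned jenkins.cer "<pinned SHA-256 fingerprint>" \
#            "$XL_RELEASE_HOME/conf/XLReleaseTrustStore.jks" jenkins "$STOREPASS"

# Print the SHA-256 fingerprint (uppercase hex, no colons) of the first
# certificate in a file. openssl skips any s_client session text around the PEM.
leaf_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# Succeed only if the file's fingerprint equals the pin (colons/case ignored).
pin_matches() {
    got=$(leaf_fingerprint "$1")
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Import into the truststore only after the pin check passes.
import_if_pinned() {   # args: cert-file pin keystore alias storepass
    pin_matches "$1" "$2" || { echo "fingerprint mismatch, not importing $1" >&2; return 1; }
    clean=$(mktemp) || return 1
    # Re-encode as a clean PEM so keytool sees only the leaf certificate.
    if openssl x509 -in "$1" -out "$clean" &&
       keytool -importcert -noprompt -file "$clean" -keystore "$3" -alias "$4" -storepass "$5"
    then rc=0; else rc=1; fi
    rm -f "$clean"
    return $rc
}

# Constructed sample input: a throwaway self-signed certificate wrapped in
# text shaped like s_client output. Not a real Jenkins certificate.
make_sample_capture() {
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=my-jenkins.com" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null || return 1
    { echo "CONNECTED(00000003)"; echo "---"; echo "Certificate chain"
      cat "$tmp/cert.pem"; echo "---"; echo "DONE"; } > "$1"
    rm -rf "$tmp"
}
```

After a successful import, keytool -list -v -keystore on the truststore shows the same SHA-256 fingerprint under the jenkins alias.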