[JAVA] A story about PKIX path building failed when trying to deploy to tomcat with Jenkins

A story about trying to deploy with Jenkins

I used Jenkins for the first time to create a ci / cd environment.

I set up jenkins with docker, registered the git repository, built it, and proceeded to the deployment stage. Use maven's tomcat7-maven-plugin as the deployment method However, there was an unexpected error.

com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Investigate errors

I got an error, so I asked google teacher as usual.

Roughly speaking, I found out that I was getting an error because the SSL certificate of the site I was trying to communicate with was not trusted. It seems that the oleore certificate or the certificate has expired.

However, the server I was trying to deploy wasn't my certificate, and it hadn't expired yet. Furthermore, even if I accessed it with a browser, I was able to communicate firmly via https. However, this "accessible with a browser" later complicated the problem.

More detailed error investigation

I searched a lot, but I couldn't find any useful information. It just says that none of the sites trust the certificate, so add it to the trust list with keytool. .. .. .. However, I don't need that because it's not my certificate! I thought about various other factors.

My SSL certificate was issued by let's encrypt. Isn't java not trusting let's encrypt itself? I thought, and searched.

There was a person who was investigating here. I see, did you still trust let's encrypt itself?

However, as I read this article, the following description

Let ’s Encrypt certificate seems to be supported from Java 8 Update 101. There was.

Is there an error because the java version used by Jenkins is less than Java 8 Update 101! If you list the java version, it will be solved!

I thought. .. .. .. ..

Jenkins survey

As I wrote above, I thought it was due to the java version, so I went to check the version used by jenkins. I found out that the java version is written in the system information of Jenkins, so I went.

java.version 1.8.0_171

・ ・ ・ ・ ・ ・ ・ ・ ・

I'm sure the java version of jenkins is different from the java version when it is actually executed, so I ran java -version in the job.

java -version openjdk version "1.8.0_171" OpenJDK Runtime Environment (build 1.8.0_171-8u171-b11-1~deb9u1-b11) OpenJDK 64-Bit Server VM (build 25.171-b11, mixed mode)

・ ・ ・ ・ ・ ・ ・ ・ ・ ・ ・

why? Wasn't it due to the java version? I don't know anymore

Try it in a local environment

I decided to deploy locally for the first time here. I tried the command that was being executed by jenkins as it is locally.

com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

seriously.

I tried deploying with http instead of https

Requests that normally come to http are redirected to https

I don't know what the cause is, so I tried deploying it by making it accessible via http instead of https to isolate the problem.

You can deploy it properly.

Summary so far

Deploying with maven tomcat7-maven-plugin doesn't work. The ssl certificate seems to be a problem, but there is no problem even if you access the site from a browser. let's encript gives an error depending on the version of java, but it is not the version currently used. Jenkins itself isn't a problem, as you'll get similar errors locally. Since you can do it with http, the command is correct and it is unlikely that there is a problem on the client side

To be honest, I have no idea where the problem is. I started to think that it would be faster to register the certificate using keytool around here.

As you will see later, registering with keytool does not solve the error. So, as a result, it was the correct answer.

He said he was investigating while giving up halfway. .. ..

There is a site that you can search on google with a suitable word. I found this comment in security-provider-certpath-suncertpathbuilderexception-unable-to-find-valid-certification-path-to-requested-target / 28283).

Your problem has nothing to do with java! Your site is returning an incomplete chain of certificates! So we need to change it to return the full certificate chain (fullchain.pem)!

what. .. ..

Certainly I had cert1.pem loaded. As it was written on the site, load fullchain.pem. .. ..

The error disappeared instantly and I was able to deploy without any problems! !! !! !!

Summary

I just changed the SSL certificate file to be read from cert1.pem to fullchain.pem. Access from the browser is fine, and if you get an error when accessing from java, please check it.

At the end

The file that read the SSL certificate was written on some site, and I thought it was okay because it worked with the SSL certificate without any problems. Because of that belief, I put off checking if SSL was okay.

I still think that if you have fullchain1.pem, you don't need cert1.pem, right? It wouldn't have happened with only fullchain1.pem. .. .. If anyone knows why cert1.pem is needed, please let me know

Recommended Posts

A story about PKIX path building failed when trying to deploy to tomcat with Jenkins
A story about trying to get along with Mockito
A story about trying to operate JAVA File
PKIX path building failed: Add SSL certificate to java
Automatically deploy to WildFly with Jenkins when SVN commits
A story about trying hard to decompile JAR files
A story about reducing memory consumption to 1/100 with find_in_batches
A story that failed when connecting to CloudSQL by running Sprint-boot with kubernetes (GKE)
I was angry with proc_open (): fork failed when trying to composer update inside a Docker container
Hanashi stumbled a little on path trying to study Java with VScode
A memo to do for the time being when building CentOS 6 series with VirtualBox
A story that stumbled when deploying a web application created with Spring Boot to EC2
A story that did not work when trying to handle events in Notification Center
A warning is displayed when trying to use a huge integer with the special variables $ 1, $ 2, $ 3 ...
[PHP] A story about outputting PDF with TCPDF + FPDI
A memorandum when trying Spring Data JPA with STS
A memorandum when trying to create a GUI using JavaFX
A story about developing ROS called rosjava with java
A note that I had trouble when trying to use nginx with Remote-Containers of vscode
A story stuck with an error when building Vagrant + Virtulbox CentOS7.8 and creating a shared folder
When trying to insert a specific gem (levenshtein) with Docker, an error occurred without ruby-dev