I've got Jenkins running on an instance on Google Compute Engine. I've got
a Kubernetes cluster set up on GKE to run agents on. I followed the steps
here:
https://cloud.google.com/solutions/configuring-jenkins-kubernetes-engin
<https://cloud.google.com/solutions/configuring-jenkins-kubernetes-engine> The
master successfully creates pods, but the SSL handshake always fails with
this error:
Advertising
Error in provisioning; agent=KubernetesSlave name: jenkins-t4lpw,
template=PodTemplate{inheritFrom='', name='jenkins', namespace='',
instanceCap=5, label='debian-8', nodeSelector='', nodeUsageMode=NORMAL,
workspaceVolume=org.csanchez.jenkins.plugins.kubernetes.volumes.workspace.EmptyDirWorkspaceVolume@22c413cb,
containers=[ContainerTemplate{name='build-agent', image='jenkins/jnlp-slave',
workingDir='/home/jenkins', command='/bin/sh -c', args='cat', ttyEnabled=true,
resourceRequestCpu='', resourceRequestMemory='', resourceLimitCpu='',
resourceLimitMemory='',
livenessProbe=org.csanchez.jenkins.plugins.kubernetes.ContainerLivenessProbe@76480942}]}.
Container jnlp exited with error 255. Logs: at
sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
at
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at
sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)
at
org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver.resolve(JnlpAgentEndpointResolver.java:189)
... 2 more
Caused by: sun.security.validator.ValidatorException: PKIX path building
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:260)
at
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target
at
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 19 more
I know the SSL cert used by my master is valid, so I don't know what the
issue is. I've tried using a local IP and providing a cert signed by my own
CA, then making a new image off of
gcr.io/cloud-solutions-images/jenkins-k8s-slave:v4 that imports the CA into
the jave keystore, but I still get the same error.
Is there any way to pass the --httpsKeyStore argument to Jenkins agents
that are run on GKE? If that isn't the problem, where should I look in my
config?
--
You received this message because you are subscribed to the Google Groups
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-users/6c9bc8b9-731b-4fcb-8eb1-c0e8f4973b52%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.