Hello all, i have a jenkins master on premise and i want execute jobs in gcp kubernetes cluster with a jenkins-slave image. I have a problem with SSL, the pod error log says:
NAME READY STATUS RESTARTS AGE jenkins-pod-1r6g1 1/2 Error 0 3m Mar 13, 2019 3:33:42 PM hudson.remoting.jnlp.Main createEngine INFO: Setting up agent: jenkins-pod-zwp9s Mar 13, 2019 3:33:42 PM hudson.remoting.jnlp.Main$CuiListener <init> INFO: Jenkins agent is running in headless mode. Mar 13, 2019 3:33:43 PM hudson.remoting.Engine startEngine INFO: Using Remoting version: 3.28 Mar 13, 2019 3:33:43 PM hudson.remoting.Engine startEngine WARNING: No Working Directory. Using the legacy JAR Cache location: /home/jenkins/.jenkins/cache/jars Mar 13, 2019 3:33:43 PM hudson.remoting.jnlp.Main$CuiListener status INFO: Locating server among [https://myhost.com:8443/] Mar 13, 2019 3:33:44 PM hudson.remoting.jnlp.Main$CuiListener error SEVERE: Failed to connect to https://myhost.com:8443/tcpSlaveAgentListener/: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target java.io.IOException: Failed to connect to https://myhost.com:8443/tcpSlaveAgentListener/: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver.resolve(JnlpAgentEndpointResolver.java:197) at hudson.remoting.Engine.innerRun(Engine.java:523) at hudson.remoting.Engine.run(Engine.java:474) Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) at sun.security.ssl.Handshaker.process_record(Handshaker.java:965) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162) at org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver.resolve(JnlpAgentEndpointResolver.java:194) ... 2 more Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) at sun.security.validator.Validator.validate(Validator.java:262) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621) ... 13 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) ... 19 more I have read a lot of documentation and i have tried everything without success: * Parameters -Dcom.sun.net.ssl.checkRevocation=false and -noCertificateCheck in "Arguments to pass to the command" kubernetes pugin box * I have built my own image importing my certificate and my intermediate certificate in /docker-java-home/jre/lib/security/cacerts. If i use keytool for list certificates i see my imported certificates. In fact, if i test jenkins-cli.jar manually in the pod works fine: # java -jar jenkins-cli.jar -s https://myhost.com:8443 -auth user:pass add-job-to-view Adds jobs to view. build Builds a job, and optionally waits until its completion. cancel-quiet-down [...] I followed https://support.cloudbees.com/hc/en-us/articles/218097237-How-to-troubleshoot-JNLP-slaves-connection-issues-with-Jenkins- (How to troubleshoot JNLP slaves connection issues with Jenkins?) All tests works fine Also, i enabled "Use browser for metadata download" box in global security I attach my kubernetes plugin configuration, the test connection works fine Can someone help me please? thank you so much -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/2ae6d5a1-5f65-4615-a649-d45e7a2b8645%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
