any ideas? thanks
El jueves, 14 de marzo de 2019, 18:15:46 (UTC+1), dev null escribió: > > Hello all, i have a jenkins master on premise and i want execute jobs in > gcp kubernetes cluster with a jenkins-slave image. > I have a problem with SSL, the pod error log says: > > > NAME READY STATUS RESTARTS AGE > jenkins-pod-1r6g1 1/2 Error 0 3m > > > Mar 13, 2019 3:33:42 PM hudson.remoting.jnlp.Main createEngine > INFO: Setting up agent: jenkins-pod-zwp9s > Mar 13, 2019 3:33:42 PM hudson.remoting.jnlp.Main$CuiListener <init> > INFO: Jenkins agent is running in headless mode. > Mar 13, 2019 3:33:43 PM hudson.remoting.Engine startEngine > INFO: Using Remoting version: 3.28 > Mar 13, 2019 3:33:43 PM hudson.remoting.Engine startEngine > WARNING: No Working Directory. Using the legacy JAR Cache location: > /home/jenkins/.jenkins/cache/jars > Mar 13, 2019 3:33:43 PM hudson.remoting.jnlp.Main$CuiListener status > INFO: Locating server among [https://myhost.com:8443/] > Mar 13, 2019 3:33:44 PM hudson.remoting.jnlp.Main$CuiListener error > SEVERE: Failed to connect to > https://myhost.com:8443/tcpSlaveAgentListener/: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target > java.io.IOException: Failed to connect to > https://myhost.com:8443/tcpSlaveAgentListener/: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target > at > org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver.resolve(JnlpAgentEndpointResolver.java:197) > at hudson.remoting.Engine.innerRun(Engine.java:523) > at hudson.remoting.Engine.run(Engine.java:474) > Caused by: javax.net.ssl.SSLHandshakeException: > sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to find > valid certification path to requested target > at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) > at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946) > at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316) > at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310) > at > sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639) > at > sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) > at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) > at sun.security.ssl.Handshaker.process_record(Handshaker.java:965) > at > sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064) > at > sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367) > at > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395) > at > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379) > at > sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) > at > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) > at > sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162) > at > org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver.resolve(JnlpAgentEndpointResolver.java:194) > ... 2 more > Caused by: sun.security.validator.ValidatorException: PKIX path building > failed: sun.security.provider.certpath.SunCertPathBuilderException: unable > to find valid certification path to requested target > at > sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) > at > sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) > at sun.security.validator.Validator.validate(Validator.java:262) > at > sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) > at > sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) > at > sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) > at > sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621) > ... 13 more > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: > unable to find valid certification path to requested target > at > sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) > at > sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) > at > java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) > at > sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) > ... 19 more > > I have read a lot of documentation and i have tried everything without > success: > > * Parameters -Dcom.sun.net.ssl.checkRevocation=false and > -noCertificateCheck in "Arguments to pass to the command" kubernetes pugin > box > * I have built my own image importing my certificate and my intermediate > certificate in /docker-java-home/jre/lib/security/cacerts. If i use keytool > for list certificates i see my imported certificates. > In fact, if i test jenkins-cli.jar manually in the pod works fine: > > # java -jar jenkins-cli.jar -s https://myhost.com:8443 -auth user:pass > add-job-to-view > Adds jobs to view. > build > Builds a job, and optionally waits until its completion. > cancel-quiet-down > [...] > > I followed > https://support.cloudbees.com/hc/en-us/articles/218097237-How-to-troubleshoot-JNLP-slaves-connection-issues-with-Jenkins- > > (How to troubleshoot JNLP slaves connection issues with Jenkins?) > All tests works fine > > Also, i enabled "Use browser for metadata download" box in global security > > I attach my kubernetes plugin configuration, the test connection works fine > > Can someone help me please? thank you so much > -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/b2906762-f5c7-4456-8ba8-f7b3136c8d78%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
