Are you running jenkins with SSL enabled ? or are you running jenkins non-ssl and then enabling ssl at ingress level The plugin will connect internally to the cluster so typically no SSL url is used
On Sun, Apr 8, 2018 at 10:37 PM, Ryan Timoney <rtimo...@sparkcognition.com> wrote: > I've got Jenkins running on an instance on Google Compute Engine. I've got > a Kubernetes cluster set up on GKE to run agents on. I followed the steps > here: https://cloud.google.com/solutions/configuring- > jenkins-kubernetes-engin > <https://cloud.google.com/solutions/configuring-jenkins-kubernetes-engine> The > master successfully creates pods, but the SSL handshake always fails with > this error: > > Error in provisioning; agent=KubernetesSlave name: jenkins-t4lpw, > template=PodTemplate{inheritFrom='', name='jenkins', namespace='', > instanceCap=5, label='debian-8', nodeSelector='', nodeUsageMode=NORMAL, > workspaceVolume=org.csanchez.jenkins.plugins.kubernetes.volumes.workspace.EmptyDirWorkspaceVolume@22c413cb, > containers=[ContainerTemplate{name='build-agent', > image='jenkins/jnlp-slave', workingDir='/home/jenkins', command='/bin/sh -c', > args='cat', ttyEnabled=true, resourceRequestCpu='', resourceRequestMemory='', > resourceLimitCpu='', resourceLimitMemory='', > livenessProbe=org.csanchez.jenkins.plugins.kubernetes.ContainerLivenessProbe@76480942}]}. > Container jnlp exited with error 255. Logs: at > sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) > at > sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514) > at > sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) > at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) > at sun.security.ssl.Handshaker.process_record(Handshaker.java:961) > at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) > at > sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) > at > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) > at > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) > at > sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) > at > sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) > at > sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162) > at > org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver.resolve(JnlpAgentEndpointResolver.java:189) > ... 2 more > Caused by: sun.security.validator.ValidatorException: PKIX path building > failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to > find valid certification path to requested target > at > sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) > at > sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) > at sun.security.validator.Validator.validate(Validator.java:260) > at > sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) > at > sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) > at > sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) > at > sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496) > ... 13 more > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable > to find valid certification path to requested target > at > sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) > at > sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) > at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) > at > sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) > ... 19 more > > > I know the SSL cert used by my master is valid, so I don't know what the > issue is. I've tried using a local IP and providing a cert signed by my own > CA, then making a new image off of gcr.io/cloud-solutions- > images/jenkins-k8s-slave:v4 that imports the CA into the jave keystore, > but I still get the same error. > > Is there any way to pass the --httpsKeyStore argument to Jenkins agents > that are run on GKE? If that isn't the problem, where should I look in my > config? > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to jenkinsci-users+unsubscr...@googlegroups.com. > To view this discussion on the web visit https://groups.google.com/d/ > msgid/jenkinsci-users/6c9bc8b9-731b-4fcb-8eb1-c0e8f4973b52%40googlegroups. > com > <https://groups.google.com/d/msgid/jenkinsci-users/6c9bc8b9-731b-4fcb-8eb1-c0e8f4973b52%40googlegroups.com?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/CALHFn6MReba79Pm%2BD4%3D6dYAJ6nZtL-2VzzKko%3DkRz8qmDmgaHw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
