Jenkins Windows 奴隶认为我的证书无效
Jenkins Windows slave thinks my cert is invalid
按照文档使用 Java Web Start,我已经到了 运行 从站上的这个命令连接到主站的地步:
java -jar agent.jar -jnlpUrl https://my-server.com:8888/computer/myslave/slave-agent.jnlp -secret sdfsdfsdfsdf -workDir "c:\Jenkins"
我有一个有效的 public 证书。从奴隶我可以访问 https://my-server.com:8888 和 chrome 说证书有效那么为什么詹金斯抱怨?使用 -noCertificateCheck 似乎很愚蠢,因为我为该死的东西付出了很多钱
Mar 28, 2018 9:34:49 PM org.jenkinsci.remoting.engine.WorkDirManager
initializeWorkDir INFO: Using c:\Jenkins\remoting as a remoting work
directory Both error and output logs will be printed to
c:\Jenkins\remoting Exception in thread "main" java.io.IOException:
Failed to validate a server certificate. If you are using a
self-signed certificate, you can use the -noCertificateCheck option to
bypass this check.
at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:548)
at hudson.remoting.Launcher.run(Launcher.java:322)
at hudson.remoting.Launcher.main(Launcher.java:283) Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid c ertification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown
Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown
Source)
at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:490)
... 2 more Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown
Source)
... 14 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown
Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown
Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 20 more
编辑:
所以我根本无法连接。如果我使用 -noCertificateCheck 我得到 Incorrect acknowledgement sequence 我假设因为我使用 HTTPS 没有验证证书
在您的问题中,您使用了端口 8888 (https://my-server.com:8888)。我看到端口不存在或为 443 的 jnlp 脚本。
当我看到像你这样的错误时,我将证书导入 Java 密钥库。更多详情 here.
keytool -import -alias $ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts -file $PATH_TO_PEM_FILE
只有 public 证书才需要此导入,例如 self-signed,但您可以尝试。可能有证书链,如 所述。
我的问题是我需要将整个证书链导入 java 密钥库
像 chrome 这样的浏览器将遵循 aia 扩展并为您下载链,但 java 密钥库想让您的生活变得艰难。
我试过了
- 在 salve 机器上更新 Java 以获得 Java 最新的信任库。
- 使用 public SSL (steps).
手动更新 Java 信任库
但上面没有任何效果。
最后,通过绕过以下命令末尾的 -noCertificateCheck,我能够从从属服务器连接到主服务器:
java -jar agent.jar -jnlpUrl https://example.com/computer/windows_slave/jenkins-agent.jnlp -secret [secret] -noCertificateCheck
按照文档使用 Java Web Start,我已经到了 运行 从站上的这个命令连接到主站的地步:
java -jar agent.jar -jnlpUrl https://my-server.com:8888/computer/myslave/slave-agent.jnlp -secret sdfsdfsdfsdf -workDir "c:\Jenkins"
我有一个有效的 public 证书。从奴隶我可以访问 https://my-server.com:8888 和 chrome 说证书有效那么为什么詹金斯抱怨?使用 -noCertificateCheck 似乎很愚蠢,因为我为该死的东西付出了很多钱
Mar 28, 2018 9:34:49 PM org.jenkinsci.remoting.engine.WorkDirManager initializeWorkDir INFO: Using c:\Jenkins\remoting as a remoting work directory Both error and output logs will be printed to c:\Jenkins\remoting Exception in thread "main" java.io.IOException: Failed to validate a server certificate. If you are using a self-signed certificate, you can use the -noCertificateCheck option to bypass this check. at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:548) at hudson.remoting.Launcher.run(Launcher.java:322) at hudson.remoting.Launcher.main(Launcher.java:283) Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid c ertification path to requested target at sun.security.ssl.Alerts.getSSLException(Unknown Source) at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source) at sun.security.ssl.Handshaker.fatalSE(Unknown Source) at sun.security.ssl.Handshaker.fatalSE(Unknown Source) at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source) at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) at sun.security.ssl.Handshaker.processLoop(Unknown Source) at sun.security.ssl.Handshaker.process_record(Unknown Source) at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source) at hudson.remoting.Launcher.parseJnlpArguments(Launcher.java:490) ... 2 more Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.validator.PKIXValidator.doBuild(Unknown Source) at sun.security.validator.PKIXValidator.engineValidate(Unknown Source) at sun.security.validator.Validator.validate(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) ... 14 more Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) at java.security.cert.CertPathBuilder.build(Unknown Source) ... 20 more
编辑:
所以我根本无法连接。如果我使用 -noCertificateCheck 我得到 Incorrect acknowledgement sequence 我假设因为我使用 HTTPS 没有验证证书
在您的问题中,您使用了端口 8888 (https://my-server.com:8888)。我看到端口不存在或为 443 的 jnlp 脚本。
当我看到像你这样的错误时,我将证书导入 Java 密钥库。更多详情 here.
keytool -import -alias $ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts -file $PATH_TO_PEM_FILE
只有 public 证书才需要此导入,例如 self-signed,但您可以尝试。可能有证书链,如
我的问题是我需要将整个证书链导入 java 密钥库
像 chrome 这样的浏览器将遵循 aia 扩展并为您下载链,但 java 密钥库想让您的生活变得艰难。
我试过了
- 在 salve 机器上更新 Java 以获得 Java 最新的信任库。
- 使用 public SSL (steps). 手动更新 Java 信任库
但上面没有任何效果。
最后,通过绕过以下命令末尾的 -noCertificateCheck,我能够从从属服务器连接到主服务器:
java -jar agent.jar -jnlpUrl https://example.com/computer/windows_slave/jenkins-agent.jnlp -secret [secret] -noCertificateCheck