SSL Issue - Jenkins slave connection issue with TFS

问题

1. Upgraded the Jenkins.
2. Created a slave.
3. Installed latest JDK on Slave machine and launched the slave.
4. when tagged a job with slave and ran it, getting above error ..
5. did search on google and as per search added public cert of my target TFS to the java keystore which is in C:\Program Files (x86)\Java\jre1.8.0_131\lib\security\cacerts.
6. it worked for 2 jobs, for some purpose i un tagged the job and ran on master , again i tagged it back to slave and ran it.. again the issue came back.
7. tried to add the cert again, but its prompted cert is already in keystore .. 7 did uninstall and re install of slave and changes JAVA version .. no luck.. rest of the log below5)

Building remotely on
node1
in workspace C:\Builds\Jenkins\workspace\Foot_Driver Querying for remote changeset at '$/AEXX/' as of 'D2017-06-23T15:26:13Z'... FATAL: com.microsoft.tfs.core.exceptions.TECoreException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested targe

回答1:

According to the error info sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested targe which clearly complains about certificate validation. This may due to when working on a client that works with an SSL enabled server running in https protocol.

Try to add -Djavax.net.ssl.trustStore location in jenkins-slave.xml and well as add jssecacerts to lib\security of java used for your Jenkins's slave to run.

More info about the error please take a look this blog--unable to find valid certification path to requested target

回答2:

By adding all the certs in the chain to the cacerts, issue got resolved.

1. Get all the list of certs in the chain by using (replace your domain with google.com)
   openssl s_client -host google.com -port 443 -prexit -showcerts
2. copy each certs in a seprate .pem file eg - VS_cert1.pem, VS_cert2.pem
3. import all the certs to the java cacerts
   keytool -import -alias VS1 -file "C:\Users\xxxx\Desktop\Temp\VS_cert1.pem" -keystore "C:\Program Files (x86)\Java\jre1.8.0_131\lib\security\cacerts"
   keytool -import -alias VS2 -file "C:\Users\xxxx\Desktop\Temp\VS_cert2.pem" -keystore "C:\Program Files (x86)\Java\jre1.8.0_131\lib\security\cacerts"
4. Bounce the service.

来源：https://stackoverflow.com/questions/44728080/ssl-issue-jenkins-slave-connection-issue-with-tfs