SSL problem in jenkins-slave jobs with kubernetes

SSL problem in jenkins-slave jobs with kubernetes

dev null
Hello all, I have a Jenkins master on premise and I want to execute jobs in a GCP Kubernetes cluster with a jenkins-slave image.
I have a problem with SSL, the pod error log says:


NAME                READY   STATUS    RESTARTS   AGE
jenkins-pod-1r6g1   1/2     Error     0          3m


Mar 13, 2019 3:33:42 PM hudson.remoting.jnlp.Main createEngine
INFO: Setting up agent: jenkins-pod-zwp9s
Mar 13, 2019 3:33:42 PM hudson.remoting.jnlp.Main$CuiListener <init>
INFO: Jenkins agent is running in headless mode.
Mar 13, 2019 3:33:43 PM hudson.remoting.Engine startEngine
INFO: Using Remoting version: 3.28
Mar 13, 2019 3:33:43 PM hudson.remoting.Engine startEngine
WARNING: No Working Directory. Using the legacy JAR Cache location: /home/jenkins/.jenkins/cache/jars
Mar 13, 2019 3:33:43 PM hudson.remoting.jnlp.Main$CuiListener status
INFO: Locating server among [https://myhost.com:8443/]
Mar 13, 2019 3:33:44 PM hudson.remoting.jnlp.Main$CuiListener error
SEVERE: Failed to connect to https://myhost.com:8443/tcpSlaveAgentListener/: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
java.io.IOException: Failed to connect to https://myhost.com:8443/tcpSlaveAgentListener/: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver.resolve(JnlpAgentEndpointResolver.java:197)
        at hudson.remoting.Engine.innerRun(Engine.java:523)
        at hudson.remoting.Engine.run(Engine.java:474)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)
        at org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver.resolve(JnlpAgentEndpointResolver.java:194)
        ... 2 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
        at sun.security.validator.Validator.validate(Validator.java:262)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
        ... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
        ... 19 more

I have read a lot of documentation and I have tried everything without success:

* Parameters -Dcom.sun.net.ssl.checkRevocation=false and -noCertificateCheck in the "Arguments to pass to the command" box of the Kubernetes plugin
* I have built my own image, importing my certificate and my intermediate certificate into /docker-java-home/jre/lib/security/cacerts. If I use keytool to list certificates, I see my imported certificates.
In fact, if I test jenkins-cli.jar manually in the pod, it works fine:

# java -jar jenkins-cli.jar -s https://myhost.com:8443 -auth user:pass
  add-job-to-view
    Adds jobs to view.
  build
    Builds a job, and optionally waits until its completion.
  cancel-quiet-down
[...]

I followed https://support.cloudbees.com/hc/en-us/articles/218097237-How-to-troubleshoot-JNLP-slaves-connection-issues-with-Jenkins- (How to troubleshoot JNLP slaves connection issues with Jenkins?)
All tests work fine.

Also, I enabled the "Use browser for metadata download" box in global security.

I attach my Kubernetes plugin configuration; the test connection works fine.

Can someone help me please? Thank you so much.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/2ae6d5a1-5f65-4615-a649-d45e7a2b8645%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

jenkins-1.png (70K)
jenkins-2.png (45K)
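
The post above edits one cacerts file and tests from a shell in the pod, while the failing handshake happens inside the agent's own JVM. The following added sketch (not part of the original post or of Jenkins) resolves which truststore a given JVM consults under the JSSE default lookup order, so the file that was edited can be compared with the one the agent process reads. The function names are hypothetical and a Linux /proc filesystem is assumed.

```shell
#!/bin/sh
# Added example (function names are hypothetical). JSSE default truststore
# lookup order:
#   1. -Djavax.net.ssl.trustStore=<path>
#   2. <java.home>/lib/security/jssecacerts, if that file exists
#   3. <java.home>/lib/security/cacerts
# In a Java 8 JDK, java.home is the jre/ subdirectory.

# effective_truststore JAVA_DIR ARG... -> prints the truststore path
effective_truststore() {
    ts_home=$1; shift
    ts_override=
    for ts_arg in "$@"; do
        case $ts_arg in
            # a repeated -D flag: the last one wins
            -Djavax.net.ssl.trustStore=*)
                ts_override=${ts_arg#-Djavax.net.ssl.trustStore=} ;;
        esac
    done
    if [ -n "$ts_override" ]; then
        printf '%s\n' "$ts_override"; return 0
    fi
    if [ -d "$ts_home/jre/lib/security" ]; then ts_home=$ts_home/jre; fi
    if [ -f "$ts_home/lib/security/jssecacerts" ]; then
        printf '%s\n' "$ts_home/lib/security/jssecacerts"
    else
        printf '%s\n' "$ts_home/lib/security/cacerts"
    fi
}

# tls_check_disabled ARG... -> succeeds if -noCertificateCheck is present
tls_check_disabled() {
    for ts_arg in "$@"; do
        if [ "$ts_arg" = "-noCertificateCheck" ]; then return 0; fi
    done
    return 1
}

# truststore_of_pid PID -> same answer for a running java process (Linux /proc)
truststore_of_pid() {
    ts_pid=$1
    ts_exe=$(readlink -f "/proc/$ts_pid/exe") || return 1
    set --
    while IFS= read -r ts_arg; do set -- "$@" "$ts_arg"; done <<EOF
$(tr '\0' '\n' < "/proc/$ts_pid/cmdline")
EOF
    effective_truststore "${ts_exe%/bin/java}" "$@"
}
```

Run truststore_of_pid with the agent's java PID inside the container that runs the agent, then pass the printed path to keytool -list -keystore to confirm the imported certificates are in that file.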
Re: SSL problem in jenkins-slave jobs with kubernetes

dev null
Any ideas?

Thanks


On Thursday, March 14, 2019, 18:15:46 (UTC+1), dev null wrote: