Hello, When I try updating plugins, the very first plugin gets downloaded successfully, but the subsequent ones fail to download.
According to *Details* the SSL handshake fails due to a certificate error:

[...]
Caused: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
    at java.base/sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1963)
    at java.base/sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1958)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1957)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1525)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1509)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:245)
    at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1277)
Caused: java.io.IOException: Failed to load https://updates.jenkins.io/download/plugins/antisamy-markup-formatter/2.5/antisamy-markup-formatter.hpi to /home/jenkins/Jenkins/DATA/plugins/antisamy-markup-formatter.jpi.tmp
    at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1284)
Caused: java.io.IOException: Failed to download from https://updates.jenkins.io/download/plugins/antisamy-markup-formatter/2.5/antisamy-markup-formatter.hpi (redirected to: https://get.jenkins.io/plugins/antisamy-markup-formatter/2.5/antisamy-markup-formatter.hpi)
[...]

I don't really see why I get a certificate error for the other downloads if the first one was successful.

I turned on SSL handshake logging at Java level (-Djavax.net.debug=ssl:handshake), and the log shows that the download request for the first plugin was sent to
- updates.jenkins.io, having a proper certificate chain, and the request gets redirected to
- get.jenkins.io, also having a proper certificate chain, and redirecting the request to
- mirror site mirror.gruenehoelle.nl
and the download succeeded.

However, I was not able to track down the requests for the subsequent plugins; all I could find is that the SSL handshake failed on this certificate:

javax.net.ssl|DEBUG|4C|Update center installer thread [#1]|2021-11-19 17:27:28.618 CET|CertificateMessage.java:1148|Consuming server Certificate handshake message (
"Certificate": {
  "certificate_request_context": "",
  "certificate_list": [
  {
    "certificate" : {
      "version" : "v3",
      "serial number" : "23 20 37 D2 97 B4 6A DB E3 CA 51 43 0D F9 9E F3",
      "signature algorithm": "SHA256withRSA",
      *"issuer" : "CN=Kubernetes Ingress Controller Fake Certificate, O=Acme Co"*,
      "not before" : "2021-11-18 16:23:38.000 CET",
      "not after" : "2022-11-18 16:23:38.000 CET",
      *"subject" : "CN=Kubernetes Ingress Controller Fake Certificate, O=Acme Co"*,
      "subject public key" : "RSA",
      "extensions" : [
        {
          ObjectId: 2.5.29.19 Criticality=true
          BasicConstraints:[
            CA:false
            PathLen: undefined
          ]
        },
        {
          ObjectId: 2.5.29.37 Criticality=false
          ExtendedKeyUsages [
            serverAuth
          ]
        },
        {
          ObjectId: 2.5.29.15 Criticality=true
          KeyUsage [
            DigitalSignature
            Key_Encipherment
          ]
        },
        {
          ObjectId: 2.5.29.17 Criticality=false
          SubjectAlternativeName [
            DNSName: ingress.local
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
]
}
)
javax.net.ssl|DEBUG|4C|Update center installer thread [#1]|2021-11-19 17:27:28.618 CET|SSLExtensions.java:148|Ignore unavailable extension: status_request
javax.net.ssl|ERROR|4C|Update center installer thread [#1]|2021-11-19 17:27:28.630 CET|TransportContext.java:313|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
"throwable" : {
  sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:290)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:321)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1313)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1204)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1151)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:178)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.followRedirect0(HttpURLConnection.java:2768)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.followRedirect(HttpURLConnection.java:2680)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1843)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1509)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:3084)
    at java.base/java.net.URLConnection.getHeaderFieldLong(URLConnection.java:636)
    at java.base/java.net.URLConnection.getContentLengthLong(URLConnection.java:508)
    at java.base/java.net.URLConnection.getContentLength(URLConnection.java:492)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getContentLength(HttpsURLConnectionImpl.java:389)
    at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1261)
    at hudson.model.UpdateCenter$DownloadJob._run(UpdateCenter.java:1872)
    at hudson.model.UpdateCenter$InstallationJob._run(UpdateCenter.java:2167)
    at hudson.model.UpdateCenter$DownloadJob.run(UpdateCenter.java:1846)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at hudson.remoting.AtmostOneThreadExecutor$Worker.run(AtmostOneThreadExecutor.java:121)
    at java.base/java.lang.Thread.run(Thread.java:834)
  Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 35 more}

Does anyone have any idea what this might be? This issue is really annoying, I can upgrade plugins only one by one, restarting Jenkins after each plugin upgrade.

My Jenkins version is 2.303.3 (LTS).
java.runtime.version: 11.0.1+13-LTS (but I've also tried it on latest openjdk-11 with the same result).

I've also created a standalone Java application downloading the same plugins from updates.jenkins.io using simple HttpsURLConnection calls. All plugins were successfully downloaded. There was always a redirect to get.jenkins.io and then to a mirror site, and the certificates were always correct. I could not reproduce the issue with this test application using the exact same JRE as used for the Jenkins, indicating the JRE has the correct CA certificates in its keystore.

According to Google, Kubernetes Ingress is a load balancing/networking tool, and the certificate above is its factory default certificate, which is intended to be replaced. I'm pretty sure we do not use Kubernetes Ingress on our servers.

Any idea about how to solve this issue would be appreciated.

--
Tamas
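
Added example, not part of the original post: a small Python parser for -Djavax.net.debug=ssl:handshake output that pairs each server certificate with the SNI host name sent on the same thread, so the host that returned a self-issued certificate can be identified. The sample log is constructed; its server_name lines, mirror.example.org and the issuing CA name are assumptions.

```python
import re

# Constructed, abbreviated sample in the JDK 11 debug layout; the host_name
# lines and mirror.example.org are assumptions, not values from the post.
SAMPLE_LOG = '''\
javax.net.ssl|DEBUG|4C|Update center installer thread [#1]|2021-11-19 17:27:27.100 CET|ClientHello.java:653|Produced ClientHello handshake message (
      type=host_name (0), value=updates.jenkins.io
javax.net.ssl|DEBUG|4C|Update center installer thread [#1]|2021-11-19 17:27:27.300 CET|CertificateMessage.java:1148|Consuming server Certificate handshake message (
      "issuer"             : "CN=Example Issuing CA, O=Example Trust",
      "subject"            : "CN=updates.jenkins.io",
          DNSName: updates.jenkins.io
javax.net.ssl|DEBUG|4C|Update center installer thread [#1]|2021-11-19 17:27:28.400 CET|ClientHello.java:653|Produced ClientHello handshake message (
      type=host_name (0), value=mirror.example.org
javax.net.ssl|DEBUG|4C|Update center installer thread [#1]|2021-11-19 17:27:28.618 CET|CertificateMessage.java:1148|Consuming server Certificate handshake message (
      "issuer"             : "CN=Kubernetes Ingress Controller Fake Certificate, O=Acme Co",
      "subject"            : "CN=Kubernetes Ingress Controller Fake Certificate, O=Acme Co",
          DNSName: ingress.local
'''

# Record header: logger|level|thread id|thread name|timestamp|source|message
HEADER = re.compile(r'^javax\.net\.ssl\|\w+\|\w+\|(?P<thread>[^|]*)\|(?P<ts>[^|]*)\|[^|]*\|(?P<msg>.*)$')
SNI = re.compile(r'type=host_name \(0\), value=(\S+)')
FIELD = re.compile(r'"(issuer|subject)"\s*:\s*"([^"]*)"')
SAN = re.compile(r'DNSName:\s*(\S+)')

def covers(san, host):
    # Exact match, or a single-label wildcard such as *.jenkins.io
    return san == host or (san.startswith('*.') and host.split('.', 1)[-1] == san[2:])

def handshakes(log):
    sni, cur, out, thread = {}, None, [], None
    for line in log.splitlines():
        h = HEADER.match(line)
        if h:
            thread, cur = h['thread'], None
            if 'Consuming server Certificate' in h['msg']:
                cur = {'time': h['ts'], 'sni': sni.get(thread),
                       'issuer': None, 'subject': None, 'sans': []}
                out.append(cur)
        elif (m := SNI.search(line)):
            sni[thread] = m.group(1)        # last host name requested on this thread
        elif cur is not None:
            f = FIELD.search(line)
            if f and cur[f.group(1)] is None:   # first pair is the leaf certificate
                cur[f.group(1)] = f.group(2)
            cur['sans'] += SAN.findall(line)
    return out

def suspicious(log):
    # Self-issued leaf, or no SAN covering the host name that was requested.
    return [h for h in handshakes(log) if h['issuer'] == h['subject']
            or (h['sni'] and not any(covers(s, h['sni']) for s in h['sans']))]
```

Run over a real debug log, the 'sni' field of each flagged entry names the host the JVM was talking to when the unexpected certificate arrived.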