unable to find valid certification path to requested target
Posted: March 13, 2014 Filed under: java, Linux, programing | Tags: certificate, InstallCert.java, java, jenkins, jssecacerts, keystore, sonar, SonarQube, ssl Leave a commentIt is always preferred to use https instead of http (specially when using passwords and so on…)
We have switched our SonarQube (tool for Continuous Inspection of code quality) to use https for security reasons. Anyway I have noticed that Jenkins stop sending new quality codes to our sonar. When I have checked the logs I have seen this stacktrace:
Exception in thread "main" java.lang.IllegalStateException: Fail to request server version at org.sonar.runner.Bootstrapper.getServerVersion(Bootstrapper.java:73) at org.sonar.runner.Runner.checkSonarVersion(Runner.java:220) at org.sonar.runner.Runner.execute(Runner.java:150) at org.sonar.runner.Main.execute(Main.java:84) at org.sonar.runner.Main.main(Main.java:56) Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1584) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168) at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848) at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106) at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495) at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:877) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1089) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1116) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1100) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:951) at java.net.URLConnection.getContent(URLConnection.java:682) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getContent(HttpsURLConnectionImpl.java:406) at org.sonar.runner.Bootstrapper.remoteContent(Bootstrapper.java:125) at org.sonar.runner.Bootstrapper.getServerVersion(Bootstrapper.java:71) ... 4 more
So here you can see that Jenkins has problem to “handshake” ssl certificate.
follow these steps:
Download InstallCert.java
Search google – it originally was done in Sun, but you can find this program on google codes or somewhere else. You can even download binaries of this file.
Add Trusted Keystore
Run “InstallCert.java” on server (where you run your https service). something like java InstallCert localhost:443 -> press “1” when asked. It will add your “localhost” as a trusted keystore, and generate a file named “jssecacerts“.
[user@sonar ~]$ java InstallCert localhost:443 Loading KeyStore /usr/java/jdk1.6.0_37/jre/lib/security/cacerts... Opening connection to localhost:443... Starting SSL handshake.. Server sent 1 certificate(s): 1 Subject CN=Unknown, OU=Unknown, O=Vendavo, L=Unknown, ST=Czech republic, C=CZ Enter certificate to add to trusted keystore or 'q' to quit: [1] 1 Added certificate to keystore 'jssecacerts' using alias 'localhost-1'
I have removed most of the parts but the main parts are here:
a) press 1 when assked – you agree to add certificate for this domain into keystore
b) it created jssecacerts file
Verify Trusted Keystore
Run same command again 🙂 (this is full export – removed hashed data)
[mchowaniok@sonar ~]$ java InstallCert sonar.vmcz.vendavo.com:443 Loading KeyStore jssecacerts... Opening connection to sonar.vmcz.vendavo.com:443... Starting SSL handshake... No errors, certificate is already trusted Server sent 1 certificate(s): 1 Subject CN=Unknown, OU=Unknown, O=Vendavo, L=Unknown, ST=Czech republic, C=CZ Issuer CN=Unknown, OU=Unknown, O=Vendavo, L=Unknown, ST=Czech republic, C=CZ sha1 md5 Enter certificate to add to trusted keystore or 'q' to quit: [1] q KeyStore not changed
Copy jssecacerts
copy jssecacerts file into java/jre/lib/security folder (I had to done it under sudo )
[user@sonar ~]$ sudo cp jssecacerts /usr/java/default/jre/lib/security/
Done
verify it 🙂 in my case, run Jenkins job and verify data are uploaded to Sonar.
Jenkins on openshift #3 – building repo from github or bitbucket
Posted: December 16, 2013 Filed under: java, Linux, Mac, programing | Tags: bitbucket, git, github, jenkins, openshift, SonarQube, ssh Leave a commentNext task I wanted to do is to create jenkins on openshift and be able to build projects from github or bitbucket. It sounds simple, but you will face quite a lot of issues. So let’s do it:
Create Jenkins gear
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rhc create-app jenkins jenkins-1 "https://cartreflect-claytondev.rhcloud.com/reflect?github=majecek/openshift-community-git-ssh" |
- this creates gear called “jenkins” using jenkins-1 application and includes ssh wrapper “git-ssh” which helps you to overcome ssh obstacles (openshift forbids to write into .ssh folder) – as you will see we will have to solve this problem several times later as well
Set jenkins slave
jenkins needs other linux machines (called slaves) to use them for building, anyway we don’t have so much free gears, so we will use jenkins itself for it.
Manage Jenkins -> Configure System -> # of executors = 1 Labels = put here anything
Generate ssh key
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cd app-root/data/git-ssh/ | |
ssh-keygen (name your key as id_rsa – git-ssh will look there for it) | |
and set full path for new key (i.e. /var/lib/openshift/52ab37d0500446f3d30000ee/app-root/data/git-ssh/id_rsa) |
Add public key (id_rsa.pub) to github & bitbucket
search github/ bitbucket how to do it 🙂
Add new Jenkins Job
- in begining I mentioned that home folder is not writeable, so we are encountering several problems, like ssh can’t write into .ssh , maven can’t write into .m2 folder and so on. The only solution is to point all applications into writeable folder which is $OPENSHIFT_DATA_DIR
- Because of the problem above, you can’t use standard maven jobs but you have to use “Build a free-style software project”
- Source Code Management: git: your git url (i.e. git@bitbucket.org:majecek/testtest.git)
- Build: (add Execute shell): enter:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cd $OPENSHIFT_DATA_DIR | |
echo -e "<settings><localRepository>$OPENSHIFT_DATA_DIR/.m2</localRepository></settings>" > settings.xml | |
cd $WORKSPACE | |
mvn clean compile test package -s $OPENSHIFT_DATA_DIR/settings.xml |
- this creates setings.xml file and when runing maven commands – you have to specify where is the settings file
- check this site for more info
- next step is to add hooks in github/bitbucket – so after push in repo they will trigger jenkins to create new build – again check it in github/bitbucke or this site
Feed Sonar with data from Jenkins
This was quite a problem. I have to admit that I didn’t finish it, but found solution. Here is another problem, sonar and specially it’s mysql runs on different gear and openshift by default don’t allow any connection between gears nor from outside.
- install Sonar plugin into jenkins, add URL & jdbc url and all info needed
- I had to add into Sonar Aditional properties: -DSONAR_USER_HOME=$OPENSHIFT_DATA_DIR
- this is again, because sonar can’t write into home directory, so you have to point to writeable folder
Now you will face problem, that jenkins can’t connect to MYSQL DB – as said above, this is because gears can’t communicate to each other. There are 2 solutions:
- set up SONAR as scaled application – scalled applications can communicate to each other
- setup ssh port forwarding between applications
You can read more here.