unable to find valid certification path to requested target

It is always preferred to use https instead of http (specially when using passwords and so on…)

We have switched our SonarQube (tool for Continuous Inspection of code quality) to use https for security reasons. Anyway I have noticed that Jenkins stop sending new quality codes to our sonar. When I have checked the logs I have seen this stacktrace:

Exception in thread "main" java.lang.IllegalStateException: Fail to request server version
	at org.sonar.runner.Bootstrapper.getServerVersion(Bootstrapper.java:73)
	at org.sonar.runner.Runner.checkSonarVersion(Runner.java:220)
	at org.sonar.runner.Runner.execute(Runner.java:150)
	at org.sonar.runner.Main.execute(Main.java:84)
	at org.sonar.runner.Main.main(Main.java:56)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1584)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
	at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:848)
	at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
	at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
	at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:877)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1089)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1116)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1100)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:951)
	at java.net.URLConnection.getContent(URLConnection.java:682)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getContent(HttpsURLConnectionImpl.java:406)
	at org.sonar.runner.Bootstrapper.remoteContent(Bootstrapper.java:125)
	at org.sonar.runner.Bootstrapper.getServerVersion(Bootstrapper.java:71)
	... 4 more

So here you can see that Jenkins has problem to “handshake” ssl certificate.

follow these steps:

Download InstallCert.java

Search google – it originally was done in Sun, but you can find this program on google codes or somewhere else. You can even download binaries of this file.

Add Trusted Keystore

Run “InstallCert.java” on server (where you run your https service). something like java InstallCert localhost:443 -> press “1”  when asked. It will add your “localhost” as a trusted keystore, and generate a file named “jssecacerts“.

[user@sonar ~]$ java InstallCert localhost:443
Loading KeyStore /usr/java/jdk1.6.0_37/jre/lib/security/cacerts...
Opening connection to localhost:443...
Starting SSL handshake..
Server sent 1 certificate(s):
1 Subject CN=Unknown, OU=Unknown, O=Vendavo, L=Unknown, ST=Czech republic, C=CZ
Enter certificate to add to trusted keystore or 'q' to quit: [1]
1
Added certificate to keystore 'jssecacerts' using alias 'localhost-1'

I have removed most of the parts but the main parts are here:

a) press 1 when assked – you agree to add certificate for this domain into keystore

b) it created jssecacerts file

Verify Trusted Keystore

Run same command again 🙂  (this is full export – removed hashed data)

[mchowaniok@sonar ~]$ java InstallCert sonar.vmcz.vendavo.com:443
Loading KeyStore jssecacerts...
Opening connection to sonar.vmcz.vendavo.com:443...
Starting SSL handshake...
No errors, certificate is already trusted
Server sent 1 certificate(s):
1 Subject CN=Unknown, OU=Unknown, O=Vendavo, L=Unknown, ST=Czech republic, C=CZ
 Issuer CN=Unknown, OU=Unknown, O=Vendavo, L=Unknown, ST=Czech republic, C=CZ
 sha1 
 md5 
Enter certificate to add to trusted keystore or 'q' to quit: [1]
q
KeyStore not changed

Copy jssecacerts

copy jssecacerts file into java/jre/lib/security folder (I had to done it under sudo )

[user@sonar ~]$ sudo cp jssecacerts /usr/java/default/jre/lib/security/

Done

verify it 🙂   in my case, run Jenkins job and verify data are uploaded to Sonar.

Advertisements

Jenkins on openshift #3 – building repo from github or bitbucket

Next task I wanted to do is to create jenkins on openshift and be able to build projects from github or bitbucket. It sounds simple, but you will face quite a lot of issues. So let’s do it:

Create Jenkins gear

  • this creates gear called “jenkins” using jenkins-1 application and includes ssh wrapper “git-ssh” which helps you to overcome ssh obstacles (openshift forbids to write into .ssh folder) – as you will see we will have to solve this problem several times later as well

Set jenkins slave

jenkins needs other linux machines (called slaves) to use them for building, anyway we don’t have so much free gears, so we will use jenkins itself for it.

Manage Jenkins -> Configure System -> 
# of executors = 1
Labels = put here anything

Generate ssh key

Add public key (id_rsa.pub) to github & bitbucket

search github/ bitbucket how to do it 🙂

Add new Jenkins Job

  • in begining I mentioned that home folder is not writeable, so we are encountering several problems, like ssh can’t write into .ssh , maven can’t write into .m2 folder and so on. The only solution is to point all applications into writeable folder which is $OPENSHIFT_DATA_DIR
  • Because of the problem above, you can’t use standard maven jobs but you have to use “Build a free-style software project”
  • Source Code Management: git: your git url (i.e. git@bitbucket.org:majecek/testtest.git)
  • Build: (add Execute shell): enter:

  • this creates setings.xml file and when runing maven commands – you have to specify where is the settings file
  • check this site for more info
  • next step is to add hooks in github/bitbucket – so after push in repo they will trigger jenkins to create new build – again check it in github/bitbucke or this site

Feed Sonar with data from Jenkins

This was quite a problem. I have to admit that I didn’t finish it, but found solution. Here is another problem, sonar and specially it’s mysql runs on different gear and openshift by default don’t allow any connection between gears nor from outside.

  • install Sonar plugin into jenkins, add URL & jdbc url and all info needed
  • I had to add into Sonar Aditional properties: -DSONAR_USER_HOME=$OPENSHIFT_DATA_DIR
    • this is again, because sonar can’t write into home directory, so you have to point to writeable folder

Now you will face problem, that jenkins can’t connect to MYSQL DB – as said above, this is because gears can’t communicate to each other. There are 2 solutions:

  • set up SONAR as scaled application – scalled applications can communicate to each other
  • setup ssh port forwarding between applications

You can read more here.