
Slave issue connecting to TFS - SSL Issue (Windows)

      Building remotely on
      node1
      in workspace C:\Builds\Jenkins\workspace\Foot_Driver
      Querying for remote changeset at '$/AEXX/' as of 'D2017-06-23T15:26:13Z'...
      FATAL: com.microsoft.tfs.core.exceptions.TECoreException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

      1. Upgraded Jenkins.
      2. Created a slave.
      3. Installed the latest JDK on the slave machine and launched the slave.
      4. When I tagged a job with the slave and ran it, I got the above error.
      5. Searched on Google and, as per the search, added the public cert of my target TFS to the Java keystore, which is in C:\Program Files (x86)\Java\jre1.8.0_131\lib\security\cacerts.
      6. It worked for 2 jobs. For some purpose I untagged the job and ran it on master, then tagged it back to the slave and ran it; the issue came back.
      7. Tried to add the cert again, but it prompted that the cert is already in the keystore.
      8. Uninstalled and reinstalled the slave and changed the Java version; no luck.

      Rest of the log below:

      sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
      at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
      at java.security.cert.CertPathBuilder.build(Unknown Source)
      Caused: sun.security.validator.ValidatorException: PKIX path building failed
      at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
      at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
      at sun.security.validator.Validator.validate(Unknown Source)
      at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
      at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
      at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
      at com.microsoft.tfs.core.config.httpclient.internal.DefaultX509TrustManager.checkServerTrusted(DefaultX509TrustManager.java:164)
      at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
      Caused: javax.net.ssl.SSLHandshakeException
      at sun.security.ssl.Alerts.getSSLException(Unknown Source)
      at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
      at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
      at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
      at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
      at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
      at sun.security.ssl.Handshaker.processLoop(Unknown Source)
      at sun.security.ssl.Handshaker.process_record(Unknown Source)
      at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
      at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
      at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
      at sun.security.ssl.AppOutputStream.write(Unknown Source)
      at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
      at java.io.BufferedOutputStream.flush(Unknown Source)
      at com.microsoft.tfs.core.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:541)
      at com.microsoft.tfs.core.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2260)
      at com.microsoft.tfs.core.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1202)
      at com.microsoft.tfs.core.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:432)
      at com.microsoft.tfs.core.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:182)
      at com.microsoft.tfs.core.httpclient.HttpClient.executeMethod(HttpClient.java:428)
      at com.microsoft.tfs.core.httpclient.HttpClient.executeMethod(HttpClient.java:343)
      at com.microsoft.tfs.core.ws.runtime.client.SOAPService.executeSOAPRequestInternal(SOAPService.java:545)
      Caused: com.microsoft.tfs.core.ws.runtime.exceptions.TransportException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at com.microsoft.tfs.core.ws.runtime.client.SOAPService.executeSOAPRequestInternal(SOAPService.java:674)
      at com.microsoft.tfs.core.ws.runtime.client.SOAPService.executeSOAPRequest(SOAPService.java:444)
      at ms.tfs.versioncontrol.clientservices._03._RepositorySoap12Service.queryHistory(_RepositorySoap12Service.java:1503)
      at com.microsoft.tfs.core.clients.versioncontrol.internal.WebServiceLayer.queryHistory(WebServiceLayer.java:1573)
      at com.microsoft.tfs.core.clients.versioncontrol.internal.WebServiceLayerLocalWorkspaces.queryHistory(WebServiceLayerLocalWorkspaces.java:1254)
      at com.microsoft.tfs.core.clients.versioncontrol.VersionControlClient.queryHistory(VersionControlClient.java:4264)
      at hudson.plugins.tfs.model.MockableVersionControlClient.queryHistory(MockableVersionControlClient.java:254)
      at hudson.plugins.tfs.commands.RemoteChangesetVersionCommand.call(RemoteChangesetVersionCommand.java:65)
      at hudson.plugins.tfs.commands.RemoteChangesetVersionCommand.call(RemoteChangesetVersionCommand.java:33)
      at hudson.remoting.UserRequest.perform(UserRequest.java:153)
      at hudson.remoting.UserRequest.perform(UserRequest.java:50)
      at hudson.remoting.Request$2.run(Request.java:336)
      at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:68)
      at java.util.concurrent.FutureTask.run(Unknown Source)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
      at hudson.remoting.Engine$1$1.run(Engine.java:94)
      at java.lang.Thread.run(Unknown Source)
      Caused: com.microsoft.tfs.core.exceptions.TECoreException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at com.microsoft.tfs.core.exceptions.mappers.TECoreExceptionMapper.map(TECoreExceptionMapper.java:92)
      at com.microsoft.tfs.core.exceptions.mappers.VersionControlExceptionMapper.map(VersionControlExceptionMapper.java:43)
      at com.microsoft.tfs.core.clients.versioncontrol.internal.WebServiceLayer.queryHistory(WebServiceLayer.java:1589)
      at com.microsoft.tfs.core.clients.versioncontrol.internal.WebServiceLayerLocalWorkspaces.queryHistory(WebServiceLayerLocalWorkspaces.java:1254)
      at com.microsoft.tfs.core.clients.versioncontrol.VersionControlClient.queryHistory(VersionControlClient.java:4264)
      at hudson.plugins.tfs.model.MockableVersionControlClient.queryHistory(MockableVersionControlClient.java:254)
      at hudson.plugins.tfs.commands.RemoteChangesetVersionCommand.call(RemoteChangesetVersionCommand.java:65)
      at hudson.plugins.tfs.commands.RemoteChangesetVersionCommand.call(RemoteChangesetVersionCommand.java:33)
      at hudson.remoting.UserRequest.perform(UserRequest.java:153)
      at hudson.remoting.UserRequest.perform(UserRequest.java:50)
      at hudson.remoting.Request$2.run(Request.java:336)
      at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:68)
      at java.util.concurrent.FutureTask.run(Unknown Source)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
      at hudson.remoting.Engine$1$1.run(Engine.java:94)
      at java.lang.Thread.run(Unknown Source)
      at ......remote call to JNLP4-connect connection from cmddbz73rd2-nr.brc.gbl/172.20.77.135:64067(Native Method)
      at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1545)
      at hudson.remoting.UserResponse.retrieve(UserRequest.java:253)
      at hudson.remoting.Channel.call(Channel.java:830)
      at hudson.plugins.tfs.model.Server.execute(Server.java:222)
      Caused: java.lang.RuntimeException
      at hudson.plugins.tfs.model.Server.execute(Server.java:226)
      at hudson.plugins.tfs.model.Project.extractChangesetNumber(Project.java:275)
      at hudson.plugins.tfs.model.Project.getRemoteChangesetVersion(Project.java:271)
      at hudson.plugins.tfs.model.Project.getRemoteChangesetVersion(Project.java:287)
      at hudson.plugins.tfs.TeamFoundationServerScm.recordWorkspaceChangesetVersion(TeamFoundationServerScm.java:359)
      at hudson.plugins.tfs.TeamFoundationServerScm.checkout(TeamFoundationServerScm.java:308)
      at hudson.model.AbstractProject.checkout(AbstractProject.java:1281)
      at hudson.model.AbstractBuild$AbstractBuildExecution.defaultCheckout(AbstractBuild.java:604)
      at jenkins.scm.SCMCheckoutStrategy.checkout(SCMCheckoutStrategy.java:86)
      at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:529)
      at hudson.model.Run.execute(Run.java:1728)
      at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
      at hudson.model.ResourceController.execute(ResourceController.java:98)
      at hudson.model.Executor.run(Executor.java:405)

          [JENKINS-45113] Slave issue connecting to TFS - SSL Issue (Windows)

          kumar tfs added a comment -

          Before I do that, I have a few questions and a few observations.

          1. I have not added any cert to my Master, and it is working fine, so why is it required on the slave box?
          2. I used SSLPoke to see if the SSL connectivity is working on both Master and slave. What I noticed is that on the master (where SSL is working fine), I see in ServerHello

          "Extension renegotiation_info, renegotiated_connection: <empty>"

          whereas on the non-working slave, I see it as

          "Warning: No renegotiation indication extension in ServerHello"

          3. When I used OpenSSL to import the cert from the target server, along with the cert I see the message below. Does it have an impact?

          :verify error:num=20:unable to get local issuer certificate
          verify return:0 "


          kumar tfs added a comment -

          I added the chain of certs to the cacerts in the JRE. Here are the things I noticed: when I installed Java, I got 2 folders, one with the JRE and one with the JDK, and the JDK has its own JRE under it.
          1) The job started working randomly, so I added the certs to 2 locations of Java (JDK and JRE).
          2) I am getting this SSL issue only on upgraded JDK boxes (Windows), but not on first-time JDK boxes.
          3) Now I am again having issues randomly; to resolve this SSL issue, I need to restart the Jenkins slave. Not sure what is causing this.


          kumar tfs added a comment -

          By adding all the certs in the chain to the cacerts, the issue got resolved.

          1. Get the list of all certs in the chain by using (replace your domain with google.com):

          openssl s_client -host google.com -port 443 -prexit -showcerts

          2. Copy each cert into a separate .pem file, e.g. VS_cert1.pem, VS_cert2.pem

          3. Import all the certs into the Java cacerts:
          keytool -import -alias VS1 -file "C:\Users\xxxx\Desktop\Temp\VS_cert1.pem" -keystore "C:\Program Files (x86)\Java\jre1.8.0_131\lib\security\cacerts"
          keytool -import -alias VS2 -file "C:\Users\xxxx\Desktop\Temp\VS_cert2.pem" -keystore "C:\Program Files (x86)\Java\jre1.8.0_131\lib\security\cacerts"

          4. Bounce the service.
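
Steps 1 to 3 of the comment above as an added example (not part of the original comment or of any Jenkins or TFS plugin code): it splits saved `-showcerts` output into one PEM file per certificate and builds the `keytool -import` command for every `cacerts` found under a Java install root, since the earlier comment notes that the JDK carries its own JRE. The function names, the constructed `SAMPLE` input and the `JAVA_ROOT` value are assumptions for illustration.

```python
import base64, hashlib, re, subprocess
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def split_chain(s_client_output):
    """One DER blob per certificate, in the order the server sent them."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(s_client_output)]

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def fingerprint(der):
    """SHA-256 of the DER bytes as colon-separated hex, to compare with `keytool -list -v`."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def find_keystores(java_root):
    """Every cacerts below java_root; a JDK carries its own jre/lib/security/cacerts."""
    root = Path(java_root)
    return sorted(p for p in root.rglob("cacerts") if p.is_file()) if root.is_dir() else []

def import_commands(ders, keystores, out_dir, prefix="VS"):
    """Write <prefix>_cert<N>.pem per certificate; return one keytool argv per (cert, keystore)."""
    cmds = []
    for n, der in enumerate(ders, start=1):
        pem = Path(out_dir) / f"{prefix}_cert{n}.pem"
        pem.write_text(to_pem(der))
        for ks in keystores:
            cmds.append(["keytool", "-import", "-alias", f"{prefix}{n}",
                         "-file", str(pem), "-keystore", str(ks)])
    return cmds

# Constructed stand-in for saved `openssl s_client ... -showcerts` output.
# The blobs are placeholder bytes, not real certificates.
SAMPLE = ("Certificate chain\n 0 s:/CN=tfs.example.invalid\n" + to_pem(b"constructed-leaf" * 8)
          + " 1 s:/CN=Example Issuing CA\n" + to_pem(b"constructed-issuer" * 8))

if __name__ == "__main__":
    JAVA_ROOT = r"C:\Program Files (x86)\Java"  # assumed parent of the jre1.8.0_131 folder
    ders = split_chain(SAMPLE)
    for n, der in enumerate(ders, start=1):
        print(n, fingerprint(der))
    for cmd in import_commands(ders, find_keystores(JAVA_ROOT), "."):
        print(subprocess.list2cmdline(cmd))
```

Compare the printed fingerprints with the output of `keytool -list -v` for each keystore to see which of them already hold a given certificate.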
