- Type: Bug
- Resolution: Unresolved
- Priority: Major
- Component/s: hashicorp-vault-plugin
- Environment: Docker Image on Kubernetes Deployment
  Jenkins >= 2.279 (custom CASC Image based on jenkins/jenkins:2.279)
  hashicorp-vault-plugin:3.7.0
  configuration-as-code:1.47
`hashicorp-vault-plugin` denies the self-signed CA from our own Vault deployment on startup with CASC config.
The Vault config is passed via CASC_VAULT_FILE as described here.
Our CAs are installed via `update-ca-certificates`.
I have also installed curl on the same Docker image. Curl trusts the CA from our Vault instance.
The issue first started with the upgrade to Jenkins 2.279. Rollback to 2.278 fixes the issue for now.
Exception:
2021-02-16 16:16:15.673+0000 [id=1] INFO o.e.j.s.handler.ContextHandler#doStart: Started w.@24f43aa3{Jenkins v2.280,/,file:///var/jenkins_home/war/,AVAILABLE}{/var/jenkins_home/war}
2021-02-16 16:16:15.688+0000 [id=1] INFO o.e.j.server.AbstractConnector#doStart: Started ServerConnector@29d80d2b{HTTP/1.1, (http/1.1)}{0.0.0.0:8080}
2021-02-16 16:16:15.688+0000 [id=1] INFO org.eclipse.jetty.server.Server#doStart: Started @2153ms
2021-02-16 16:16:15.691+0000 [id=22] INFO winstone.Logger#logInternal: Winstone Servlet Engine running: controlPort=disabled
2021-02-16 16:16:16.796+0000 [id=29] INFO jenkins.InitReactorRunner$1#onAttained: Started initialization
2021-02-16 16:16:17.227+0000 [id=28] INFO hudson.PluginManager#considerDetachedPlugin: Loading a detached plugin as a dependency: /var/jenkins_home/plugins/command-launcher.jpi
2021-02-16 16:16:17.234+0000 [id=28] INFO hudson.PluginManager#considerDetachedPlugin: Loading a detached plugin as a dependency: /var/jenkins_home/plugins/jdk-tool.jpi
2021-02-16 16:16:17.497+0000 [id=30] WARNING hudson.ClassicPluginStrategy#createClassJarFromWebInfClasses: Created /var/jenkins_home/plugins/cloudbees-credentials/WEB-INF/lib/classes.jar; update plugin to a version created with a newer harness
2021-02-16 16:16:17.500+0000 [id=30] INFO hudson.PluginManager#considerDetachedPlugin: Loading a detached plugin as a dependency: /var/jenkins_home/plugins/matrix-auth.jpi
2021-02-16 16:16:17.509+0000 [id=30] INFO hudson.PluginManager#considerDetachedPlugin: Loading a detached plugin as a dependency: /var/jenkins_home/plugins/windows-slaves.jpi
2021-02-16 16:16:18.566+0000 [id=27] WARNING hudson.ClassicPluginStrategy#createClassJarFromWebInfClasses: Created /var/jenkins_home/plugins/job-dsl/WEB-INF/lib/classes.jar; update plugin to a version created with a newer harness
2021-02-16 16:16:19.638+0000 [id=28] INFO jenkins.InitReactorRunner$1#onAttained: Listed all plugins
2021-02-16 16:16:24.165+0000 [id=28] INFO jenkins.InitReactorRunner$1#onAttained: Prepared all plugins
2021-02-16 16:16:24.171+0000 [id=31] INFO jenkins.InitReactorRunner$1#onAttained: Started all plugins
2021-02-16 16:16:25.313+0000 [id=31] INFO jenkins.InitReactorRunner$1#onAttained: Augmented all extensions
2021-02-16 16:16:25.364+0000 [id=34] INFO jenkins.InitReactorRunner$1#onAttained: System config loaded
2021-02-16 16:16:25.929+0000 [id=32] WARNING c.d.j.v.j.s.VaultSecretSource#init: Could not authenticate with vault client
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
Caused: sun.security.validator.ValidatorException: PKIX path building failed
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:265)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
Caused: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1143)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1054)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1340)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1315)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:264)
at com.bettercloud.vault.rest.Rest.postOrPutImpl(Rest.java:399)
Caused: com.bettercloud.vault.rest.RestException
at com.bettercloud.vault.rest.Rest.postOrPutImpl(Rest.java:416)
at com.bettercloud.vault.rest.Rest.post(Rest.java:306)
at com.bettercloud.vault.api.Auth.loginByAppRole(Auth.java:518)
Caused: com.bettercloud.vault.VaultException
at com.bettercloud.vault.api.Auth.loginByAppRole(Auth.java:544)
at com.datapipe.jenkins.vault.jcasc.secrets.VaultAppRoleAuthenticator.authenticate(VaultAppRoleAuthenticator.java:25)
at com.datapipe.jenkins.vault.jcasc.secrets.VaultSecretSource.init(VaultSecretSource.java:241)
at java.util.ArrayList.forEach(ArrayList.java:1259)
at io.jenkins.plugins.casc.ConfigurationAsCode.configureWith(ConfigurationAsCode.java:733)
at io.jenkins.plugins.casc.ConfigurationAsCode.configureWith(ConfigurationAsCode.java:614)
at io.jenkins.plugins.casc.ConfigurationAsCode.configure(ConfigurationAsCode.java:298)
at io.jenkins.plugins.casc.ConfigurationAsCode.init(ConfigurationAsCode.java:290)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:104)
at hudson.init.TaskMethodFinder$TaskImpl.run(TaskMethodFinder.java:175)
at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:296)
at jenkins.model.Jenkins$5.runTask(Jenkins.java:1131)
at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:214)
at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117)
at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:68)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
2021-02-16 16:16:25.978+0000 [id=32] WARNING c.d.j.v.j.s.VaultSecretSource#readSecretsFromVault: Unable to fetch secret from Vault
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
Caused: sun.security.validator.ValidatorException: PKIX path building failed
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:265)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
Caused: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:149)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1143)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1054)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:394)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:352)
at com.bettercloud.vault.rest.Rest.connectionStatus(Rest.java:543)
at com.bettercloud.vault.rest.Rest.get(Rest.java:282)
Caused: com.bettercloud.vault.rest.RestException
at com.bettercloud.vault.rest.Rest.get(Rest.java:288)
at com.bettercloud.vault.api.Logical.read(Logical.java:94)
Caused: com.bettercloud.vault.VaultException
at com.bettercloud.vault.api.Logical.read(Logical.java:120)
at com.bettercloud.vault.api.Logical.read(Logical.java:76)
at com.datapipe.jenkins.vault.jcasc.secrets.VaultSecretSource.readSecretsFromVault(VaultSecretSource.java:176)
at com.datapipe.jenkins.vault.jcasc.secrets.VaultSecretSource.init(VaultSecretSource.java:247)
at java.util.ArrayList.forEach(ArrayList.java:1259)
at io.jenkins.plugins.casc.ConfigurationAsCode.configureWith(ConfigurationAsCode.java:733)
at io.jenkins.plugins.casc.ConfigurationAsCode.configureWith(ConfigurationAsCode.java:614)
at io.jenkins.plugins.casc.ConfigurationAsCode.configure(ConfigurationAsCode.java:298)
at io.jenkins.plugins.casc.ConfigurationAsCode.init(ConfigurationAsCode.java:290)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at hudson.init.TaskMethodFinder.invoke(TaskMethodFinder.java:104)
at hudson.init.TaskMethodFinder$TaskImpl.run(TaskMethodFinder.java:175)
at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:296)
at jenkins.model.Jenkins$5.runTask(Jenkins.java:1131)
at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:214)
at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117)
at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:68)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
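
A diagnostic for the situation in this report, added here as an example (not code from the reporter or from the plugin): curl validates against the OS CA bundle that `update-ca-certificates` maintains, while the JSSE trust manager in the trace validates against the trust store the JVM loads, so the two can disagree about the same CA. The class name `TrustStoreCheck` and the CA PEM path passed as its argument are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreCheck {
    /** True if the JVM's default trust managers hold caCert as a trust anchor. */
    static boolean jvmTrusts(X509Certificate caCert) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // null selects the JVM default: -Djavax.net.ssl.trustStore if set, else the bundled cacerts
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate anchor : ((X509TrustManager) tm).getAcceptedIssuers()) {
                if (anchor.equals(caCert)) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java TrustStoreCheck <ca.pem>"); // path is an assumption
            System.exit(2);
        }
        System.out.println("java.home = " + System.getProperty("java.home"));
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));
        Collection<? extends Certificate> certs;
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            certs = CertificateFactory.getInstance("X.509").generateCertificates(in);
        }
        boolean allTrusted = !certs.isEmpty(); // an empty file counts as a failure
        for (Certificate c : certs) {
            X509Certificate x = (X509Certificate) c;
            boolean ok = jvmTrusts(x);
            allTrusted &= ok;
            System.out.println((ok ? "TRUSTED  " : "MISSING  ") + x.getSubjectX500Principal().getName());
        }
        System.exit(allTrusted ? 0 : 1);
    }
}
```

Run it with the same JVM and the same `-D` options that start Jenkins in the image; exit status 1 means at least one certificate in the file is not a trust anchor for that JVM.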