Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-65507

Unable to connect to gitlab server (certificate issue)

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Labels:
      None
    • Environment:
      Jenkins: 2.263.4
      GitLab Branch Source: 1.5.7
      GitLab: 13.10.2
    • Similar Issues:

      Description

      We updated recently from version 1.5.1 to 1.5.7 of the GitLab Branch Source plugin and since then it is not possible to connect to our internal GitLab anymore.

       

      We get this error message:

      PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      

      Because this is an internal service, we are using self signed certificates which may cause this issue.

      In the past this worked perfect but now the plugin is completely unusable for us because there is no option to ignore such certificate issues.

      Attached you find the complete stack trace of the error.

       

      I check the modifications that where done in the plugin since version 1.5.1 and it seems that the change in file

       src/main/java/io/jenkins/plugins/gitlabbranchsource/GitLabHookCreator.java:204

      in the commit "JENKINS-62375 Fix/secret token (#91)" from May 31, 2020 is the root cause.

       

      I think a possible solution could be to add an option to disable the SSL verification for such situations.

        Attachments

          Activity

          bboehmke Benjamin Böhmke created issue -
          bboehmke Benjamin Böhmke made changes -
          Field Original Value New Value
          Description We updated recently from version 1.5.1 to 1.5.7 of the GitLab Branch Source plugin and since then it is not possible to connect to our internal GitLab anymore.

           

          We get this error message:
          {code:java}
          PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          {code}
          Because this is an internal service, it is using a self signed certificate.

          In the past this worked perfect but now the plugin is completely unusable for us because there is no option to ignore such certificate issues.

          Attached you find the complete stack trace of the error.

           

           

           
          We updated recently from version 1.5.1 to 1.5.7 of the GitLab Branch Source plugin and since then it is not possible to connect to our internal GitLab anymore.

           

          We get this error message:
          {code:java}
          PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          {code}
          Because this is an internal service, it we are using self signed certificates which may cause this issue.

          In the past this worked perfect but now the plugin is completely unusable for us because there is no option to ignore such certificate issues.

          Attached you find the complete stack trace of the error.

           

           

           
          bboehmke Benjamin Böhmke made changes -
          Description We updated recently from version 1.5.1 to 1.5.7 of the GitLab Branch Source plugin and since then it is not possible to connect to our internal GitLab anymore.

           

          We get this error message:
          {code:java}
          PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          {code}
          Because this is an internal service, it we are using self signed certificates which may cause this issue.

          In the past this worked perfect but now the plugin is completely unusable for us because there is no option to ignore such certificate issues.

          Attached you find the complete stack trace of the error.

           

           

           
          We updated recently from version 1.5.1 to 1.5.7 of the GitLab Branch Source plugin and since then it is not possible to connect to our internal GitLab anymore.

           

          We get this error message:
          {code:java}
          PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          {code}
          Because this is an internal service, we are using self signed certificates which may cause this issue.

          In the past this worked perfect but now the plugin is completely unusable for us because there is no option to ignore such certificate issues.

          Attached you find the complete stack trace of the error.

           

           

           
          bboehmke Benjamin Böhmke made changes -
          Description We updated recently from version 1.5.1 to 1.5.7 of the GitLab Branch Source plugin and since then it is not possible to connect to our internal GitLab anymore.

           

          We get this error message:
          {code:java}
          PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          {code}
          Because this is an internal service, we are using self signed certificates which may cause this issue.

          In the past this worked perfect but now the plugin is completely unusable for us because there is no option to ignore such certificate issues.

          Attached you find the complete stack trace of the error.

           

           

           
          We updated recently from version 1.5.1 to 1.5.7 of the GitLab Branch Source plugin and since then it is not possible to connect to our internal GitLab anymore.

           

          We get this error message:
          {code:java}
          PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          {code}
          Because this is an internal service, we are using self signed certificates which may cause this issue.

          In the past this worked perfect but now the plugin is completely unusable for us because there is no option to ignore such certificate issues.

          Attached you find the complete stack trace of the error.

           

          I check the modifications that where done in the plugin since version 1.5.1 and it seems that the change in file

           [src/main/java/io/jenkins/plugins/gitlabbranchsource/GitLabHookCreator.java:204|https://github.com/jenkinsci/gitlab-branch-source-plugin/commit/66f422b9bc51cd2d4d3a1ef76293a292bd867710#diff-b4b7c4ae118a436cffac72f288819b3dbf53af124385a33aba42660bc24ee0faL204]

          in the commit "[JENKINS-62375] Fix/secret token (#91)" from May 31, 2020 is the root cause.

           

          I think a possible solution could be to add an option to disable the SSL verification for such situations.
          Hide
          mwinter69 Markus Winter added a comment -

          Have you tried adding the certificate of your gitlab instance to the truststore of the JVM  used by your Jenkins instance?

          Show
          mwinter69 Markus Winter added a comment - Have you tried adding the certificate of your gitlab instance to the truststore of the JVM  used by your Jenkins instance?
          Hide
          bboehmke Benjamin Böhmke added a comment -

          We have not tried this until now but it would probably work.

          We had a similar issue with the Artifactory plugin were we tried to add the CA certificate to the Java cert store. This was not easy to setup and never fully worked why stopped using this plugin. Also we don't want this certificate in the system JRE which would maybe required to maintain multiple runtime on the system.

          Because this is an internal network it would be completely fine to ignore issues with the certificate as it was before. Also a lot of other plugins (e.g. the vsphere cloud plugin) have an option that can be enabled to ignore certificate issue. Would be great to have a similar option for the Gitlab plugin. Alternative revert back to the previous behavior so the plugin works like before.

          Show
          bboehmke Benjamin Böhmke added a comment - We have not tried this until now but it would probably work. We had a similar issue with the Artifactory plugin were we tried to add the CA certificate to the Java cert store. This was not easy to setup and never fully worked why stopped using this plugin. Also we don't want this certificate in the system JRE which would maybe required to maintain multiple runtime on the system. Because this is an internal network it would be completely fine to ignore issues with the certificate as it was before. Also a lot of other plugins (e.g. the vsphere cloud plugin) have an option that can be enabled to ignore certificate issue. Would be great to have a similar option for the Gitlab plugin. Alternative revert back to the previous behavior so the plugin works like before.

            People

            Assignee:
            baymac Parichay Barpanda
            Reporter:
            bboehmke Benjamin Böhmke
            Votes:
            2 Vote for this issue
            Watchers:
            4 Start watching this issue

              Dates

              Created:
              Updated: