Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-73434

Jenkins fails to download plugins from the update site (SunCertPathBuilderException: unable to find valid certification path to requested target)

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Not A Defect
    • Icon: Minor Minor
    • update-sites-manager-plugin
    • None
    • Jenkins 2.452.1 (I also had this issue with earlier versions of Jenkins)
      open jdk 18.9 (build 11+28), linux

      in a modern or older version of jenkins update a large set of plugins (I used both Jenkins 2.452.1 and numerous earlier versions running on java 11 JDK (open JDK) on a linux machine.

       

      expected: 

      all downloads download successfully

       

      actual: 

      the first couple of downloads on the list succeed until one gets a cert failure (after which all the remaining downloads fail with the same cert issue)

       

      workaround: 

      restart repeatedly and download a few plugins at a time (this can require dozens of tedious repeated selecting update and restarts if their are 40 or 50 plugins that require updates and only 1 or 2 succeed each iteration!)

       

      what doesn't work:

      the skip-certification-check plugin doesn't fix this issue

      changing the plugin update site (from https://updates.jenkins.io/update-center.json to http://updates.jenkins.io/update-center.json) might remove the intermittent error in the update site page, but it doesn't fix the issue with the actual downloading of plugins.

       

      example error message:

      java.security.cert.CertificateException: No subject alternative DNS name matching updates.jenkins.io found.
      at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:207)
      at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:98)
      at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:459)
      at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:434)
      at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:291)
      at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
      at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1307)
      Caused: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching updates.jenkins.io found.
      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
      at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1329)
      at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1204)
      at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1151)
      at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
      at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
      at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1065)
      at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1052)
      at java.base/java.security.AccessController.doPrivileged(Native Method)
      at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:999)
      at java.base/java.util.ArrayList.forEach(ArrayList.java:1540)
      at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.lambda$executeTasks$3(SSLFlowDelegate.java:1059)
      at java.net.http/jdk.internal.net.http.HttpClientImpl$DelegatingExecutor.execute(HttpClientImpl.java:153)
      at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.executeTasks(SSLFlowDelegate.java:1054)
      at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.doHandshake(SSLFlowDelegate.java:1020)
      at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader.processData(SSLFlowDelegate.java:437)
      at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader$ReaderDownstreamPusher.run(SSLFlowDelegate.java:263)
      at java.net.http/jdk.internal.net.http.common.SequentialScheduler$SynchronizedRestartableTask.run(SequentialScheduler.java:175)
      at java.net.http/jdk.internal.net.http.common.SequentialScheduler$CompleteRestartableTask.run(SequentialScheduler.java:147)
      at java.net.http/jdk.internal.net.http.common.SequentialScheduler$TryEndDeferredCompleter.complete(SequentialScheduler.java:315)
      at java.net.http/jdk.internal.net.http.common.SequentialScheduler$CompleteRestartableTask.run(SequentialScheduler.java:149)
      at java.net.http/jdk.internal.net.http.common.SequentialScheduler$SchedulableTask.run(SequentialScheduler.java:198)
      at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
      at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
      Caused: java.io.IOException: No subject alternative DNS name matching updates.jenkins.io found.
      at java.net.http/jdk.internal.net.http.HttpClientImpl.send(HttpClientImpl.java:565)
      at java.net.http/jdk.internal.net.http.HttpClientFacade.send(HttpClientFacade.java:119)
      at hudson.PluginManager.checkUpdateSiteURL(PluginManager.java:2016)
      at hudson.PluginManager.doCheckUpdateSiteUrl(PluginManager.java:1967)
      at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
      at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:397)
      at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:409)
      at org.kohsuke.stapler.interceptor.RequirePOST$Processor.invoke(RequirePOST.java:78)
      at org.kohsuke.stapler.PreInvokeInterceptedFunction.invoke(PreInvokeInterceptedFunction.java:26)
      at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:207)
      at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:140)
      at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:558)
      at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
      at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
      at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:172)
      at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
      at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
      at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:836)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
      at org.kohsuke.stapler.MetaClass$9.dispatch(MetaClass.java:475)
      at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
      at org.kohsuke.stapler.Stapler.invoke(Stapler.java:698)
      at org.kohsuke.stapler.Stapler.service(Stapler.java:248)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
      at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1656)
      at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:163)
      at jenkins.util.HttpServletFilter$1.doFilter(HttpServletFilter.java:76)
      at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
      at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:166)
      at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
      at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
      at jenkins.ErrorAttributeFilter.doFilter(ErrorAttributeFilter.java:29)
      at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
      at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
      at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:154)
      at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
      at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
      at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:54)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
      at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:110)
      at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
      at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:117)
      at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
      at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
      at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
      at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
      at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
      at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
      at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
      at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
      at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
      at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
      at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
      at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
      at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
      at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
      at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
      at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
      at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
      at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
      at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1626)
      at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:552)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
      at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:571)
      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
      at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
      at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
      at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
      at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)
      at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
      at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505)
      at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
      at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
      at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)
      at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
      at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:234)
      at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
      at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
      at org.eclipse.jetty.server.Server.handle(Server.java:516)
      at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)
      at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
      at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
      at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
      at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
      at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
      at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
      at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
      at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
      at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
      at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
      at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409)
      at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
      at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
      at java.base/java.lang.Thread.run(Thread.java:834)

       

        1. Screenshot 2024-07-10 at 1.08.31 PM.png
          Screenshot 2024-07-10 at 1.08.31 PM.png
          211 kB
        2. Screenshot 2024-07-10 at 1.29.54 PM.png
          Screenshot 2024-07-10 at 1.29.54 PM.png
          145 kB

            normana400 Andrew Norman
            normana400 Andrew Norman
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: