jenkins 安装插件的时候碰到了问题,
Failure -
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146) at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) Caused: sun.security.validator.ValidatorException: PKIX path building failed at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) at sun.security.validator.Validator.validate(Validator.java:260) at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) Caused: javax.net.ssl.SSLHandshakeException at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1513) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441) at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:2943) at java.net.URLConnection.getHeaderFieldLong(URLConnection.java:629) at java.net.URLConnection.getContentLengthLong(URLConnection.java:501) at java.net.URLConnection.getContentLength(URLConnection.java:485) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getContentLength(HttpsURLConnectionImpl.java:398) at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1265) Caused: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:422) at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1890) at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1885) at java.security.AccessController.doPrivileged(Native Method) at sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1884) at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1457) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1281) Caused: java.io.IOException: Failed to load https://updates.jenkins.io/download/plugins/snakeyaml-api/1.27.0/snakeyaml-api.hpi to /Users/ftmac/.jenkins/plugins/snakeyaml-api.jpi.tmp at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1288) Caused: java.io.IOException: Failed to download from https://updates.jenkins.io/download/plugins/snakeyaml-api/1.27.0/snakeyaml-api.hpi at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1322) at hudson.model.UpdateCenter$DownloadJob._run(UpdateCenter.java:1870) at hudson.model.UpdateCenter$InstallationJob._run(UpdateCenter.java:2162) at hudson.model.UpdateCenter$DownloadJob.run(UpdateCenter.java:1844) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at hudson.remoting.AtmostOneThreadExecutor$Worker.run(AtmostOneThreadExecutor.java:118) at java.lang.Thread.run(Thread.java:745)
先介绍一下我的jenkins环境:
环境介绍:
jenkins: 2.277.4
机器环境: Mac 10.15.7 Catalina
Java:1.8.0
Tomcat:8.5.16
有个办法是给Mac加一个科学上网工具就行,但不能每台机器都这么干哪,万一其他机器碰到了呢?本着追究到底、一劳永逸解决问题的态度,咱们来好好看看遇到这类问题如何根治。
解决办法一(我的环境下行不通):
有人说因为https的原因,可以尝试https改为http(确实跟证书有关系,刚开始的时候想着快速搞定,没解决)
目前的环境是,把jenkins.war 放在MAC 的tomcat webapps里。尝试修改tomcat,添加参数:
vim /Library/Tomcat//conf/context.xml
<Context>
...
<Environment name="JENKINS_JAVA_OPTIONS" value="-Dhudson.
model.UpdateCenter.pluginDownloadReadTimeoutSeconds=120 -Dhu
dson.model.DownloadService.noSignatureCheck=true -Dmaven.wagon.
http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true" type="jav
a.lang.String"/>
...
</Context>
无数遍重启,不起作用,在我这个环境上看来是行不通。
解决方法二(行不通):
意外发现,原来jenkins的很多东西存放 ~/.jenkins 目录下
~/.jenkins/hudson.model.UpdateCenter.xml # 页面的修改和改这里,效果是一样的
~/.jenkins/updates/default.json # 这个是缓存文件,所以对于这个文件的修改是无效的。(至少对于2.277版本来说)
尝试换国内各个镜像地址,从https改为http,再改为https,一样报错,也是没卵用。
解决办法三:
命令行安装jenkins 插件,jenkins提供了一个工具plugin-installation-manager-tool,下面是执行命令
# 通过jenkins 后台无法安装,那就通过 命令行来手动安装
java -jar jenkins-plugin-manager-*.jar --jenkins-update-center https://
mirrors.tuna.tsinghua.edu.cn/jenkins/updates/update-center.json --war ../webapps/jenkins.war -d ~/.jenkins/plugins/ --plugins localization-z
h-cn:1.0.24 --verbose
# --jenkins-update-center 指定镜像地址,其实这里作用不大,因为这个json文件里的插件地址还是指向jenkins.update.co的
# --war 指定 jenkins.waar 的位置
# -d 告诉命令行plugin安装的位置
# --verbose debug输出安装运行过程
遇到了一个报错:
mac PKIX path building failed: sun.security.provider.certpath.SunCertP athBuilder
测试机器与updates网站的连接
java SSLPoke updates.jenkins.io 443
这个时候又遇到了问题2:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
经过一番google与度娘,原来是本机的证书有点儿问题,这个是因为: java 管理 Mac机上的证书,
Jenkins 2.77 changed the default URL of the Update Centre (UC) to use
https://
rather thanhttp://
.The Jenkins UC uses an SSL certificate from Let's Encrypt, but the root certificates that Let's Encrypt certificates depend on weren't added to Java 8 until update 101.
Upgrade your Java installation from 8u60 to at least 8u101, and it should work as expected.
升级java版本还是有风险的,我们换另一种操作方式。
生成连接的证书到本地
openssl s_client -connect updates.jenkins.io:443 | openssl x509 -out sonar_ssl.cert
# 把这个证书导入到java受信任的站点当中
sudo keytool -import -alias sonar_certificate -file sonar_ssl.cert \
-keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_65.jdk/Contents/Home/jre/lib/security/cacerts
修改之后重启机器