How to Solve Jenkins Plugins Installation Problem?

Question

I am trying to install the version 2.162 of the open source Jenkins. The Jenkins successfully came up but, when I go to Manage Jenkins-> Manage Plugins, I see following error:

I've done some search and see this problem is regarding the certificate issue

There were errors checking the update sites: SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: > sun.security.provider.certpath.SunCertPathBuilderException: unable to > find valid certification path to requested target

In the keystore, which website certs should I add so that jenkins can donwload the plugins from?

Answer 1

As others have suggested, the first step is to check your Java version and try updating to the most recent version that is relevant for your environment. This is particularly important for sites using Let's Encrypt, as they occasionally change their certificate chain (either intermediate or root certificates). That's why updating Java might resolve this issue, as newer releases include the updated certificates in the keystore shipped with the JRE (or JDK). If you're using Linux as your build server, your OS's certificates might also need to be updated. Here's how you can do that on Ubuntu:

 sudo update-ca-certificates -f

Don't forget to restart Jenkins afterwards.

Answer 2

I was using java version "1.8.0_91" when getting the SSL handshake error. Problem got solved after following instructions followed to upgrade Java to version 11.

I downloaded JDK version 11.0.14 from
https://www.oracle.com/java/technologies/downloads/#java11

and installed it.

Also installed fontconfig using

yum install fontconfig

Modified below in /etc/init.d/jenkins with path of Java 11. Ex - /root/jdk-11.0.14/bin/java. Gave 755 permission to all folders and files in path /root/jdk-11.0.14/bin/java

Also configured update site in Jenkins configuration as

http://updates.jenkins-ci.org/update-center.json

If your problem is still not solved with above changes and if you are using a proxy where proxy is giving its own SSL certificate instead of original certificate of the website then below steps will be needed.

Add your HTTP proxy certificate (Get it from your IT team. Or access Jenkins update site in your laptop using same proxy and export certificate from browser as base64 cer file) to trusted certificates using below commands. Put the exported certificates in cer file in linux using vim. Make sure to give 755 permission for all folders and files in below paths so that jenkins user can read them.
CA cert paths

/root/jdk-11.0.14/jre/lib/security/cacerts
/root/jdk-11.0.14/lib/security/cacerts

keytool -import -noprompt -trustcacerts -alias proxy3 -file /root/proxy1.cer -keystore /root/jdk-11.0.14/lib/security/cacerts -storepass changeit -keypass changeit
keytool -import -noprompt -trustcacerts -alias jenkins3 -file /root/jenkins1.cer -keystore /root/jdk-11.0.14/lib/security/cacerts -storepass changeit -keypass change

configured /etc/sysconfig/jenkins with

JENKINS_HTTPS_KEYSTORE="/root/jdk-11.0.14/lib/security/cacerts"
JENKINS_HTTPS_KEYSTORE_PASSWORD="changeit"

Modified below in /etc/init.d/jenkins

candidates="
/root/jdk-11.0.14/bin/java
PARAMS="--logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war -Djavax.net.ssl.trustStore=/root/jdk-11.0.14/lib/security/cacerts"

Answer 3

To fix this you need to download all the certificates used by all the sites related to the update plugin process in Jenkins.

Typically:

1. get.jenkins.io.cer
2. mirror.gruenehoelle.nl.cer
3. updates.jenkins.io.cer

There may be more. As you install a plugin. If it fails. Just repeat the process to download the certificate and add it to your keystore.

> Example: keytool -import -alias mirrorgruen -keystore
> $JAVA_HOME/jre/lib/security/cacerts -file ./mirror.gruenehoelle.nl.cer

This worked on MACOSx. Tip: Unless you've changed it. Use the default password of 'changeit' when prompted to type in your password.

Finally restart Jenkins - then attempt to install the plugins. That should turn the results green.

Answer 4

You should have latest version of JDK. I faced same issue and it was because while installing I used jdk1.8.0_241 instead of Java 2.91. And here I ended up in all kind of issues. First I need to move to http from https (Solution above) and then still got same error while installing plugin. To resolve this , you can see which Java version your Jenkins is referring, in your Jenkins installation HOME folder, under file named Jenkins.xml. Search for following line - C:\Program Files\Java\jre1.8.0_291\bin\java.exe

if it is outdated, update it, JDK 1.8.291 worked like a charm for me !

This JIRA ticket helped me in getting to root cause of this - https://issues.jenkins.io/browse/JENKINS-63515

Answer 5

You have to configure JENKINS update-site CA-s certificates in your JENKINS java store. Just get those certificates (you can get it from your browser accessing update-site URL) and add it to your java store (java store path: $JAVA_HOME/jre/lib/security/cacerts)

Answer 6

I was able to solve this from Jenkins UI very easy to login to Jenkins with Admin

• Manage Jenkins
• Manage Plugins
• Advance (Under the Manage Plugins)

• 

• Change URL from https to http and click on Submit

• In the Last click on Check Now

Answer 7

Just a small hack. Update the URL in the file "hudson.model.UpdateCenter.xml" from https to http

<?xml version='1.1' encoding='UTF-8'?>
<sites>
  <site>
    <id>default</id>
    <url>http://updates.jenkins.io/update-center.json</url>
  </site>
</sites>

Answer 8

I think the answer here might solve your problem, sounds like the same issue:

Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?