[JIRA] (JENKINS-52359) Cannot use custom CA Cert with vault plugin


spam4dimmer@gmail.com (JIRA)

Jul 3, 2018, 5:34:04 PM
to jenkinsc...@googlegroups.com
Chris Hiestand created an issue

Jenkins / Bug JENKINS-52359
Cannot use custom CA Cert with vault plugin
Issue Type: Bug
Assignee: Peter Tierno
Components: hashicorp-vault-plugin
Created: 2018-07-03 21:33
Environment: jobs are being run in a container via the kubernetes plugin and I have installed the custom CA Cert to the container image.

Info dump below:
awt.toolkit sun.awt.X11.XToolkit
executable-war /usr/share/jenkins/jenkins.war
file.encoding UTF-8
file.encoding.pkg sun.io
file.separator /
hudson.model.DirectoryBrowserSupport.CSP
hudson.slaves.NodeProvisioner.initialDelay 0
hudson.slaves.NodeProvisioner.MARGIN 50
hudson.slaves.NodeProvisioner.MARGIN0 0.85
java.awt.graphicsenv sun.awt.X11GraphicsEnvironment
java.awt.headless true
java.awt.printerjob sun.print.PSPrinterJob
java.class.path /usr/share/jenkins/jenkins.war
java.class.version 52.0
java.endorsed.dirs /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/endorsed
java.ext.dirs /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/ext:/usr/java/packages/lib/ext
java.home /usr/lib/jvm/java-8-openjdk-amd64/jre
java.io.tmpdir /tmp
java.library.path /usr/java/packages/lib/amd64:/usr/lib/x86_64-linux-gnu/jni:/lib/x86_64-linux-gnu:/usr/lib/x86_64-linux-gnu:/usr/lib/jni:/lib:/usr/lib
java.runtime.name OpenJDK Runtime Environment
java.runtime.version 1.8.0_162-8u162-b12-1~deb9u1-b12
java.specification.name Java Platform API Specification
java.specification.vendor Oracle Corporation
java.specification.version 1.8
java.vendor Oracle Corporation
java.vendor.url http://java.oracle.com/
java.vendor.url.bug http://bugreport.sun.com/bugreport/
java.version 1.8.0_162
java.vm.info mixed mode
java.vm.name OpenJDK 64-Bit Server VM
java.vm.specification.name Java Virtual Machine Specification
java.vm.specification.vendor Oracle Corporation
java.vm.specification.version 1.8
java.vm.vendor Oracle Corporation
java.vm.version 25.162-b12
javax.accessibility.assistive_technologies org.GNOME.Accessibility.AtkWrapper
jetty.git.hash 82b8fb23f757335bb3329d540ce37a2a2615f0a8
jna.loaded true
jna.platform.library.path /usr/lib/x86_64-linux-gnu:/lib/x86_64-linux-gnu:/lib64:/usr/lib:/lib
jnidispatch.path /tmp/jna--1712433994/jna4116952368626064570.tmp
line.separator
mail.smtp.sendpartial true
mail.smtps.sendpartial true
org.apache.commons.jelly.tags.fmt.timeZone America/Los_Angeles
os.arch amd64
os.name Linux
os.version 4.4.86+
path.separator :
sun.arch.data.model 64
sun.boot.class.path /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/resources.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/rt.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jsse.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jce.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/charsets.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/jfr.jar:/usr/lib/jvm/java-8-openjdk-amd64/jre/classes
sun.boot.library.path /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64
sun.cpu.endian little
sun.cpu.isalist
sun.font.fontmanager sun.awt.X11FontManager
sun.io.unicode.encoding UnicodeLittle
sun.java.command /usr/share/jenkins/jenkins.war --argumentsRealm.passwd.jenkins=[redacted] --argumentsRealm.roles.jenkins=admin
sun.java.launcher SUN_STANDARD
sun.jnu.encoding UTF-8
sun.management.compiler HotSpot 64-Bit Tiered Compilers
sun.os.patch.level unknown
svnkit.http.methods Digest,Basic,NTLM,Negotiate
svnkit.ssh2.persistent false
user.dir /
user.home /var/jenkins_home
user.language en
user.name jenkins
user.timezone Etc/UTC
Environment Variables (Name / Value)
CA_CERTIFICATES_JAVA_VERSION 20170531+nmu1
COPY_REFERENCE_FILE_LOG /var/jenkins_home/copy_reference_file.log
HOME /var/jenkins_home
HOSTNAME jenkins-65cd5cd67d-v59ps
JAVA_DEBIAN_VERSION 8u162-b12-1~deb9u1
JAVA_HOME /docker-java-home
JAVA_OPTS -Dhudson.slaves.NodeProvisioner.initialDelay=0 -Dhudson.slaves.NodeProvisioner.MARGIN=50 -Dhudson.slaves.NodeProvisioner.MARGIN0=0.85
JAVA_VERSION 8u162
JENKINS_DISCOVERY_PORT tcp://10.51.252.119:50000
JENKINS_DISCOVERY_PORT_50000_TCP tcp://10.51.252.119:50000
JENKINS_DISCOVERY_PORT_50000_TCP_ADDR 10.51.252.119
JENKINS_DISCOVERY_PORT_50000_TCP_PORT 50000
JENKINS_DISCOVERY_PORT_50000_TCP_PROTO tcp
JENKINS_DISCOVERY_SERVICE_HOST 10.51.252.119
JENKINS_DISCOVERY_SERVICE_PORT 50000
JENKINS_DISCOVERY_SERVICE_PORT_SLAVES 50000
JENKINS_HOME /var/jenkins_home
JENKINS_OPTS --argumentsRealm.passwd.jenkins=[redacted] --argumentsRealm.roles.jenkins=admin
JENKINS_SLAVE_AGENT_PORT 50000
JENKINS_UC https://updates.jenkins.io
JENKINS_UC_EXPERIMENTAL https://updates.jenkins.io/experimental
JENKINS_UI_PORT tcp://10.51.242.56:8080
JENKINS_UI_PORT_8080_TCP tcp://10.51.242.56:8080
JENKINS_UI_PORT_8080_TCP_ADDR 10.51.242.56
JENKINS_UI_PORT_8080_TCP_PORT 8080
JENKINS_UI_PORT_8080_TCP_PROTO tcp
JENKINS_UI_SERVICE_HOST 10.51.242.56
JENKINS_UI_SERVICE_PORT 8080
JENKINS_UI_SERVICE_PORT_UI 8080
JENKINS_VERSION 2.119
KUBERNETES_PORT tcp://10.51.240.1:443
KUBERNETES_PORT_443_TCP tcp://10.51.240.1:443
KUBERNETES_PORT_443_TCP_ADDR 10.51.240.1
KUBERNETES_PORT_443_TCP_PORT 443
KUBERNETES_PORT_443_TCP_PROTO tcp
KUBERNETES_SERVICE_HOST 10.51.240.1
KUBERNETES_SERVICE_PORT 443
KUBERNETES_SERVICE_PORT_HTTPS 443
LANG C.UTF-8
PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PWD /
SHLVL 0
Plugins (Name / Version / Enabled)
ace-editor 1.1 true
ant 1.8 true
antisamy-markup-formatter 1.5 true
apache-httpcomponents-client-4-api 4.5.5-2.0 true
artifactory 2.16.1 true
authentication-tokens 1.3 true
blueocean 1.1.4 true
blueocean-autofavorite 1.0.0 true
blueocean-commons 1.1.6 true
blueocean-config 1.1.4 true
blueocean-dashboard 1.1.4 true
blueocean-display-url 2.0 true
blueocean-events 1.1.4 true
blueocean-git-pipeline 1.1.6 true
blueocean-github-pipeline 1.1.6 true
blueocean-i18n 1.1.4 true
blueocean-jwt 1.1.6 true
blueocean-personalization 1.1.4 true
blueocean-pipeline-api-impl 1.1.6 true
blueocean-pipeline-editor 0.2.0 true
blueocean-pipeline-scm-api 1.1.6 true
blueocean-rest 1.1.6 true
blueocean-rest-impl 1.1.6 true
blueocean-web 1.1.6 true
bouncycastle-api 2.16.1 true
branch-api 2.0.9 true
build-user-vars-plugin 1.5 true
cloudbees-folder 6.3 true
clover 4.8.0 true
command-launcher 1.2 true
config-file-provider 2.18 true
credentials 2.1.16 true
credentials-binding 1.15 true
cvs 2.13 true
display-url-api 2.0 true
docker-commons 1.11 true
docker-workflow 1.15.1 true
durable-task 1.17 true
email-ext 2.62 true
external-monitor-job 1.7 true
favorite 2.3.0 true
ghprb 1.42.0 true
git 3.9.1 true
git-client 2.7.2 true
git-server 1.7 true
github 1.29.1 true
github-api 1.92 true
github-branch-source 2.3.6 true
github-organization-folder 1.6 true
google-login 1.4 true
google-metadata-plugin 0.2 true
google-oauth-plugin 0.6 true
google-source-plugin 0.3 true
gradle 1.28 true
handlebars 1.1.1 true
hashicorp-vault-plugin 2.1.1 true
htmlpublisher 1.16 true
http_request 1.8.22 true
icon-shim 2.0.3 true
ivy 1.28 true
jackson2-api 2.8.11.1 true
javadoc 1.4 true
jdk-tool 1.0 true
jquery-detached 1.2.1 true
jsch 0.1.54.1 true
junit 1.24 true
kubernetes 1.7.1 true
kubernetes-credentials 0.3.1 true
ldap 1.14 true
mailer 1.21 true
mapdb-api 1.0.9.0 true
matrix-auth 2.2 true
matrix-project 1.11 true
maven-plugin 3.1.2 true
metrics 3.1.2.10 true
momentjs 1.1.1 true
oauth-credentials 0.3 true
pam-auth 1.3 true
pipeline-build-step 2.5.1 true
pipeline-github-lib 1.0 true
pipeline-graph-analysis 1.3 true
pipeline-input-step 2.8 true
pipeline-milestone-step 1.3.1 true
pipeline-model-api 1.1.8 true
pipeline-model-declarative-agent 1.1.1 true
pipeline-model-definition 1.1.8 true
pipeline-model-extensions 1.1.8 true
pipeline-rest-api 2.8 true
pipeline-stage-step 2.2 true
pipeline-stage-tags-metadata 1.1.8 true
pipeline-stage-view 2.8 true
plain-credentials 1.4 true
pubsub-light 1.10 true
role-strategy 2.7.0 true
scm-api 2.2.6 true
script-security 1.44 true
slack 2.3 true
sse-gateway 1.15 true
ssh-agent 1.15 true
ssh-credentials 1.13 true
ssh-slaves 1.26 true
structs 1.14 true
subversion 2.10.5 true
token-macro 2.5 true
translation 1.16 true
variant 1.1 true
windows-slaves 1.2 true
workflow-aggregator 2.5 true
workflow-api 2.25 true
workflow-basic-steps 2.6 true
workflow-cps 2.36.1 true
workflow-cps-global-lib 2.8 true
workflow-durable-task-step 2.12 true
workflow-job 2.11.1 true
workflow-multibranch 2.15 true
workflow-scm-step 2.5 true
workflow-step-api 2.12 true
workflow-support 2.14 true
Priority: Minor
Reporter: Chris Hiestand

Inside the container, I've used SSLPoke (from here: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html) to test whether or not the CA cert was successfully installed into the $JAVA_HOME keystore and it was:

$JAVA_HOME/bin/java SSLPoke 1.2.3.4 1234
Successfully connected

Note: if it matters I am connecting to the vault IP and not a hostname.

Inside the container, JAVA_HOME is /docker-java-home and /docker-java-home/jre/lib/security/cacerts is a symlink to /etc/ssl/certs/java/cacerts (which does contain the custom CA cert)

My pipeline is defined like so:

node {

    // define the secrets and the env variables
    def secrets = [
        [
            $class: 'VaultSecret', path: 'jenkins/test', secretValues: [
                [$class: 'VaultSecretValue', envVar: 'blah1', vaultKey: 'value']
            ]
        ],
    ]

    def configuration = [$class: 'VaultConfiguration',
                         vaultCredentialId: 'vault-jenkins-approle-1']

    stage('Test') {
        // inside this block your credentials will be available as env variables
        wrap([$class: 'VaultBuildWrapper', configuration: configuration, vaultSecrets: secrets]) {
            sh 'echo "blah1: $blah1"'
        }
    }
}

And here is the output:

[Pipeline] {
[Pipeline] stage
[Pipeline] { (Test)
[Pipeline] wrap
[Pipeline] // wrap
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
Caused: sun.security.validator.ValidatorException: PKIX path building failed
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
Caused: javax.net.ssl.SSLHandshakeException
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334)
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259)
	at com.bettercloud.vault.rest.Rest.postOrPutImpl(Rest.java:369)
Caused: com.bettercloud.vault.rest.RestException
	at com.bettercloud.vault.rest.Rest.postOrPutImpl(Rest.java:386)
	at com.bettercloud.vault.rest.Rest.post(Rest.java:276)
	at com.bettercloud.vault.api.Auth.loginByAppRole(Auth.java:228)
Caused: com.bettercloud.vault.VaultException
	at com.bettercloud.vault.api.Auth.loginByAppRole(Auth.java:253)
	at com.datapipe.jenkins.vault.credentials.VaultAppRoleCredential.authorizeWithVault(VaultAppRoleCredential.java:42)
	at com.datapipe.jenkins.vault.VaultAccessor.auth(VaultAccessor.java:29)
	at com.datapipe.jenkins.vault.VaultBuildWrapper.provideEnvironmentVariablesFromVault(VaultBuildWrapper.java:142)
	at com.datapipe.jenkins.vault.VaultBuildWrapper.setUp(VaultBuildWrapper.java:91)
	at org.jenkinsci.plugins.workflow.steps.CoreWrapperStep$Execution.start(CoreWrapperStep.java:80)
	at org.jenkinsci.plugins.workflow.cps.DSL.invokeStep(DSL.java:224)
	at org.jenkinsci.plugins.workflow.cps.DSL.invokeMethod(DSL.java:150)
	at org.jenkinsci.plugins.workflow.cps.CpsScript.invokeMethod(CpsScript.java:108)
	at sun.reflect.GeneratedMethodAccessor3640.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93)
	at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1213)
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1022)
	at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.call(PogoMetaClassSite.java:42)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:157)
	at org.kohsuke.groovy.sandbox.GroovyInterceptor.onMethodCall(GroovyInterceptor.java:23)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:133)
	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:155)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:159)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:129)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:129)
	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:16)
Caused: com.datapipe.jenkins.vault.exception.VaultPluginException: could not log in into vault
	at com.datapipe.jenkins.vault.credentials.VaultAppRoleCredential.authorizeWithVault(VaultAppRoleCredential.java:44)
	at com.datapipe.jenkins.vault.VaultAccessor.auth(VaultAccessor.java:29)
	at com.datapipe.jenkins.vault.VaultBuildWrapper.provideEnvironmentVariablesFromVault(VaultBuildWrapper.java:142)
	at com.datapipe.jenkins.vault.VaultBuildWrapper.setUp(VaultBuildWrapper.java:91)
	at org.jenkinsci.plugins.workflow.steps.CoreWrapperStep$Execution.start(CoreWrapperStep.java:80)
	at org.jenkinsci.plugins.workflow.cps.DSL.invokeStep(DSL.java:224)
	at org.jenkinsci.plugins.workflow.cps.DSL.invokeMethod(DSL.java:150)
	at org.jenkinsci.plugins.workflow.cps.CpsScript.invokeMethod(CpsScript.java:108)
	at sun.reflect.GeneratedMethodAccessor3640.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:93)
	at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:325)
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1213)
	at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1022)
	at org.codehaus.groovy.runtime.callsite.PogoMetaClassSite.call(PogoMetaClassSite.java:42)
	at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
	at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:157)
	at org.kohsuke.groovy.sandbox.GroovyInterceptor.onMethodCall(GroovyInterceptor.java:23)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SandboxInterceptor.onMethodCall(SandboxInterceptor.java:133)
	at org.kohsuke.groovy.sandbox.impl.Checker$1.call(Checker.java:155)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:159)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:129)
	at org.kohsuke.groovy.sandbox.impl.Checker.checkedCall(Checker.java:129)
	at com.cloudbees.groovy.cps.sandbox.SandboxInvoker.methodCall(SandboxInvoker.java:16)
	at WorkflowScript.run(WorkflowScript:17)
	at ___cps.transform___(Native Method)
	at com.cloudbees.groovy.cps.impl.ContinuationGroup.methodCall(ContinuationGroup.java:57)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.dispatchOrArg(FunctionCallBlock.java:109)
	at com.cloudbees.groovy.cps.impl.FunctionCallBlock$ContinuationImpl.fixArg(FunctionCallBlock.java:82)
	at sun.reflect.GeneratedMethodAccessor376.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at com.cloudbees.groovy.cps.impl.ContinuationPtr$ContinuationImpl.receive(ContinuationPtr.java:72)
	at com.cloudbees.groovy.cps.impl.ClosureBlock.eval(ClosureBlock.java:46)
	at com.cloudbees.groovy.cps.Next.step(Next.java:83)
	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:173)
	at com.cloudbees.groovy.cps.Continuable$1.call(Continuable.java:162)
	at org.codehaus.groovy.runtime.GroovyCategorySupport$ThreadCategoryInfo.use(GroovyCategorySupport.java:122)
	at org.codehaus.groovy.runtime.GroovyCategorySupport.use(GroovyCategorySupport.java:261)
	at com.cloudbees.groovy.cps.Continuable.run0(Continuable.java:162)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.access$001(SandboxContinuable.java:19)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:35)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable$1.call(SandboxContinuable.java:32)
	at org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox.runInSandbox(GroovySandbox.java:108)
	at org.jenkinsci.plugins.workflow.cps.SandboxContinuable.run0(SandboxContinuable.java:32)
	at org.jenkinsci.plugins.workflow.cps.CpsThread.runNextChunk(CpsThread.java:174)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.run(CpsThreadGroup.java:330)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup.access$100(CpsThreadGroup.java:82)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:242)
	at org.jenkinsci.plugins.workflow.cps.CpsThreadGroup$2.call(CpsThreadGroup.java:230)
	at org.jenkinsci.plugins.workflow.cps.CpsVmExecutorService$2.call(CpsVmExecutorService.java:64)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at hudson.remoting.SingleLaneExecutorService$1.run(SingleLaneExecutorService.java:131)
	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
	at jenkins.security.ImpersonatingExecutorService$1.run(ImpersonatingExecutorService.java:59)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
Finished: FAILURE

This message was sent by Atlassian JIRA (v7.10.1#710002-sha1:6efc396)

spam4dimmer@gmail.com (JIRA)

Jul 3, 2018, 5:45:02 PM
to jenkinsc...@googlegroups.com
Chris Hiestand updated an issue
Change By: Chris Hiestand
I would expect that this plugin should use a standard cert store and TLS library and this should just work. But it doesn't work, apologies if it's something I've set up incorrectly.

Inside the container, I've used SSLPoke (from here: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html) to test whether or not the CA cert was successfully installed into the $JAVA_HOME keystore and it was:

$JAVA_HOME/bin/java SSLPoke 1.2.3.4 1234
Successfully connected

Note: if it matters I am connecting to the vault IP and not a hostname.

Inside the container, JAVA_HOME is /docker-java-home and /docker-java-home/jre/lib/security/cacerts is a symlink to /etc/ssl/certs/java/cacerts (which does contain the custom CA cert)

My pipeline is defined like so:
{code:java}

node {

    // define the secrets and the env variables
    def secrets = [
        [
            $class: 'VaultSecret', path: 'jenkins/test', secretValues: [
                [$class: 'VaultSecretValue', envVar: 'blah1', vaultKey: 'value']
            ]
        ],
    ]

    def configuration = [$class: 'VaultConfiguration',
                         vaultCredentialId: 'vault-jenkins-approle-1']

    stage('Test') {
        // inside this block your credentials will be available as env variables
        wrap([$class: 'VaultBuildWrapper', configuration: configuration, vaultSecrets: secrets]) {
            sh 'echo "blah1: $blah1"'
        }
    }
}
{code}

And here is the output:
{noformat}
Finished: FAILURE
{noformat}

spam4dimmer@gmail.com (JIRA)

Jul 3, 2018, 5:50:02 PM
to jenkinsc...@googlegroups.com
Chris Hiestand updated an issue
I would expect that this plugin should use a standard cert store and TLS library and this should just work. But it doesn't work, apologies if it's something I've set up incorrectly.

Inside the container, I've used SSLPoke (from here: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html) to test whether or not the CA cert was successfully installed into the $JAVA_HOME keystore and it was:

$JAVA_HOME/bin/java SSLPoke 1.2.3.4 1234
Successfully connected

Note: if it matters I am connecting to the vault IP and not a hostname.

Inside the container, JAVA_HOME is /docker-java-home and /docker-java-home/jre/lib/security/cacerts is a symlink to /etc/ssl/certs/java/cacerts (which does contain the custom CA cert)

My global configuration looks like (with actual values instead of these dummies):

Vault URL: https://1.2.3.4:1234
Vault Credential: Vault Jenkins Approle 1

My pipeline is defined like so:

spam4dimmer@gmail.com (JIRA)

Jul 3, 2018, 5:51:02 PM
to jenkinsc...@googlegroups.com
Chris Hiestand updated an issue
I would expect that this plugin should use a standard cert store and TLS library and this should just work. But it doesn't work, apologies if it's something I've set up incorrectly.

Inside the container, I've used SSLPoke (from here: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html) to test whether or not the CA cert was successfully installed into the $JAVA_HOME keystore and it was:

$JAVA_HOME/bin/java SSLPoke 1.2.3.4 1234
Successfully connected

Note: if it matters I am connecting to the vault IP and not a hostname.

Inside the container, JAVA_HOME is /docker-java-home and /docker-java-home/jre/lib/security/cacerts is a symlink to /etc/ssl/certs/java/cacerts (which does contain the custom CA cert)

My global configuration looks like (with actual values instead of these dummies):

{noformat}
Vault URL: https://1.2.3.4:1234
Vault Credential: Vault Jenkins Approle 1
{noformat}

spam4dimmer@gmail.com (JIRA)

Jul 3, 2018, 6:29:03 PM
to jenkinsc...@googlegroups.com
Chris Hiestand updated an issue
I would expect that this plugin should use a standard cert store and TLS library and this should just work. But it doesn't work, apologies if it's something I've set up incorrectly.

Inside the container, I've used SSLPoke (from here: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html) to test whether or not the CA cert was successfully installed into the $JAVA_HOME keystore and it was:

$JAVA_HOME/bin/java SSLPoke 1.2.3.4 1234
Successfully connected

Note: if it matters I am connecting to the vault IP and not a hostname.

Inside the container, JAVA_HOME is /docker-java-home and /docker-java-home/jre/lib/security/cacerts is a symlink to /etc/ssl/certs/java/cacerts (which does contain the custom CA cert)

My global configuration looks like (with actual values instead of these dummies):

{noformat}
Vault URL: https://1.2.3.4:1234

spam4dimmer@gmail.com (JIRA)

Jul 3, 2018, 6:30:03 PM
to jenkinsc...@googlegroups.com
Chris Hiestand updated an issue
I would expect that this plugin should use a standard cert store and TLS library and this should just work. But it doesn't work, apologies if it's something I've set up incorrectly.

Inside the container, I've used SSLPoke (from here: [SSLPoke|https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html]) to test whether or not the CA cert was successfully installed into the $JAVA_HOME keystore and it was:

spam4dimmer@gmail.com (JIRA)

Jul 3, 2018, 6:31:03 PM
to jenkinsc...@googlegroups.com
Chris Hiestand updated an issue
I would expect that this plugin should use a standard cert store and TLS library and this should just work. But it doesn't work, apologies if it's something I've set up incorrectly.

Inside the container, I've used SSLPoke (from here: [SSLPoke|https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html]) to test whether or not the CA cert was successfully installed into the $JAVA_HOME keystore and it was:

{code:java}
$JAVA_HOME/bin/java SSLPoke 1.2.3.4 1234
Successfully connected
{code}

spam4dimmer@gmail.com (JIRA)

Jul 3, 2018, 6:32:02 PM
to jenkinsc...@googlegroups.com
Chris Hiestand updated an issue
I would expect that this plugin should use a standard cert store and TLS library and this should just work. But it doesn't work, apologies if it's something I've set up incorrectly.

Inside the container, I've used SSLPoke (from here: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html) to test whether or not the CA cert was successfully installed into the $JAVA_HOME keystore and it was:

spam4dimmer@gmail.com (JIRA)

Jul 3, 2018, 6:32:03 PM
to jenkinsc...@googlegroups.com
Chris Hiestand updated an issue
I would expect that this plugin should use a standard cert store and TLS library and this should just work. But it doesn't work, apologies if it's something I've set up incorrectly.

Inside the container, I've used SSLPoke (from here: [SSLPoke|https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html]) to test whether or not the CA cert was successfully installed into the $JAVA_HOME keystore and it was:

raphael@pigulla.net (JIRA)

Nov 30, 2018, 3:43:01 AM
to jenkinsc...@googlegroups.com
Raphael Pigulla commented on Bug JENKINS-52359
 
Re: Cannot use custom CA Cert with vault plugin

I'm having the same issue. Did you ever find a solution?


spam4dimmer@gmail.com (JIRA)

Nov 30, 2018, 2:40:02 PM
to jenkinsc...@googlegroups.com

No. I switched to concourse CI which has really good vault integration and supports custom CA certs.

spam4dimmer@gmail.com (JIRA)

Nov 30, 2018, 2:40:03 PM
to jenkinsc...@googlegroups.com
Chris Hiestand edited a comment on Bug JENKINS-52359
No. I switched to concourse CI which has really good vault integration and supports custom CA certs. But this issue was not the only reason why I switched.

mtabolsky@gmail.com (JIRA)

Jan 23, 2019, 4:54:02 AM
to jenkinsc...@googlegroups.com

For anyone bumping into this, the plugin uses BetterCloud's code to access vault and all the communication stuff is done there. FWIW, you can disable the certificate validation by setting the environment variable VAULT_SSL_VERIFY to "false" or in case of custom CA you have to extend the plugin's capabilities to allow the keystore to be configured as described here
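
The comment above contrasts two ways out: switching verification off, or making the custom CA available to the code that actually performs the HTTPS call. The reporter's trace shows that call happening inside the driver (com.bettercloud.vault.rest.Rest → HttpsClient → X509TrustManagerImpl), so trust has to be configured on that path rather than only in $JAVA_HOME's cacerts. The class below is an added example written for this thread; it is not code from the Jenkins plugin or from the vault-java-driver. It shows, with plain JDK APIs only, what "trust exactly this CA" looks like in-process: it loads a PEM bundle into an empty in-memory trust store, builds an SSLContext from it, and calls Vault's unauthenticated /v1/sys/health endpoint. The class name VaultTlsCheck, the method names, and the two command-line arguments (Vault address, CA file path) are assumptions chosen for the example.

```java
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not part of the Jenkins plugin or the vault-java-driver):
 * build an SSLContext that trusts only the CA certificates in one PEM file,
 * then use it for an HTTPS call to Vault. Nothing here is read from cacerts,
 * so the check passes or fails on the custom CA alone.
 */
public final class VaultTlsCheck {

    /** Load every certificate in a PEM bundle into an empty in-memory trust store. */
    public static SSLContext contextTrustingOnly(Path caBundlePem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> cas;
        try (InputStream in = Files.newInputStream(caBundlePem)) {
            cas = cf.generateCertificates(in);   // accepts a multi-certificate bundle
        }
        if (cas.isEmpty()) {
            throw new IllegalArgumentException("no certificates found in " + caBundlePem);
        }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);                      // start empty: deliberately not cacerts
        int i = 0;
        for (Certificate ca : cas) {
            ts.setCertificateEntry("custom-ca-" + (i++), ca);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * GET /v1/sys/health with the given trust configuration. Returns the HTTP
     * status Vault answers with; throws with the handshake detail if the
     * server certificate does not chain to the supplied CA or the name
     * does not match.
     */
    public static int healthStatus(String vaultAddr, SSLContext ctx) throws Exception {
        URL url = new URL(vaultAddr + "/v1/sys/health");
        HttpURLConnection raw = (HttpURLConnection) url.openConnection();
        if (!(raw instanceof HttpsURLConnection)) {
            throw new IllegalArgumentException("Vault address must use https://, got " + vaultAddr);
        }
        HttpsURLConnection conn = (HttpsURLConnection) raw;
        conn.setSSLSocketFactory(ctx.getSocketFactory());   // trust only our CA
        // The default hostname verifier is kept on purpose. When vaultAddr is an
        // IP literal (as in the report), the server certificate must carry that
        // address as an IP SAN; a CN or DNS SAN alone will not satisfy it.
        conn.setRequestMethod("GET");
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        try {
            return conn.getResponseCode();
        } catch (SSLHandshakeException e) {
            // Same failure class as the Jenkins trace: no path to a trusted anchor.
            throw new IllegalStateException(
                "TLS handshake with " + vaultAddr + " failed: " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            // Both values are operator-supplied placeholders, not from the thread.
            System.err.println("usage: VaultTlsCheck https://vault.example:8200 /path/to/ca.pem");
            System.exit(2);
        }
        SSLContext ctx = contextTrustingOnly(Paths.get(args[1]));
        int status = healthStatus(args[0], ctx);
        System.out.println("Vault answered /v1/sys/health with HTTP " + status);
    }
}
```

Run it inside the same container image the pipeline uses, pointing at the Vault address from the global configuration and at the CA PEM that was added to the image. A successful run (Vault's health endpoint answers with a status code such as 200 or 429 depending on seal and standby state) confirms the CA file itself is sufficient, which separates "the CA is wrong or incomplete" from "the plugin never consulted it". Compared with VAULT_SSL_VERIFY=false, this keeps server authentication: the AppRole role and secret id are only ever sent to an endpoint whose certificate chains to the operator's CA, instead of to whatever answers at that address.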

simoncelliott@gmail.com (JIRA)

Mar 19, 2019, 9:51:02 AM
to jenkinsc...@googlegroups.com

I've hit this same issue. I want to use a self-signed certificate and an internal domain. Vault is happy to talk to itself with this certificate, but I can't retrieve secrets from it using this plug-in, with the same error described above.

miroslav.hadzhiev@gmail.com (JIRA)

Mar 31, 2019, 6:14:03 AM
to jenkinsc...@googlegroups.com

Hi Team - I've hit the same issue. Is it going to be fixed any time soon?

syaramada-c@scrippsnetworks.com (JIRA)

Jul 17, 2019, 2:42:02 PM
to jenkinsc...@googlegroups.com

Any update on this issue as we are also facing a similar problem 

josephp90@gmail.com (JIRA)

Oct 10, 2019, 1:14:03 AM
to jenkinsc...@googlegroups.com
Joseph Petersen resolved as Fixed

Change By: Joseph Petersen
Status: Open → Resolved
Assignee: Peter Tierno → Joseph Petersen
Resolution: Fixed
Released As: https://github.com/jenkinsci/hashicorp-vault-plugin/releases/tag/hashicorp-vault-plugin-3.0.0

josephp90@gmail.com (JIRA)

Mar 7, 2020, 1:08:10 AM
to jenkinsc...@googlegroups.com
Joseph Petersen assigned an issue to Joseph Petersen
Change By: Joseph Petersen
Assignee: Joseph Petersen (old)