TLS/SSL problems talking to GitHub Enterprise


Benson Margulies

Oct 27, 2016, 12:01:09 PM
to Jenkins Users
Our GFE instance uses a certificate from an annoying certificate authority (godata). To get Jenkins to talk to it at all, I had to create a trust store with their intermediate certificates. And now, basic operations work, everything tests out on the configuration page, etc. But when a pull request webhook fires, I get the following backtraces.

Can anyone advise?


Failed to login with creds cc1f844d-c149-46c3-9685-971711912a94
org.kohsuke.github.HttpException: Server returned HTTP response code: -1, message: 'null' for URL: https://git.basistech.net/api/v3/user
	at org.kohsuke.github.Requester.parse(Requester.java:540)
	at org.kohsuke.github.Requester._to(Requester.java:251)
	at org.kohsuke.github.Requester.to(Requester.java:213)
	at org.kohsuke.github.GitHub.getMyself(GitHub.java:283)
	at org.kohsuke.github.GitHub.<init>(GitHub.java:149)
	at org.kohsuke.github.GitHubBuilder.build(GitHubBuilder.java:201)
	at org.jenkinsci.plugins.github.internal.GitHubLoginFunction.applyNullSafe(GitHubLoginFunction.java:73)
	at org.jenkinsci.plugins.github.internal.GitHubLoginFunction.applyNullSafe(GitHubLoginFunction.java:46)
	at org.jenkinsci.plugins.github.util.misc.NullSafeFunction.apply(NullSafeFunction.java:18)
	at org.jenkinsci.plugins.github.config.GitHubServerConfig$ClientCacheFunction.applyNullSafe(GitHubServerConfig.java:348)
	at org.jenkinsci.plugins.github.config.GitHubServerConfig$ClientCacheFunction.applyNullSafe(GitHubServerConfig.java:344)
	at org.jenkinsci.plugins.github.util.misc.NullSafeFunction.apply(NullSafeFunction.java:18)
	at com.google.common.collect.Iterators$8.next(Iterators.java:812)
	at com.google.common.collect.Iterators$7.computeNext(Iterators.java:648)
	at com.google.common.collect.AbstractIterator.tryToComputeNext(AbstractIterator.java:143)
	at com.google.common.collect.AbstractIterator.hasNext(AbstractIterator.java:138)
	at org.jenkinsci.plugins.github.util.FluentIterableWrapper.first(FluentIterableWrapper.java:128)
	at com.github.kostyasha.github.integration.generic.GitHubTriggerDescriptor.githubFor(GitHubTriggerDescriptor.java:63)
	at org.jenkinsci.plugins.github.pullrequest.GitHubPRTrigger.readyToBuildCauses(GitHubPRTrigger.java:267)
	at org.jenkinsci.plugins.github.pullrequest.GitHubPRTrigger.doRun(GitHubPRTrigger.java:236)
	at org.jenkinsci.plugins.github.pullrequest.GitHubPRTrigger$1.run(GitHubPRTrigger.java:201)
	at hudson.util.SequentialExecutionQueue$QueueEntry.run(SequentialExecutionQueue.java:119)
	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1906)
	at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1889)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1410)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
	at com.squareup.okhttp.Connection.connectTls(Connection.java:235)
	at com.squareup.okhttp.Connection.connectSocket(Connection.java:199)
	at com.squareup.okhttp.Connection.connect(Connection.java:172)
	at com.squareup.okhttp.Connection.connectAndSetOwner(Connection.java:367)
	at com.squareup.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:128)
	at com.squareup.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:328)
	at com.squareup.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:245)
	at com.squareup.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:438)
	at com.squareup.okhttp.internal.huc.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:389)
	at com.squareup.okhttp.internal.huc.HttpURLConnectionImpl.getResponseCode(HttpURLConnectionImpl.java:502)
	at com.squareup.okhttp.internal.huc.DelegatingHttpsURLConnection.getResponseCode(DelegatingHttpsURLConnection.java:105)
	at com.squareup.okhttp.internal.huc.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:25)
	at org.kohsuke.github.Requester.parse(Requester.java:514)
	... 27 more
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
	at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:90)
	at sun.security.validator.Validator.getInstance(Validator.java:179)
	at sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:312)
	at sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:171)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:184)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
	... 41 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
	at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
	at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
	at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
	at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:88)
	... 53 more

Oct 27, 2016 9:58:05 AM SEVERE org.jenkinsci.plugins.github.pullrequest.GitHubPRTrigger doRun
Can't process check (Can't find appropriate client for github repo <https://git.basistech.net/raas/rosapi1.5>)
org.jenkinsci.plugins.github.internal.GHPluginConfigException: Can't find appropriate client for github repo <https://git.basistech.net/raas/rosapi1.5>
	at com.github.kostyasha.github.integration.generic.GitHubTriggerDescriptor.githubFor(GitHubTriggerDescriptor.java:67)
	at org.jenkinsci.plugins.github.pullrequest.GitHubPRTrigger.readyToBuildCauses(GitHubPRTrigger.java:267)
	at org.jenkinsci.plugins.github.pullrequest.GitHubPRTrigger.doRun(GitHubPRTrigger.java:236)
	at org.jenkinsci.plugins.github.pullrequest.GitHubPRTrigger$1.run(GitHubPRTrigger.java:201)
	at hudson.util.SequentialExecutionQueue$QueueEntry.run(SequentialExecutionQueue.java:119)
	at jenkins.util.ContextResettingExecutorService$1.run(ContextResettingExecutorService.java:28)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)

Benson Margulies

Oct 27, 2016, 12:03:06 PM
to Jenkins Users
Please also note the last exception:

Benson Margulies

Oct 27, 2016, 12:32:54 PM
to Jenkins Users
I solved this for myself. It turns out that the stock Docker image for java8, used by Jenkins, has its own special approach to trust stores.
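A diagnostic for the "trustAnchors parameter must be non-empty" failure in the traces above, added here as an example and not taken from the thread or from any Jenkins plugin. It assumes the usual JSSE lookup order (the javax.net.ssl.trustStore property, then jssecacerts, then cacerts under java.home); the class name TrustStoreCheck is hypothetical.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class TrustStoreCheck {
    /** Counts trusted-certificate entries; only these can serve as PKIX trust anchors. */
    static int countAnchors(KeyStore ks) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) n++;
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        String home = System.getProperty("java.home");
        String explicit = System.getProperty("javax.net.ssl.trustStore");
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        // Assumed lookup order: explicit property, else jssecacerts, else cacerts.
        List<Path> candidates = explicit != null
                ? Arrays.asList(Paths.get(explicit))
                : Arrays.asList(Paths.get(home, "lib", "security", "jssecacerts"),
                                Paths.get(home, "lib", "security", "cacerts"));

        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null); // stays empty if no candidate file can be read
        for (Path p : candidates) {
            if (!Files.isReadable(p)) { System.out.println("not readable: " + p); continue; }
            // toRealPath() exposes symlinks, e.g. a cacerts that points outside the JRE.
            System.out.println("using " + p + " -> " + p.toRealPath());
            try (InputStream in = Files.newInputStream(p)) {
                ks.load(in, pw == null ? null : pw.toCharArray());
            }
            break;
        }
        System.out.println("trust anchors: " + countAnchors(ks));
        try {
            new PKIXParameters(ks); // rejects a key store with no trusted-certificate entries
            System.out.println("PKIX validation can be initialised");
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("TLS handshakes will fail: " + e.getMessage());
        }
    }
}
```

Run it with the same JVM, user and -Djavax.net.ssl.* options as the Jenkins process (inside the container, if there is one), since a different environment may resolve a different trust store.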