Jenkins Agent Java Certificate Error

[TJ Patterson]

Hello everyone!

We are running Jenkins Master via Docker (Jenkins/Jenkins:LTS Java 11) and then using an NGINX Docker reverse proxy container to provide SSL certificate and more security.  We changed the URL in Manage Jenkins > Configure System > Jenkins Location from "http://jenkinsserver.com:8080" to "https://jenkinsserver.com"

We are now receiving an error when connecting the nodes to Jenkins. 

 

This is the error from our java  JNLP agent connection (I’ve changed server name/node names, etc.):

 

~ % curl -sO https://jenkinsserveraddress/jnlpJars/agent.jar

java -jar agent.jar -jnlpUrl https://jenkinsserveraddress/manage/computer/nodename/jenkins-agent.jnlp -secret secretphrasegoeshere

Exception in thread "main" java.io.IOException: Failed to validate a server certificate. If you are using a self-signed certificate, you can use the -noCertificateCheck option to bypass this check.

 

Thank you for any assistance anyone can offer!

[Dirk Heinrichs]

Am Mittwoch, dem 08.02.2023 um 14:29 -0800 schrieb TJ Patterson:

If you are using a self-signed certificate

So, do you?

HTH...

Dirk

-- 

Dirk Heinrichs

Senior Systems Engineer, Delivery Pipeline

OpenText ™ Discovery | Recommind

Phone: +49 2226 15966 18

Email: dhei...@opentext.com

Website: www.recommind.de

Recommind GmbH, Von-Liebig-Straße 1, 53359 Rheinbach

Vertretungsberechtigte Geschäftsführer Gordon Davies, Madhu Ranganathan, Christian Waida, Registergericht Amtsgericht Bonn, Registernummer HRB 10646

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden

Diese E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Mail sind nicht gestattet.

[TJ Patterson]

We are not using a self-signed cert

[Thomas Markus]

Hi,

Am 08.02.23 um 23:29 schrieb TJ Patterson:

That depends on how old your java setup is. Java uses its own truststore to validate server certificates. When installed via system all distributions link to generated truststore with system certificates. So any system update should update them. For manually installed java setup check your truststore. See file $JAVAHOME/lib/security/cacerts

If not a linked to system trustore you can start your agent with

java -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit -jar ...

system package ca-certificates (or similiar) must be installed. Verify location for that file, it depends on your distribution

best regards
Thomas