我正在尝试安装 2.162 版的开源 Jenkins。 Jenkins 成功出现,但是当我转到 Manage Jenkins-> Manage Plugins 时,我看到以下错误:
我做了一些搜索,发现这个问题与证书问题有关
检查更新站点时出错:SSLHandshakeException: sun.security.validator.ValidatorException:PKIX 路径构建失败:> sun.security.provider.certpath.SunCertPathBuilderException:无法> 找到请求目标的有效证书路径
在密钥库中,我应该添加哪些网站证书以便 jenkins 可以从其中下载插件?
【问题讨论】:
【讨论】:
您必须在您的 JENKINS Java 商店中配置 JENKINS 更新站点 CA-s 证书。只需获取这些证书(您可以从访问更新站点 URL 的浏览器中获取)并将其添加到您的 java 存储(java 存储路径:$JAVA_HOME/jre/lib/security/cacerts)
【讨论】:
您应该拥有最新版本的 JDK。 我遇到了同样的问题,这是因为在安装时我使用了 jdk1.8.0_241 而不是 Java 2.91。在这里,我遇到了各种各样的问题。 首先我需要从 https 迁移到 http(上面的解决方案),然后在安装插件时仍然遇到同样的错误。 要解决此问题,您可以在 Jenkins 安装 HOME 文件夹中名为 Jenkins.xml 的文件下查看您的 Jenkins 所指的 Java 版本。搜索以下行 - C:\Program Files\Java\jre1.8.0_291\bin\java.exe
如果它已过时,请更新它,JDK 1.8.291 对我来说就像一个魅力!
这张 JIRA 票帮助我找到了这个问题的根本原因 - https://issues.jenkins.io/browse/JENKINS-63515
【讨论】:
要解决此问题,您需要下载与 Jenkins 中的更新插件过程相关的所有站点使用的所有证书。
通常:
可能还有更多。当您安装插件时。如果失败。只需重复该过程即可下载证书并将其添加到您的密钥库中。
> Example: keytool -import -alias mirrorgruen -keystore
> $JAVA_HOME/jre/lib/security/cacerts -file ./mirror.gruenehoelle.nl.cer
这适用于 MACOSx。提示:除非你改变了它。当提示您输入密码时,使用默认密码 'changeit'。
最后重新启动 Jenkins - 然后尝试安装插件。这应该会将结果变为绿色。
【讨论】:
I was using java version "1.8.0_91" when getting the SSL handshake error. Problem got solved after following instructions followed to upgrade Java to version 11
I downloaded jdk version 11.0.14 from https://www.oracle.com/java/technologies/downloads/#java11 and installed it
Also installed fontconfig using
yum install fontconfig
Modified below in /etc/init.d/jenkins with path of Java 11. Ex - /root/jdk-11.0.14/bin/java . Gave 755 permission to all folders and files in path /root/jdk-11.0.14/bin/java
Also configured update site in Jenkins configuration as
http://updates.jenkins-ci.org/update-center.json
If your problem is still not solved with above changes and if you are using a proxy where proxy is giving its own SSL certificate instead of original certficate of the website then below steps will be needed.
Add your HTTP proxy certificate (Get it from your IT team. Or access Jenkins update site in your laptop using same proxy and export certificate from browser as base64 cer file) to trusted certificates using below commands. Put the exported certificates in cer file in linux using vim. Make sure to give 755 permission for all folders and files in below paths so that jenkins user can read them.
CA cert paths
/root/jdk-11.0.14/jre/lib/security/cacerts
/root/jdk-11.0.14/lib/security/cacerts
keytool -import -noprompt -trustcacerts -alias proxy3 -file /root/proxy1.cer -keystore /root/jdk-11.0.14/lib/security/cacerts -storepass changeit -keypass changeit
keytool -import -noprompt -trustcacerts -alias jenkins3 -file /root/jenkins1.cer -keystore /root/jdk-11.0.14/lib/security/cacerts -storepass changeit -keypass change
configured /etc/sysconfig/jenkins with
ENKINS_HTTPS_KEYSTORE="/root/jdk-11.0.14/lib/security/cacerts"
JENKINS_HTTPS_KEYSTORE_PASSWORD="changeit"
Modified below in /etc/init.d/jenkins
candidates="
/root/jdk-11.0.14/bin/java
PARAMS="--logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war -Djavax.net.ssl.trustStore=/root/jdk-11.0.14/lib/security/cacerts"
【讨论】:
只是一个小技巧。将文件“hudson.model.UpdateCenter.xml”中的 URL 从 https 更新为 http
<?xml version='1.1' encoding='UTF-8'?>
<sites>
<site>
<id>default</id>
<url>http://updates.jenkins.io/update-center.json</url>
</site>
</sites>
【讨论】: