How to configure a keystore with trusted certificates for Jenkins pod slaves created by Jenkins Kubernetes Plugin (SunCertPathBuilderException)

10/11/2018

I am using Jenkins Kubernetes plugin to provision slave agents (pods) that run the different tasks of a Java project build pipeline.

One of the pipeline stages consists of using SonarQube to analyze the Java code:

try {
    withSonarQubeEnv('SONARQUBE_CFG') {
        sh "./mvnw org.sonarsource.scanner.maven:sonar-maven-plugin:3.2:sonar -Dsonar.branch=$branch -Dsonar.verbose=true"
    }
} catch (ex) {
    ex.printStackTrace()
}

The problem is I'm getting a SunCertPathBuilderException because it can't validate the certificate chain.

[ERROR] SonarQube server [https://sonarqube.profile.es] can not be reached
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 19.894 s
[INFO] Finished at: 2018-10-11T16:45:10Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.2:sonar (default-cli) on project myproject: Unable to execute SonarQube: Fail to download libraries from server: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> [Help 1]

I have mounted the keystore from a config map in the Jenkins slave pod at the /cfg/keystore.jks path but can't come up with a way to enforce the usage of that keystore. Ideas?

-- codependent
jenkins
jenkins-pipeline
jenkins-plugins
kubernetes
maven
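
One way to make the Maven JVM in the question's stage use the keystore mounted at /cfg/keystore.jks, as an added example that is not part of the original question or answer. It assumes a hypothetical secret-text credential `sonar-truststore-pass` holding the keystore password and that `keytool` is on the agent image's PATH.

```groovy
// Added example for a scripted pipeline. Names marked "assumed" are not from the original post.
// assumed: 'sonar-truststore-pass' is a Jenkins "secret text" credential with the keystore password
withCredentials([string(credentialsId: 'sonar-truststore-pass', variable: 'TRUSTSTORE_PASS')]) {
    // Pass the branch through the environment so it is never spliced into the shell command by Groovy.
    withEnv(['TRUSTSTORE=/cfg/keystore.jks', "BRANCH=${branch}"]) {

        // Fail early with a readable error if the ConfigMap mount is missing,
        // the file is not a valid keystore, or the password is wrong.
        sh 'keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" > /dev/null'

        withSonarQubeEnv('SONARQUBE_CFG') {
            // Single-quoted Groovy string: the shell expands the variables,
            // so the secret is not interpolated into the script by Groovy.
            // mvnw passes MAVEN_OPTS to the JVM that runs Maven and the Sonar plugin.
            sh '''
                export MAVEN_OPTS="-Djavax.net.ssl.trustStore=$TRUSTSTORE -Djavax.net.ssl.trustStorePassword=$TRUSTSTORE_PASS"
                ./mvnw org.sonarsource.scanner.maven:sonar-maven-plugin:3.2:sonar \
                    -Dsonar.branch="$BRANCH" -Dsonar.verbose=true
            '''
        }
    }
}
```

Setting `javax.net.ssl.trustStore` replaces the JVM's default trust store rather than extending it, so the mounted keystore must also contain the CAs for every other HTTPS host Maven contacts during the build, such as artifact repositories. The password is visible in the process arguments inside the pod while the commands run.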

1 Answer

3/6/2019

Your issue is not a certificate error. Your server simply cannot be reached.

  • Is it on?
  • Can you ping it from your Jenkins server/pod?
  • Is the necessary port opened for Jenkins to reach it? (gotta google this)
-- Katone Vi
Source: StackOverflow