Java Jenkins 在导入 Git 存储库时“无法找到请求目标的有效认证路径”错误
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/24563694/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Jenkins "unable to find valid certification path to requested target" error while importing Git repository
提问by user2118245
I'm trying to build a Git repofrom Jenkins using the Jenkins Git Pluginon my laptop. The Git repo resides on company trusted server which has self-signed certificates. While specifying the URL I'm always getting an error:
我正在尝试使用笔记本电脑上的Jenkins Git 插件从 Jenkins构建一个Git 存储库。Git 存储库驻留在具有自签名证书的公司可信服务器上。在指定 URL 时,我总是收到错误消息:
Failed to connect to repository : sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
I understand this error surfaces due to self-signed certificates but the server belongs to my company and is signed by authority.
我了解此错误是由于自签名证书而导致的,但服务器属于我的公司并由授权机构签名。
I also tried to import the same repo from another laptop using self-signed and keep getting the same error.
我还尝试使用自签名从另一台笔记本电脑导入相同的 repo 并不断收到相同的错误。
Any help will be appreciated
任何帮助将不胜感激
回答by Matt Jennings
Java ships with a default list of trusted root certificate authorities. If it can't find a path back to one of these trusted certificate authorities, it will not trust the certificate.
Java 附带了受信任的根证书颁发机构的默认列表。如果它找不到返回这些受信任证书颁发机构之一的路径,它将不信任该证书。
It sounds like the server you are attempting to connect to uses a certificate signed by an internal certificate authority. That's typical for internal servers. You wouldn't want to pay for a certificate if it isn't external facing.
听起来您尝试连接的服务器使用了由内部证书颁发机构签署的证书。这是内部服务器的典型情况。如果证书不是面向外部的,您就不会想要为证书付费。
You can add your company's root certificate authority to java using the keytool command. Then you will be able to make ssl connections to any certificate signed by this root certificate.
您可以使用 keytool 命令将您公司的根证书颁发机构添加到 java。然后,您将能够与此根证书签署的任何证书建立 ssl 连接。
回答by Markus
while the above answer is generally correct, it may be also due to an expired certificate in the chain (server cert, intermediate, root). Just got the same error and my server certificate was expired.
虽然上述答案通常是正确的,但也可能是由于链中的证书已过期(服务器证书、中间证书、根证书)。刚刚遇到同样的错误,我的服务器证书已过期。
回答by Highway of Life
That error is a common error message reported by the Java Virtual Machine. This is caused when the Java environment does not have information about the HTTPS server to verify that it is a valid website. Sometimes the certificate is provided by an internal Root CA or is a Self-Signed Certificate. This sometimes can confuse the JVM as it is not one of the ones on the Java “trusted” list who can provide these certificates.
该错误是 Java 虚拟机报告的常见错误消息。这是因为 Java 环境没有关于 HTTPS 服务器的信息来验证它是一个有效的网站。有时,证书由内部根 CA 提供或者是自签名证书。这有时会使 JVM 感到困惑,因为它不是 Java“受信任”列表中可以提供这些证书的人之一。
Because we know that the certififcate is “valid” we can import this certificate directly into the JVM. In doing so, we tell the JVM that this is is a “trusted” certificate and to “ignore” any issues with it.
因为我们知道证书是“有效的”,所以我们可以将该证书直接导入到 JVM 中。这样做时,我们告诉 JVM 这是一个“可信”证书,并“忽略”它的任何问题。
You will need to add the certificate to your Java Certificate Authority file. For an Debian/Ubuntu Linux machine, that's usually located here:
您需要将证书添加到 Java 证书颁发机构文件中。对于 Debian/Ubuntu Linux 机器,它通常位于此处:
$JAVA_HOME/jre/lib/security/cacerts
However, you don't want to add it to the JRE cacert keystore because it will be overwritten/rewritten by the JRE, so it's best to duplicate this file for Jenkins.
但是,您不想将它添加到 JRE cacert 密钥库,因为它会被 JRE 覆盖/重写,因此最好为 Jenkins 复制此文件。
$JAVA_HOME- This should be the location of where your current java home is. If you only have the Java Runtime Environment (JRE) installed, then you can replace$JAVA_HOME/jrewith the$JRE_HOME.$ALIAS- This can be any value. It is a value to distinguish this certificate from others. Example would be “git-repo”, or “artifact server”.$JENKINS_HOME- This is the path to your Jenkins home. Often/var/lib/jenkins.
$JAVA_HOME- 这应该是您当前的 java home 所在的位置。如果您只安装了 Java 运行时环境 (JRE),则可以替换$JAVA_HOME/jre为$JRE_HOME.$ALIAS- 这可以是任何值。将此证书与其他证书区分开来是一种价值。示例是“git-repo”或“工件服务器”。$JENKINS_HOME- 这是通往 Jenkins 家的路。经常/var/lib/jenkins。
You can import the certificate into your JVM cacerts file using the following commands. -- In your Jenkins master. Obtain the certificate, copy the JVM keystore for Jenkins, import the certificate into the keystore, add the trusted keystore to the Jenkins startup parameters and restart Jenkins.
您可以使用以下命令将证书导入 JVM cacerts 文件。-- 在你的詹金斯大师中。获取证书,复制Jenkins的JVM keystore,将证书导入keystore,将可信keystore添加到Jenkins启动参数中,重启Jenkins。
# Import certificate
openssl s_client -showcerts -connect https://your-target-server\
< /dev/null 2> /dev/null | openssl x509 -outform PEM > ~/root_ca.pem
# Duplicate Java Keystore file and move into Jenkins...
mkdir $JENKINS_HOME/keystore/
cp $JAVA_HOME/jre/lib/security/cacerts $JENKINS_HOME/keystore/
# Add Certificate to Keystore
keytool -import -alias $ALIAS -keystore $JENKINS_HOME/keystore/cacerts -file ~/root_ca.pem
# Add -Djavax.net.ssl.trustStore=$JENKINS_HOME/keystore/cacerts to the
# Jenkins startup parameters. For Debian/Ubuntu, this is /etc/default/jenkins
echo 'JAVA_ARGS="$JAVA_ARGS -Djavax.net.ssl.trustStore=$JENKINS_HOME/keystore/cacerts"'\
>> /etc/default/jenkins
sudo service jenkins restart
Reference Help:
参考帮助:
回答by Sairam Krish
From the question, my understanding is that this Jenkins is installed on a developer box.
从问题来看,我的理解是这个Jenkins安装在开发人员盒子上。
If security is not a core concern in this box, you may in Jenkins web UI go to Manage Jenkins> Manage Plugins> tab Availableand search for "skip-certificate-check"plugin.
如果安全性不是此框中的核心问题,您可以在 Jenkins Web UI 中转到“管理 Jenkins”>“管理插件”>“可用”选项卡并搜索“skip-certificate-check”插件。
On installing this, the issue should be fixed. Use this plugin with caution, since it is not advised from security perspective.
在安装它时,问题应该得到解决。谨慎使用此插件,因为从安全角度不建议使用。
回答by it3xl
For Jeinkins on Windows
对于Windows 上的Jeinkins
After installing a stand-alone Java version on my PC, the mentioned error has disappeared.
在我的 PC 上安装独立的 Java 版本后,上述错误消失了。
To be precise, I have installed JDK 8u162 (Java SE Development Kit 8u162) from Java SE Development Kit 8 Downloads
准确地说,我已经从Java SE Development Kit 8 Downloads安装了 JDK 8u162(Java SE Development Kit 8u162)
回答by Stella
I've just launched jenkins.war with jdk cacerts as an workaround java -Djavax.net.ssl.trustStore="/scratch/install/jdk1.8.0_102/jre/lib/security/cacerts" -jar jenkins.war &
我刚刚用 jdk cacerts 启动 jenkins.war 作为解决方法 java -Djavax.net.ssl.trustStore="/scratch/install/jdk1.8.0_102/jre/lib/security/cacerts" -jar jenkins.war &
回答by Vinay Yella
Add Root CA (GlobalSign.cer) downloaded from your browser to JAVA_HOME/jre/lib/security/cacerts.
将从浏览器下载的根 CA (GlobalSign.cer) 添加到 JAVA_HOME/jre/lib/security/cacerts。
You can use "Keystore explorer" tool to add Root CA to Java cacerts. Check this linkfor sequence of steps to add Root CA to Java cacerts :
您可以使用“密钥库资源管理器”工具将根 CA 添加到 Java cacerts。检查此链接以了解将根 CA 添加到 Java cacerts 的步骤序列:
After successfully adding Root CA to Java cert, restart Jenkins.
将 Root CA 成功添加到 Java 证书后,重启 Jenkins。
回答by Anshul Gupta
Go To ->Manage Jenkins -> Configure Global Security -> Plugin Manager and check the box for Use browser for metadata download.
转到 -> 管理 Jenkins -> 配置全局安全性 -> 插件管理器并选中使用浏览器进行元数据下载框。
It will solve the problem.
它将解决问题。
回答by Rafael Zhou
Manage Jenkins -> Manage plugins -> Plugin Manager -> Advanced
管理 Jenkins -> 管理插件 -> 插件管理器 -> 高级
change "Update Site" to use http not https. this solves my problem.
更改“更新站点”以使用 http 而不是 https。这解决了我的问题。
回答by MD5
For Newer Version of Jenkins Go to Jenkins-->Manage Jenkins--> Configure Global Security check the option Use browser for metadata download[by default its unchecked] and Restart Jenkins
对于较新版本的 Jenkins 转到 Jenkins--> 管理 Jenkins--> 配置全局安全性检查选项Use browser for metadata download[默认情况下未选中] 并重新启动 Jenkins
