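Which website certificates should I add to the keystore so that Jenkins can download plugins from them?
You need to configure the Jenkins update site CA certificates in the Java store used by Jenkins. Just obtain these certificates (you can get them by visiting the update site URL in a browser) and add them to your Java store (Java store path: $JAVA_HOME/jre/lib/security/cacerts).
There may be more of them. When you install a plugin and it fails, repeat the process to download the certificate and add it to the keystore.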
> Example: keytool -import -alias mirrorgruen -keystore
> $JAVA_HOME/jre/lib/security/cacerts -file ./mirror.gruenehoelle.nl.cer
I was using java version "1.8.0_91" when getting the SSL handshake error. The problem was solved after following the instructions below to upgrade Java to version 11.
I downloaded jdk version 11.0.14 from https://www.oracle.com/java/technologies/downloads/#java11 and installed it
Also installed fontconfig using
yum install fontconfig
Modified below in /etc/init.d/jenkins with path of Java 11. Ex - /root/jdk-11.0.14/bin/java . Gave 755 permission to all folders and files in path /root/jdk-11.0.14/bin/java
Also configured update site in Jenkins configuration as
http://updates.jenkins-ci.org/update-center.json
If your problem is still not solved with the above changes, and you are using a proxy that presents its own SSL certificate instead of the website's original certificate, then the steps below will be needed.
Add your HTTP proxy certificate (Get it from your IT team. Or access Jenkins update site in your laptop using same proxy and export certificate from browser as base64 cer file) to trusted certificates using below commands. Put the exported certificates in cer file in linux using vim. Make sure to give 755 permission for all folders and files in below paths so that jenkins user can read them.
CA cert paths
/root/jdk-11.0.14/jre/lib/security/cacerts
/root/jdk-11.0.14/lib/security/cacerts
keytool -import -noprompt -trustcacerts -alias proxy3 -file /root/proxy1.cer -keystore /root/jdk-11.0.14/lib/security/cacerts -storepass changeit -keypass changeit
keytool -import -noprompt -trustcacerts -alias jenkins3 -file /root/jenkins1.cer -keystore /root/jdk-11.0.14/lib/security/cacerts -storepass changeit -keypass change
Configured /etc/sysconfig/jenkins with
JENKINS_HTTPS_KEYSTORE="/root/jdk-11.0.14/lib/security/cacerts"
JENKINS_HTTPS_KEYSTORE_PASSWORD="changeit"
Modified below in /etc/init.d/jenkins
candidates="
/root/jdk-11.0.14/bin/java
PARAMS="--logfile=/var/log/jenkins/jenkins.log --webroot=/var/cache/jenkins/war -Djavax.net.ssl.trustStore=/root/jdk-11.0.14/lib/security/cacerts"
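The import steps in the answer above trust whatever certificate file was exported through the proxy. As an added example (not part of the original answer), this script compares the file's SHA-256 fingerprint with a value obtained separately, for instance from the IT team, and only then imports it into a copy of cacerts. The function names, the five-argument interface and the copied truststore path are assumptions.

```shell
#!/bin/sh
# Added example: check a certificate's SHA-256 fingerprint before trusting it.
# Paths, alias and expected fingerprint are supplied by the caller.

# Strip colons/whitespace and lowercase, so "AB:CD" and "abcd" compare equal.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \n' | tr 'ABCDEF' 'abcdef'
}

# Succeed only if both arguments are the same 64-hex-digit fingerprint.
fp_matches() {
  fp_a=$(normalize_fp "$1"); fp_b=$(normalize_fp "$2")
  case "$fp_a" in *[!0-9a-f]*|"") return 1 ;; esac
  [ "${#fp_a}" -eq 64 ] && [ "$fp_a" = "$fp_b" ]
}

# Fingerprint of a base64 (PEM) .cer file, as exported from a browser.
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# import_pinned CERT ALIAS EXPECTED_SHA256 JDK_CACERTS TRUSTSTORE
import_pinned() {
  ip_actual=$(cert_fp "$1") || return 1
  if ! fp_matches "$ip_actual" "$3"; then
    echo "refusing $1: fingerprint $ip_actual does not match expected" >&2
    return 1
  fi
  # Import into a copy (hypothetical path) so the JDK-wide store is untouched.
  [ -f "$5" ] || cp "$4" "$5" || return 1
  keytool -importcert -noprompt -alias "$2" -file "$1" \
    -keystore "$5" -storepass "${STOREPASS:-changeit}" || return 1
  # List the entry so the stored fingerprint can be reviewed afterwards.
  keytool -list -alias "$2" -keystore "$5" -storepass "${STOREPASS:-changeit}"
}

# Only act when called with all five arguments.
if [ "$#" -eq 5 ]; then
  import_pinned "$@"
fi
```

The copied store is then the one to pass to -Djavax.net.ssl.trustStore in PARAMS.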
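I think the answer here may solve your problem; it sounds like the same issue:
Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?
You should have the latest version of the JDK.
I ran into the same problem, and it was because I used jdk1.8.0_241 instead of Java 2.91 at installation time. As a result I hit all kinds of problems.
First, I needed to move from https to http (see the solution above), and then I still got the same error when installing plugins.
To fix this, check the Java version your Jenkins references: in the file named Jenkins.xml under the Jenkins installation HOME folder, search for the following line - C:\Program Files\Java\jre1.8.0_291\bin\java.exe
If it is outdated, update it. For me, JDK 1.8.291 works great!
This JIRA ticket helped me find the root cause - https://issues.jenkins.io/browse/JENKINS-63515
Just a small trick. In the file "hudson.model.UpdateCenter.xml", update the URL from https to http.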
<?xml version='1.1' encoding='UTF-8'?>
<sites>
<site>
<id>default</id>
<url>http://updates.jenkins.io/update-center.json</url>
</site>
</sites>