A note on what to do when Java reports an untrusted SSL certificate error (javax.net.ssl.SSLHandshakeException) while installing Jenkins on Mac OS X with Homebrew
After the installation completed, I started Jenkins and tried to go through the initial setup, but I was offline and could not install any plugins at all. When I looked at the log, I found an error like this.
Apr 28, 2018 12:40:10 AM hudson.model.UpdateCenter updateDefaultSite
warning: Upgrading Jenkins. Failed to update the default Update Site 'default'. Plugin upgrades may fail.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1513)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at hudson.model.DownloadService.loadJSON(DownloadService.java:167)
at hudson.model.UpdateSite.updateDirectlyNow(UpdateSite.java:190)
at hudson.model.UpdateCenter.updateDefaultSite(UpdateCenter.java:2194)
at jenkins.install.SetupWizard.init(SetupWizard.java:174)
at jenkins.install.InstallState$InitialSecuritySetup.initializeState(InstallState.java:142)
at jenkins.model.Jenkins.setInstallState(Jenkins.java:1033)
at jenkins.install.InstallUtil.proceedToNextStateFrom(InstallUtil.java:97)
at jenkins.install.InstallState$Unknown.initializeState(InstallState.java:75)
at jenkins.model.Jenkins$17.run(Jenkins.java:3149)
at org.jvnet.hudson.reactor.TaskGraphBuilder$TaskImpl.run(TaskGraphBuilder.java:169)
at org.jvnet.hudson.reactor.Reactor.runTask(Reactor.java:296)
at jenkins.model.Jenkins$5.runTask(Jenkins.java:1062)
at org.jvnet.hudson.reactor.Reactor$2.run(Reactor.java:214)
at org.jvnet.hudson.reactor.Reactor$Node.run(Reactor.java:117)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
... 29 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 35 more
The cause is that Java cannot build a trusted certification path when it verifies the server's certificate. The commonly suggested fix is to add the certificate directly to Java's trusted certificate store (cacerts), so add it with the following steps.
As of April 28, 2018, importing the certificate of https://updates.jenkins.io/update-center.json was enough, so open that site in Chrome or another browser, display the certificate, and download it.
(To download the certificate, open the site in Chrome, click "Secure" in the URL field and select "Certificate", then drag and drop the image part of the displayed certificate into a suitable folder. You should get a file such as "updates.jenkins.io.cer".)
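# Move to the security directory of the active JDK, where the cacerts trust store lives
cd "$(/usr/libexec/java_home)/jre/lib/security"
# -alias names the entry so it can be found or removed later (the name is your choice; without it keytool uses "mykey")
sudo keytool -importcert -alias updates.jenkins.io -file "[DL path of cert]/updates.jenkins.io.cer" -keystore cacerts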
At this point you will be asked for the keystore password, so enter "changeit". (This is the default setting; search for "java default keystore password" for details.)
You should probably be able to access it now.
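Because anything imported into cacerts is trusted by every Java program using that JDK, it is worth checking the downloaded file before running keytool. The script below is an added example, not part of the original note: it compares the file's SHA-256 fingerprint with a value obtained over a separate channel and rejects unparsable or expired certificates. The function names and the throwaway self-signed certificate are constructed for the demonstration, and it assumes openssl is installed.

```shell
#!/bin/sh
# Added example: verify a downloaded certificate before importing it into cacerts.

# Emit the certificate as PEM whether the file is PEM or DER
# (a .cer dragged out of a browser on macOS is typically DER).
cert_to_pem() {
    openssl x509 -inform PEM -in "$1" 2>/dev/null ||
        openssl x509 -inform DER -in "$1" 2>/dev/null
}

# SHA-256 fingerprint as lowercase hex without colons.
cert_sha256() {
    fp=$(cert_to_pem "$1" | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    printf '%s\n' "${fp#*=}" | tr -d ':' | tr 'A-F' 'a-f'
}

# Return 0 only if the file is a certificate, matches the expected
# fingerprint, and has not expired; 1 = mismatch, 2 = unparsable, 3 = expired.
safe_to_import() {
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    actual=$(cert_sha256 "$1") || { echo "not a certificate: $1" >&2; return 2; }
    [ "$actual" = "$expected" ] || { echo "fingerprint mismatch: $actual" >&2; return 1; }
    cert_to_pem "$1" | openssl x509 -noout -checkend 0 >/dev/null || return 3
}

# Constructed sample input: a throwaway self-signed certificate, as PEM and DER.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=sample.invalid" \
        -keyout "$1/key.pem" -out "$1/sample.pem" 2>/dev/null &&
        openssl x509 -in "$1/sample.pem" -outform DER -out "$1/sample.cer"
}

demo() {
    dir=$(mktemp -d) && make_sample_cert "$dir" || return 1
    known=$(cert_sha256 "$dir/sample.pem")   # stands in for the out-of-band value
    if safe_to_import "$dir/sample.cer" "$known"; then
        echo "fingerprint verified: $known"
        # Only at this point would the keytool -importcert step be run.
    fi
    rm -rf "$dir"
}
demo
```

For the real file, pass the path of the downloaded .cer and the fingerprint you obtained independently to safe_to_import, and run the keytool import only when it returns 0.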