Searching the above-mentioned stack trace reveals lots and lots of results, unsurprisingly. Most results are workarounds where you modify the code, but what about if an application (like Jenkins/Hudson CI, in my case) throws this error at you? The reason the error is occurring is because the SSL certificate of the target you’re connecting to isn’t considered valid by your Java instance’s keystore. This may be because the certificate itself is invalid, or, in my case, the CA chain couldn’t be validated (my OS is RHEL (Red Hat) 5.7, with OpenJDK 1.6). For completeness, I should also mention that the issue here arose when I asked Jenkins CI to use GitHub OAuth. As GitHub’s SSL certificate has been signed by DigiCert, and this isn’t included within RHEL 5.7, the error arises. A solution is, assuming you trust the cert or the CA, to add the relevant certificates/root certificates to your Java keystore.
To do so, get your relevant certificates/root certificates, locate your keystore, and add them accordingly:
wget https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt wget https://www.digicert.com/testroot/DigiCertHighAssuranceEVRootCA.crt keytool -importcert -storepass changeit -keystore /etc/alternatives/java_sdk/jre/lib/security/cacerts -alias digicertevrootca -file DigiCertHighAssuranceEVRootCA.crt keytool -importcert -storepass changeit -keystore /etc/alternatives/java_sdk/jre/lib/security/cacerts -alias digicertevca1 -file DigiCertHighAssuranceEVCA-1.crt
This resolved the issue for me and GitHub OAuth completed successfully. If you’re having issues with just a single certificate, then just import that one certificate.
For the interested Googlers, here’s what the relevant chunk of stacktrace looked like:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:371) at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390) at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148) at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149) at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121) at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:562) at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415) at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820) at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754) at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:732) at org.jenkinsci.plugins.GithubSecurityRealm.doFinishLogin(GithubSecurityRealm.java:278)
This fantastic post set me on the right track.
Go Top
comments powered by Disqus