PKIX path building failed. Unable to connect to Azure DevOps Git Repo using HTTPS

I am a TeamCity newbie.  Have inherited this project from developers that have since left the company.

The last build was performed in November 2022 and when I try now I get this error:
List remote refs failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I think it is TLS 1.2 related but not sure if there is a setting I can change on the build server.

SSH connection to Git shows connection success but then the git fetch fails so a build cannot progress.

TeamCity version is 9.1.7 which I realize is way out of date but I don't know enough to upgrade that right now.

I think the SSH issue is a known bug.  So I'd like to get the HTTPS connection working if possible.


Using SSLPoke (found here https://matthewdavis111.com/java/poke-ssl-test-java-certs/) the connection to dev.azure.com on port 443 says Successfully connected

Hi Jason,

since you are using TeamCity 9.1.7, chances are your JVM is also very, very old. Without replacing TeamCity, you could try to replace the JVM and that might be enough. Alternatively, your network infrastructure might intercept the connection and require an intermediate certificate. Please keep in mind that TeamCity 9 being so old, you are probably better off using one of the last versions of Java 8 rather than trying to jump to a newer one.

Upgrading should be reasonably simple but requiring an old jump would probably be better after testing it in a test environment. You can use the free professional edition for that, following the steps here on a copy of your production server: https://www.jetbrains.com/help/teamcity/upgrading-teamcity-server-and-agents.html

When I check the java version it says Version 8 Update 381 (build 1.8.0_381-b09).  I think that is the latest one.  Or am I looking in the wrong place?


When I look in
“C:\ci\TeamCity\jre” the release file says 1.8.0_66 
“C:\ci\BuildAgents\BuildAgent<#>\jre” the release file says 1.8.0_192
 


I did this:
-set environment variable JRE_HOME = C:\Program Files\Java\jre-1.8
-stop teamCity service
-rename old folder
--C:\ci\TeamCity\jre --> C:\ci\TeamCity\jre-original
-start teamCity service

update build agent jre
-stop all three build agent services
-rename C:\ci\BuildAgents\BuildAgent<#>\jre to C:\ci\BuildAgents\BuildAgent<#>\jre-original
-copy contents of C:\Program Files\Java\jre-1.8 to new jre folder in each agent
-start the services

And now the VCS Roots show they can connect using HTTPS and the user name and password I supplied.


Now I don't see any changes since Jan 18 2023 in the pending changes but doing a new build seems to pull down the latest files.


Pushed a new change to branch and that shows up.  Not sure why the intervening changes don't show.

Hi Jason,

the PKIX error is now fixed, right? It does seem like it was an issue with a too old version of the JVM for that.

With regards to the pending changes, TeamCity collects those and stores them into the database. This should not be impacted by a change in the JVM. If there are changes to the VCS root itself, then TeamCity might detach the changes from the VCS root if it deems them to not be a part of the new settings. New changes should be picked up as soon as they are being tracked correctly. Is there any remaining issue?

Yes the PKIX issue is resolved.

The latest code does get pulled and new changes are being listed correctly.

Thanks for your help.
