SSL issue

Answered

 Hi,

 

I'm running TeamCity Professional 9.1.4 (build 37293).

 

I'm using a valid Godaddy certificate with this configuration in "server.xml" file -

<Connector port="443"

   protocol="HTTP/1.1"

   SSLEnabled="true"

   scheme="https"

   secure="true"

   clientAuth="false"

   sslProtocol="TLS"

   keystoreFile="C:\TeamCity\conf\XXX.pfx"

   keystorePass="password"

   keystoreType="PKCS12"

   maxThreads="150"

   address="X.X.X.X"

    />

 

All is working as expected until I wanted to replace the certificate.

The certificate will be expired soon, so I have replaced the "keystoreFile" with a new PFX file, and the agent stopped to communicate with the TeamCity server.

 

WARN - buildServer.AGENT.registration - Failed to resolve server communication protocol. Will try all protocols: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (enable debug to see stacktrace)

 

Please advise.

Thanks!

Ido

0
20 comments

When you connect to TeamCity server from the browser, does it show any warnings about this certificate?

0

Hi Pavel,

 

Thank you for the follow up.

No, there are no warnings about the new certificate.

 

Ido

0

This error means that agent cannot verify certificate provided by the server. If browser does not show any warnings, maybe Java which runs this agent is outdated and does not know about CA who signed this certificate. I'd try to run agent using a more recent JVM to see if it helps. See also: https://confluence.jetbrains.com/display/TCD10/Setting+up+and+Running+Additional+Build+Agents#SettingupandRunningAdditionalBuildAgents-ConfiguringJava

0

It's not sure that I understand your recommendation, Can you please elaborate?

 

By the way, the agent is installed on a different server (not in TeamCity server) and I tried to install the agent on another server and it's still not working.

 

0

My recommendation is to update JVM which is used to run agent to a more recent version. Chances are it will help.

0

I have upgraded JAVA Oracle to the latest version (JAVA 8 update 111 64-bit) on the agent windows machine.

It's still not working.

 

0

And agent is now running under this Java?

0

I don't know.

How can I check this?

0

You can see version of JVM in teamcity-agent.log, when agent starts it prints something like this:

[2016-11-14 05:41:36,210]   INFO - s.buildServer.agent.AgentMain2 - TeamCity Build Agent 10.0.4 EAP (build 42441), OS: Windows 7, User: builduser, Java: 1.8.0_65, Java HotSpot(TM) 64-Bit Server VM (25.65-b01, mixed mode), Java(TM) SE Runtime Environment (1.8.0_65-b17), Oracle Corporation, JVM parameters: -ea -Xmx512m -XX:+HeapDumpOnOutOfMemoryError -Xrs -Dlog4j.configuration=file:../conf/teamcity-agent-log4j.xml -Dteamcity_logs=../logs/ 
0

It looks like that TeamCity agent is not running under this java.

 

TeamCity Build Agent 9.1.4 (build 37293), OS: Windows Server 2012, User: teamcity_service, JRE: 1.8.0_66, Java HotSpot(TM) Client VM (32 bit) (25.66-b17, mixed mode), Java(TM) SE Runtime Environment (1.8.0_66-b17), Oracle Corporation, JVM parameters: -ea -Xmx512m -XX:+HeapDumpOnOutOfMemoryError -Xrs -Dlog4j.configuration=file:../conf/teamcity-agent-log4j.xml -Dteamcity_logs=../logs/

 

How can I update TeamCity agent JAVA?

 

0

I have configured the agent - env.TEAMCITY_JRE=C\:\\Program Files (x86)\\Java\\jre1.8.0_111

But the agent is still using 1.8.0_66

TeamCity Build Agent 9.1.4 (build 37293), OS: Windows Server 2012, User: teamcity_service, JRE: 1.8.0_66, Java HotSpot(TM) Client VM (32 bit) (25.66-b17, mixed mode), Java(TM) SE Runtime Environment (1.8.0_66-b17), Oracle Corporation, JVM parameters: -ea -Xmx512m -XX:+HeapDumpOnOutOfMemoryError -Xrs -Dlog4j.configuration=file:../conf/teamcity-agent-log4j.xml -Dteamcity_logs=../logs/

 

Please advise.

0

Hi,

 

Is there any update?

Thanks!

Ido

0

Hello.

It seems that TeamCity documentation needs change about this. We will fix it soon.

At the moment to change Java version for Agent service please:

- stop Build Agent Service;

- replace buildAgent\jre folder contents with the contents of newer java (C:\Program Files (x86)\Java\jre1.8.0_111);

- start Build Agent service.

1

Ok, I was able to update Java, but the is issue was not resolved.

I get the same SSL error.

 

0

If you have curl utility on agent machine, please try running this command:

curl -iv <TeamCity server URL>

If everything is ok, it should retrieve HTML page from the server. Otherwise some SSL specific errors can be shown.

0

I'm getting an error, please advise.

 

C:\Users\ido>curl -iv https://tc.X.com
* Rebuilt URL to: https://tc.X.com/
* timeout on name lookup is not supported
*   Trying Y...
* Connected to tc.X.com (Y) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:\Users\ido\AppData\Local\Apps\cURL\bin\curl-ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

0

Hi,

Can you please advise?

Thanks!

Ido

0

At this point, I don't see how this problem is related to TeamCity. As you can see curl also has problems connecting to server, so my bet is that certificate is invalid.I don't know why browser works, maybe it showed warning for the first time, but then this warning was suppressed.

So at this point it looks like you need to contact your system administrators and find out what is wrong with certificate.

0

Not sure if it is current, but I had a similar issue and I had to add all certs in the certification path (except the server cert itself) to a Build Agent cacerts keystore.

0

Please sign in to leave a comment.