SSL issue

Answered

Hi,

I'm running TeamCity Professional 9.1.4 (build 37293).

I'm using a valid GoDaddy certificate with this configuration in the "server.xml" file:

<Connector port="443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="C:\TeamCity\conf\XXX.pfx"
           keystorePass="password"
           keystoreType="PKCS12"
           maxThreads="150"
           address="X.X.X.X"
           />

 

All was working as expected until I wanted to replace the certificate.

The certificate will expire soon, so I replaced the "keystoreFile" with a new PFX file, and the agent stopped communicating with the TeamCity server.

 

WARN - buildServer.AGENT.registration - Failed to resolve server communication protocol. Will try all protocols: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (enable debug to see stacktrace)

 

Please advise.

Thanks!

Ido

20 comments

When you connect to TeamCity server from the browser, does it show any warnings about this certificate?


Hi Pavel,

 

Thank you for the follow up.

No, there are no warnings about the new certificate.

 

Ido


This error means that the agent cannot verify the certificate provided by the server. If the browser does not show any warnings, maybe the Java that runs this agent is outdated and does not know about the CA that signed this certificate. I'd try running the agent using a more recent JVM to see if it helps. See also: https://confluence.jetbrains.com/display/TCD10/Setting+up+and+Running+Additional+Build+Agents#SettingupandRunningAdditionalBuildAgents-ConfiguringJava


I'm not sure that I understand your recommendation. Can you please elaborate?

By the way, the agent is installed on a different server (not on the TeamCity server), and I tried to install the agent on another server and it's still not working.

 


My recommendation is to update the JVM which is used to run the agent to a more recent version. Chances are it will help.


I have upgraded Oracle Java to the latest version (Java 8 Update 111, 64-bit) on the agent Windows machine.

It's still not working.

 


And is the agent now running under this Java?


I don't know.

How can I check this?


You can see the version of the JVM in teamcity-agent.log; when the agent starts it prints something like this:

[2016-11-14 05:41:36,210]   INFO - s.buildServer.agent.AgentMain2 - TeamCity Build Agent 10.0.4 EAP (build 42441), OS: Windows 7, User: builduser, Java: 1.8.0_65, Java HotSpot(TM) 64-Bit Server VM (25.65-b01, mixed mode), Java(TM) SE Runtime Environment (1.8.0_65-b17), Oracle Corporation, JVM parameters: -ea -Xmx512m -XX:+HeapDumpOnOutOfMemoryError -Xrs -Dlog4j.configuration=file:../conf/teamcity-agent-log4j.xml -Dteamcity_logs=../logs/ 

It looks like the TeamCity agent is not running under this Java.

 

TeamCity Build Agent 9.1.4 (build 37293), OS: Windows Server 2012, User: teamcity_service, JRE: 1.8.0_66, Java HotSpot(TM) Client VM (32 bit) (25.66-b17, mixed mode), Java(TM) SE Runtime Environment (1.8.0_66-b17), Oracle Corporation, JVM parameters: -ea -Xmx512m -XX:+HeapDumpOnOutOfMemoryError -Xrs -Dlog4j.configuration=file:../conf/teamcity-agent-log4j.xml -Dteamcity_logs=../logs/

 

How can I update the TeamCity agent's Java?

 


I have configured the agent with env.TEAMCITY_JRE=C\:\\Program Files (x86)\\Java\\jre1.8.0_111

But the agent is still using 1.8.0_66:

TeamCity Build Agent 9.1.4 (build 37293), OS: Windows Server 2012, User: teamcity_service, JRE: 1.8.0_66, Java HotSpot(TM) Client VM (32 bit) (25.66-b17, mixed mode), Java(TM) SE Runtime Environment (1.8.0_66-b17), Oracle Corporation, JVM parameters: -ea -Xmx512m -XX:+HeapDumpOnOutOfMemoryError -Xrs -Dlog4j.configuration=file:../conf/teamcity-agent-log4j.xml -Dteamcity_logs=../logs/

 

Please advise.


Hi,

 

Is there any update?

Thanks!

Ido


Hello.

It seems that the TeamCity documentation needs a change about this. We will fix it soon.

At the moment to change Java version for Agent service please:

- stop Build Agent Service;

- replace the buildAgent\jre folder contents with the contents of the newer Java (C:\Program Files (x86)\Java\jre1.8.0_111);

- start Build Agent service.


OK, I was able to update Java, but the issue was not resolved.

I get the same SSL error.

 


If you have the curl utility on the agent machine, please try running this command:

curl -iv <TeamCity server URL>

If everything is OK, it should retrieve the HTML page from the server. Otherwise some SSL-specific errors will be shown.


I'm getting an error. Please advise.

 

C:\Users\ido>curl -iv https://tc.X.com
* Rebuilt URL to: https://tc.X.com/
* timeout on name lookup is not supported
*   Trying Y...
* Connected to tc.X.com (Y) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: C:\Users\ido\AppData\Local\Apps\cURL\bin\curl-ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.


Hi,

Can you please advise?

Thanks!

Ido


At this point, I don't see how this problem is related to TeamCity. As you can see, curl also has problems connecting to the server, so my bet is that the certificate is invalid. I don't know why the browser works; maybe it showed a warning the first time, but then this warning was suppressed.

So at this point it looks like you need to contact your system administrators and find out what is wrong with the certificate.


Not sure if it is current, but I had a similar issue and I had to add all certs in the certification path (except the server cert itself) to the Build Agent's cacerts keystore.

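Two things in this thread fit together: curl's "unable to get local issuer certificate" against the renewed certificate, and the last comment's workaround of importing the certification path into the agent's cacerts. The most common cause of that curl error with a publicly trusted certificate is a server that presents only its own certificate, without the intermediate CA that links it to the root in the client's trust store; a PFX exported with the leaf alone produces exactly that. The script below is an added example, not code from the thread or from JetBrains. It rebuilds the situation with a throw-away root, intermediate and leaf generated by the openssl CLI (assumed to be on PATH), exports the leaf key once without and once with the intermediate, and replays what a client that trusts only the root sees in each case. The hostnames, CA names and the password are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from JetBrains. It rebuilds the
# situation in the thread with a throw-away CA hierarchy: the client (the Java
# agent, curl) trusts only the root CA, the server must send the intermediate
# along with its own certificate, and a PFX that holds only the leaf cannot.
# Assumes the openssl CLI is on PATH; all names and the password are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PFX_PASS=password    # constructed; plays the role of keystorePass in server.xml

# Build root -> intermediate -> leaf, the shape of a public CA hierarchy such as
# GoDaddy's, and export the leaf key twice: without and with the intermediate.
build_test_chain() (
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:tc.example.com\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj '/CN=Example Root CA' 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
    -out root.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj '/CN=Example Intermediate CA' 2>/dev/null
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out int.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj '/CN=tc.example.com' 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 2 -extfile leaf.ext -out leaf.crt 2>/dev/null
  # What a renewed certificate often arrives as: the leaf and its key only.
  openssl pkcs12 -export -inkey leaf.key -in leaf.crt \
    -out leaf-only.pfx -passout "pass:$PFX_PASS"
  # What the connector needs: the same entry plus the intermediate.
  openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile int.crt \
    -out full-chain.pfx -passout "pass:$PFX_PASS"
)

# How many certificates a PFX carries. 1 means the leaf only, which is the
# keystore that makes the agent fail; 2 or more means the chain is included.
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Replay the handshake the agent sees: the server sends every certificate
# stored in the PFX, and the client verifies the leaf against a trust store
# holding only the root (what a Java cacerts or curl CA bundle holds for a
# public CA). Prints "OK" or "FAIL: <reason>"; for the leaf-only PFX the
# reason is the same text curl printed in the thread.
verify_served_from_pfx() {
  served="$WORK/served.pem"
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null > "$served"
  if out=$(openssl verify -CAfile "$WORK/root.crt" -untrusted "$served" "$WORK/leaf.crt" 2>&1); then
    echo OK
  else
    echo "FAIL: $(printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1)"
  fi
}

build_test_chain
for pfx in leaf-only.pfx full-chain.pfx; do
  printf '%s: %s certificate(s) -> %s\n' "$pfx" \
    "$(pfx_cert_count "$WORK/$pfx")" "$(verify_served_from_pfx "$WORK/$pfx")"
done
```

Against a live server the equivalent check is `openssl s_client -connect tc.X.com:443 -showcerts` (curl's `-v` output above prints only the handshake steps, not the chain): if its output contains a single BEGIN CERTIFICATE block, the PFX behind keystoreFile lacks the intermediate and should be re-exported with `-certfile`, since Tomcat's JSSE connector sends the chain stored with the key entry. The workaround in the last comment, importing the intermediate with `keytool -importcert` into the agent JRE's lib/security/cacerts, only fixes that one agent, and it has to be repeated for every agent and again whenever the buildAgent\jre folder is replaced as described above. It also explains why the browser never complained: the Windows certificate store fetches a missing intermediate from the URL in the certificate's Authority Information Access extension, while Java's default path builder and curl's OpenSSL build do not.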