Build Agent can't connect

Answered

My TeamCity installation has been running without problems for months.

Now, I have changed the SSL certificate of the TeamCity server and - since then? - the Build Agent - which is running on a different machine - no longer connects to the Server.

I am getting this error:

[2016-05-10 14:24:13,745] WARN - buildServer.AGENT.registration - Failed to resolve server communication protocol. Will try all protocols: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (enable debug to see stacktrace)

 

I have tried importing the certificate into the truststore but it didn't help. I also tried to change back to the old SSL certificate, but this doesn't resolve the problem either, which I find puzzling.

I have tested the SSLPoke class (https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html) and it successfully connects.

I am at a loss here and I am looking for help - this is a production system and this issue prevents me from shipping new versions to my clients. Any quick help is highly appreciated.

Thanks, Daniel

10 comments
Comment actions Permalink

Hi Daniel,

Sorry for delay in replying. Did you configure the JVM installation used by the agent for authentication with server certificate? Please follow the instructions from the section.

 
1
Comment actions Permalink

I just want to double check that you follow all the steps from the proposed guidelines. I have only two options in mind:

1. Some of the parameters were not passed to the JVM or were configured incorrectly:

-Djavax.net.ssl.keyStore=<path to keystore file>
-Djavax.net.ssl.keyStorePassword=<keystore password>
-Djavax.net.ssl.trustStore=<path to trust keystore file>
-Djavax.net.ssl.trustStorePassword=<trust keystore password>

Please double check it.

2. The JVM used to start the agent is not the same as was configured. Please double check it also.

1
Comment actions Permalink

As you can read from the description of my problem, I did that. Also, I even reverted back to the certificate that used to work, so it shouldn't even be necessary to do this. Also, the JVM can actually connect without problems as is shown by the SSLPoke class.

0
Comment actions Permalink

I was having the same trouble after importing the certificate.  Adding javax.net.ssl.keyStore{Password} properties to my buildAgent.properties file fixed me up.  Thanks!

0
Comment actions Permalink

Bdusek : -  How does your buildAgent.properties looks like ?

 

Alina Mishina  We are hitting this issue in our environment. 

 

We have recently added our TeamCity server to run on https://<server-name:8443, and build agents are complaining  like this 

 

[2020-02-26 05:55:06,945] WARN - buildServer.AGENT.registration - Error while asking server for the communication protocols via URL https://server-name:8443/app/agents/protocols. Will try later: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (enable debug to see stacktrace)

 

Our setup is as below 

 

TeamCity Enterprise 2019.2.1 (build 71758)

Agent  is running as docker container. 

 

[2020-02-26 05:54:53,153] INFO - s.buildServer.agent.AgentMain2 - ===========================================================
[2020-02-26 05:54:53,171] INFO - s.buildServer.agent.AgentMain2 - TeamCity Build Agent 2019.2 (build 71499)
[2020-02-26 05:54:53,187] INFO - s.buildServer.agent.AgentMain2 - OS: Linux, version 4.1.12-124.26.3.el7uek.x86_64, amd64, Current user: root, Time zone: UTC
[2020-02-26 05:54:53,189] INFO - s.buildServer.agent.AgentMain2 - Java: 1.8.0_232, OpenJDK 64-Bit Server VM (25.232-b09, mixed mode), OpenJDK Runtime Environment (1.8.0_232-b09), Amazon.com Inc.; JVM parameters: -ea -Xmx384m -Dteamcity_logs=../logs/

 

Can you please help ?

0
Comment actions Permalink

Hi Sharmaprakash1,

Are you able to connect to your server using SSLPoke?
Have you tried to manually install the key into the agent JVM keystore?
Have you tried saving the server's certificate in one of the supported formats (e.g. .der) and putting the file into the agent's /conf/trustedCertificates directory?

-Anatoly

0
Comment actions Permalink

Are you able to connect to your server using SSLPoke?

>>I am trying to connect from docker agent, and SSLPoke doesnt come in the container. 

 

Have you tried to manually install the key into the agent JVM keystore?

>>Yes I have tried installing keys manually and it does work after that , but I have to restart the container , and if I delete this container and rebuild a new one , it will not have these keys , so will have to do manuallly importing again. 

 

Have you tried saving the server's certificate in one of the supported formats (e.g. .der) and putting the file into the agent's /conf/trustedCertificates directory?

>> This is something I want to try , but i didnt find much documentation around this. Is it just putting certificate there and rebuild the image ? or do I have to change any parameters in buildAgent.properties ??

0
Comment actions Permalink

Keeping certificate file in~/conf/trustedCertificates didnt help.

 

This is what I did. 

 

openssl x509 -in /data/teamcity_agent/conf/trustedCertificates/sicklefin.cer -out /data/teamcity_agent/conf/trustedCertificates/sicklefin.pem

openssl x509 -outform der -in /data/teamcity_agent/conf/trustedCertificates/sicklefin.pem -out /data/teamcity_agent/conf/trustedCertificates/sicklefin.der

 

And i am still getting this error

 

[2020-03-19 15:35:42,507] INFO - buildServer.AGENT.registration - Registering on server via URL "https://oceanic.internal.example.com:8443": AgentDetails{Name='linuxbuil_teamcity_cont_tope', AgentId=null, BuildId=null, AgentOwnAddress='null', AlternativeAddresses=[192.168.17.2], Port=9090, Version='71499', PluginsVersion='71923-md5-06907965efbc49fc5cb95935a8bd5f53', AvailableRunners=[Ant, cargo-deploy-runner, checkmarx, DockerCommand, DockerCompose, dotnet.cli, Duplicator, ftp-deploy-runner, gradle-runner, Inspection, jb.nuget.installer, jb.nuget.pack, jb.nuget.publish, jetbrains.dotNetGenericRunner, jetbrains_powershell, JPS, Maven2, MSBuild, NAnt, NUnit, octopus.create.release, octopus.deploy.release, octopus.metadata, octopus.pack.package, octopus.promote.release, octopus.push.package, rake-runner, SBT, simpleRunner, sln2003, smb-deploy-runner, snykSecurity, sonar-plugin, sonar-qube-msbuild, sonar-qube-msbuild-finish, ssh-deploy-runner, ssh-exec-runner, VS.Solution, xUnitRunner], AvailableVcs=[tfs, cvs, jetbrains.git, mercurial, svn, perforce], AuthorizationToken='3a7107ffc631422e4209ddd969763e47', PingCode='0TtKjtj64j7ErQFMEp5Yx765EY9rtGp5'}
[2020-03-19 15:35:42,627] WARN - buildServer.AGENT.registration - Error while asking server for the communication protocols via URL https://oceanic.internal.example.com:8443/app/agents/protocols. Will try later: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (enable debug to see stacktrace)
[2020-03-19 15:35:42,628] WARN - buildServer.AGENT.registration - Error registering on the server via URL https://oceanic.internal.bunnings.com.au:8443. Will continue repeating connection attempts.

0
Comment actions Permalink

If you can get it to work with a manual import, and your only concern is that new containers would also need to manually update, can't you just mount the cacerts location in the container to a folder on the host, allowing the certs to persist despite changes in container? 

0
Comment actions Permalink

Alright this is what we had to do .. 

 

1. Copy /opt/buildagent/bin/agent.sh from inside container to host ( docker host )

2. Edit the  "TEAMCITY_AGENT_OPTS_ACTUAL"  and mention your keystore file path which gets mounted inside container, in mu case it looked like this 

TEAMCITY_AGENT_OPTS_ACTUAL="$TEAMCITY_AGENT_OPTS -ea $TEAMCITY_AGENT_MEM_OPTS_ACTUAL -Dteamcity_logs=$LOG_DIR/ -Djavax.net.ssl.keyStore=/data/teamcity_agent/conf/trustedCertificates/keystore.jks -Djavax.net.ssl.trustStore=/data/teamcity_agent/conf/trustedCertificates/keystore.jks -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStorePassword=changeit"

 

3. Edit your Dockerfile and add this line 

COPY agent.sh /opt/buildagent/bin/agent.sh

4. Build the image 

5. And run the container with the above builded image

Just to verfiy , from docker host or inside container , run ps -ef | grep java and make sure java process gets started with java keystore.

 

 

 

0

Please sign in to leave a comment.