Teamcity can't check for new updates
Hi,
I updated our Teamcity server on 20th of February to the latest version: 2025.11.3 Build 208117
Today I wanted to check something in the administration and recognized on the update section following error message:
Unable to check for updates via URL "https://www.jetbrains.com/teamcity/update.xml": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (see details in teamcity-server.log).
Having a look in the log file did not provide more or helpfull information to me.
Searching for this type of error (PKIX path building failed) reveals only topics trying to connect something to/with teamcity and user/customer needs to add some certificates to the java certificate store. None of these relates to the update mechanism of Teamcity itself. I also don't remember that I ever had to add some certificates somewhere manually to have a working update check.
The server where teamcity runs is definitely unchanged since the last update.
So what is the problem and how can it be resolved? I can't determine the time since that problem occurs, because the server log is currently spammed with entries and the files just date back for some hours.
Best regards
Daniel
Please sign in to leave a comment.
Hi,
further analysis showed that it was an firewall issue so the update url was not accessible for the server. In that I case I was expecting some error stating that the url is not reachable or a timeout or something like that, so the logged issue about PKIX path building was a bit misleading in our case.
Best regards
Daniel
Hi Daniel,
Thank you for reaching out.
The error
usually indicates that the JVM used by the TeamCity server does not trust the certificate chain presented when accessing: https://www.jetbrains.com/teamcity/update.xml
In most cases, this is related to SSL/TLS inspection or certificate replacement by a proxy, firewall, or other network security device, rather than to TeamCity’s update mechanism itself.
Could you please confirm whether HTTPS traffic from the TeamCity server is being terminated, inspected, or rewritten by a corporate proxy/firewall?
If a corporate TLS proxy is used, please export its root or intermediate CA certificate in Base64 .cer format and import it into the JRE truststore used by TeamCity.
You can do this with a command like:
The default password for the truststore is usually:
changeitAfter importing the certificate, please restart the TeamCity server and re-test the Updates page.
If the PKIX error still persists after that, please send us an updated excerpt from teamcity-server.log around the failed request to update.xml, and we’ll be happy to investigate further.
Thank you for the update and for sharing the findings.
If the firewall was blocking access to https://www.jetbrains.com/teamcity/update.xml, then TeamCity was unable to complete the HTTPS connection required for the update check. In some network configurations, especially when a firewall or proxy intercepts or partially processes HTTPS traffic, the connection may fail during the TLS handshake stage rather than producing a simple “host unreachable” or timeout error. In such cases, the JVM reports a certificate validation problem, which results in the PKIX path building failed message you saw.
We understand that this message can be somewhat misleading when the underlying cause is actually a network restriction rather than a certificate issue.
If you encounter similar issues in the future, it can be helpful to verify connectivity from the TeamCity server host directly (for example using curl or OpenSSL) to confirm that the update endpoint is reachable and that the TLS handshake completes successfully.