Teamcity agent doesn't validate HTTPS teamcity server Follow
I have a large number (~100) of build agents connecting to a server which I have recently configured with SSL. For almost all of them adding the servers certificate in teamcity/conf/trustedCertificates is good enough to validate the certificate and connect.
However, I have one machine, which is a raspberry pi running Raspian 8, it's giving me this error:
[2021-02-08 16:11:25,101] WARN - buildServer.AGENT.registration - Error while asking server for the communication protocols via URL https://teamcity.apama.com/app/agents/protocols. Will try later: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (enable debug to see stacktrace)
[2021-02-08 16:11:25,102] WARN - buildServer.AGENT.registration - Error registering on the server via URL https://teamcity.apama.com. Will continue repeating connection attempts.
The conf directory is stored in SVN and it's both up to date on this machine, and identical to one of the other 8 identically configured Raspberry PIs also running teamcity agents which are connecting just fine.
I also followed the other suggestions from related threads and attempted to configure the standard Java trust store with the root cert signing this server's certificate and with specifying the location and password to the cacerts trust store in buildAgent.properties. All to no avail.
I've tried enabling DEBUG-level logging, but the stack trace doesn't contain any more interesting messages than the one produced at WARN.
Please let me know if you have any other suggestions, this is a PRODUCTION DOWN issue.
Please sign in to leave a comment.
As you've correctly identified, the error you're seeing does indicate an issue with the certificate on your agent being able to be verified. I'm not sure why it would work on one version of Raspian versus another, since it really is a JRE thing. If I may, I'd like to collect some information from you in regards to the build agent configuration used in this case.
Yeah, this was solved on a support ticket. It had fallen back to the platform JRE silently because the one I had configured got corrupted in some way. I don't know why this caused it not to validate the certificate (it was in the agent home after all), but after reinstalling the JRE we were using it's working again. Thanks,
Thanks for following up with me anyway, I'm glad to hear you were able to get it working.