Skip to main content
Background Image
  1. Posts/

Upload artifacts failed to Artifactory from AIX

·784 words·4 mins· ·
Xianpeng Shen
Author
Xianpeng Shen

Recently my CI pipeline suddenly does not work on AIX 7.1 with error Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath..

Click to see more details about the failure log.
22:13:30  Executing command: /bin/sh -c git log --pretty=format:%s -1
22:13:36  [consumer_0] Deploying artifact: https://artifactory.company.com/artifactory/generic-int-den/myproject/PRs/PR-880/1/myproject_bin_rel_AIX_5797b20.tar.Z
22:13:36  Error occurred for request GET /artifactory/api/system/version HTTP/1.1: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
22:13:36  	java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
22:13:36  	java.security.cert.CertPathValidatorException: Certificate chaining error.
22:13:36  Error occurred for request PUT /artifactory/generic-int-den/myproject/PRs/PR-880/1/cpplinter_bin_rel_AIX_5797b20.tar.Z;build.timestamp=1693273923987;build.name=PR-880;build.number=1 HTTP/1.1: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
22:13:36  	java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
22:13:36  	java.security.cert.CertPathValidatorException: Certificate chaining error.
22:13:36  [consumer_0] An exception occurred during execution:
22:13:36  java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
22:13:36  	java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
22:13:36  	java.security.cert.CertPathValidatorException: Certificate chaining error
22:13:36  	at org.jfrog.build.extractor.clientConfiguration.util.spec.SpecDeploymentConsumer.consumerRun(SpecDeploymentConsumer.java:44)
22:13:36  	at org.jfrog.build.extractor.producerConsumer.ConsumerRunnableBase.run(ConsumerRunnableBase.java:11)
22:13:36  	at java.lang.Thread.run(Thread.java:785)
22:13:36  Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
22:13:36  	java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
22:13:36  	java.security.cert.CertPathValidatorException: Certificate chaining error
22:13:36  	at com.ibm.jsse2.j.a(j.java:3)
22:13:36  	at com.ibm.jsse2.as.a(as.java:213)
22:13:36  	at com.ibm.jsse2.C.a(C.java:339)
22:13:36  	at com.ibm.jsse2.C.a(C.java:248)
22:13:36  	at com.ibm.jsse2.D.a(D.java:291)
22:13:36  	at com.ibm.jsse2.D.a(D.java:217)
22:13:36  	at com.ibm.jsse2.C.r(C.java:373)
22:13:36  	at com.ibm.jsse2.C.a(C.java:352)
22:13:36  	at com.ibm.jsse2.as.a(as.java:752)
22:13:36  	at com.ibm.jsse2.as.i(as.java:338)
22:13:36  	at com.ibm.jsse2.as.a(as.java:711)
22:13:36  	at com.ibm.jsse2.as.startHandshake(as.java:454)
22:13:36  	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
22:13:36  	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
22:13:36  	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
22:13:36  	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376)
22:13:36  	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
22:13:36  	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
22:13:36  	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
22:13:36  	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
22:13:36  	at org.apache.http.impl.execchain.ServiceUnavailableRetryExec.execute(ServiceUnavailableRetryExec.java:85)
22:13:36  	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
22:13:36  	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
22:13:36  	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
22:13:36  	at org.jfrog.build.client.PreemptiveHttpClient.execute(PreemptiveHttpClient.java:76)
22:13:36  	at org.jfrog.build.client.PreemptiveHttpClient.execute(PreemptiveHttpClient.java:64)
22:13:36  	at org.jfrog.build.client.JFrogHttpClient.sendRequest(JFrogHttpClient.java:133)
22:13:36  	at org.jfrog.build.extractor.clientConfiguration.client.JFrogService.execute(JFrogService.java:112)
22:13:36  	at org.jfrog.build.extractor.clientConfiguration.client.artifactory.services.Upload.execute(Upload.java:77)
22:13:36  	at org.jfrog.build.extractor.clientConfiguration.client.artifactory.ArtifactoryManager.upload(ArtifactoryManager.java:267)
22:13:36  	at org.jfrog.build.extractor.clientConfiguration.client.artifactory.ArtifactoryManager.upload(ArtifactoryManager.java:262)
22:13:36  	at org.jfrog.build.extractor.clientConfiguration.util.spec.SpecDeploymentConsumer.consumerRun(SpecDeploymentConsumer.java:39)
22:13:36  	... 2 more
22:13:36  Caused by: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
22:13:36  	java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
22:13:36  	java.security.cert.CertPathValidatorException: Certificate chaining error
22:13:36  	at com.ibm.jsse2.util.f.a(f.java:107)
22:13:36  	at com.ibm.jsse2.util.f.b(f.java:143)
22:13:36  	at com.ibm.jsse2.util.e.a(e.java:6)
22:13:36  	at com.ibm.jsse2.aA.a(aA.java:99)
22:13:36  	at com.ibm.jsse2.aA.a(aA.java:112)
22:13:36  	at com.ibm.jsse2.aA.checkServerTrusted(aA.java:28)
22:13:36  	at com.ibm.jsse2.D.a(D.java:588)
22:13:36  	... 29 more
22:13:36  Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
22:13:36  	java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
22:13:36  	java.security.cert.CertPathValidatorException: Certificate chaining error
22:13:36  	at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:422)
22:13:36  	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
22:13:36  	at com.ibm.jsse2.util.f.a(f.java:120)
22:13:36  	... 35 more
22:13:36  Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
22:13:36  	java.security.cert.CertPathValidatorException: Certificate chaining error
22:13:36  	at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111)
22:13:36  	at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:199)
22:13:36  	at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:749)
22:13:36  	at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:661)
22:13:36  	at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:607)
22:13:36  	at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:368)
22:13:36  	... 37 more
22:13:36  Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error
22:13:36  	at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:316)
22:13:36  	at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:108)
22:13:36  	... 42 more
22:13:36

I have tried to download certificate.pem from my Artifactory and run this command, but the issue still there on my AIX 7.3.

/usr/java8_64/jre/bin/keytool -importcert -alias cacertalias -keystore /usr/java8_64/jre/lib/security/cacerts -file /path/to/your/certificate.pem

It investing it can not reproduce on my Windows, Linux and AIX 7.3 build machines.

What’s the different between them? the only different is Java runtime. On my problematic AIX 7.1 build machine, I used a shared runtime which is a link to path /tools/AIX-7.1/Java8_64-8.0.0.401/usr/java8_64/bin/java

bash-5.0$ /tools/AIX-7.1/Java8_64-8.0.0.401/usr/java8_64/bin/java -version
java version "1.8.0"
Java(TM) SE Runtime Environment (build pap6480sr4fp1-20170215_01(SR4 FP1))
IBM J9 VM (build 2.8, JRE 1.8.0 AIX ppc64-64 Compressed References 20170209_336038 (JIT enabled, AOT enabled)
J9VM - R28_20170209_0201_B336038
JIT  - tr.r14.java.green_20170125_131456
GC   - R28_20170209_0201_B336038_CMPRSS
J9CL - 20170209_336038)
JCL - 20170215_01 based on Oracle jdk8u121-b13

And I have anther Java runtime installed my that machine which is /usr/java8_64/bin/java

bash-5.0$ /usr/java8_64/bin/java -version
java version "1.8.0_241"
Java(TM) SE Runtime Environment (build 8.0.6.5 - pap6480sr6fp5-20200111_02(SR6 FP5))
IBM J9 VM (build 2.9, JRE 1.8.0 AIX ppc64-64-Bit Compressed References 20200108_436782 (JIT enabled, AOT enabled)
OpenJ9   - 7d1059c
OMR      - d059105
IBM      - c8aee39)
JCL - 20200110_01 based on Oracle jdk8u241-b07

Actually the versions of these two java versions are different. I just changed configuration of JavaPath from /tools/AIX-7.1/Java8_64-8.0.0.401/usr/java8_64/bin/java to /usr/java8_64/bin/java in the Jenkins node and disconnect then launch agent again, it works.

I don’t why it works, I don’t know much about Java certificate, if you know the reason please leave comments and let me know. Thank you.

Related

Resolved - The Pip Inspector tree parse failed to produce output
·455 words·1 min
This article explains how to resolve the “The Pip Inspector tree parse failed to produce output” error in Black Duck Detect, including the root cause and solution.
Resolved problem that ESlint HTML report is not displayed correctly in Jenkins job
·159 words·1 min
This article explains how to resolve the issue of ESlint HTML report not displaying correctly in Jenkins jobs due to Content Security Policy restrictions, including the steps to configure Jenkins to allow the report to load properly.
How to download the entire folder artifacts when Artifactory "Download Folder functionality is disabled"?
·371 words·1 min
This article explains how to download the entire folder artifacts from JFrog Artifactory when the “Download Folder functionality is disabled”. It provides a workaround using Artifactory REST APIs to retrieve and download artifacts programmatically.
How to fix ".NET Framework 2.0 or later is required on this computer to run a Jenkins agent as a Windows service"
·211 words·1 min
Resolve the issue of Jenkins Windows agents not connecting due to missing .NET Framework, including steps to install .NET Framework 3.5 and set up the Jenkins agent service.