Jenkins Kubernetes agents fail handshake with master.

Sun, 08 Apr 2018 14:21:41 -0700 

I've got Jenkins running on an instance on Google Compute Engine. I've got 
a Kubernetes cluster set up on GKE to run agents on. I followed the steps 
here:  
https://cloud.google.com/solutions/configuring-jenkins-kubernetes-engin 
<https://cloud.google.com/solutions/configuring-jenkins-kubernetes-engine> The 
master successfully creates pods, but the SSL handshake always fails with 
this error:

Error in provisioning; agent=KubernetesSlave name: jenkins-t4lpw, 
template=PodTemplate{inheritFrom='', name='jenkins', namespace='', 
instanceCap=5, label='debian-8', nodeSelector='', nodeUsageMode=NORMAL, 
workspaceVolume=org.csanchez.jenkins.plugins.kubernetes.volumes.workspace.EmptyDirWorkspaceVolume@22c413cb,
 containers=[ContainerTemplate{name='build-agent', image='jenkins/jnlp-slave', 
workingDir='/home/jenkins', command='/bin/sh -c', args='cat', ttyEnabled=true, 
resourceRequestCpu='', resourceRequestMemory='', resourceLimitCpu='', 
resourceLimitMemory='', 
livenessProbe=org.csanchez.jenkins.plugins.kubernetes.ContainerLivenessProbe@76480942}]}.
 Container jnlp exited with error 255. Logs:       at 
sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at 
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
        at 
sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
        at 
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
        at 
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
        at 
sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
        at 
sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
        at 
sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at 
sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)
        at 
org.jenkinsci.remoting.engine.JnlpAgentEndpointResolver.resolve(JnlpAgentEndpointResolver.java:189)
        ... 2 more
Caused by: sun.security.validator.ValidatorException: PKIX path building 
failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to 
find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
        at 
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at 
sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at 
sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
        at 
sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
        at 
sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
        ... 13 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable 
to find valid certification path to requested target
        at 
sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at 
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
        ... 19 more


I know the SSL cert used by my master is valid, so I don't know what the 
issue is. I've tried using a local IP and providing a cert signed by my own 
CA, then making a new image off of 
gcr.io/cloud-solutions-images/jenkins-k8s-slave:v4 that imports the CA into 
the jave keystore, but I still get the same error.

Is there any way to pass the  --httpsKeyStore argument to Jenkins agents 
that are run on GKE? If that isn't the problem, where should I look in my 
config?

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-users/6c9bc8b9-731b-4fcb-8eb1-c0e8f4973b52%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to