As I continue to publish Maven, Git and Jenkins tutorials as part of TechTarget’s coverage of popular DevOps tools, occasionally as I work on examples I run into peculiar problems that are both difficult to diagnose and frustrating to fix. The random and annoying SunCertPathBuilderException Jenkins plugin download error is just one of the many such problems that comes to mind. I’m not sure why plugins regularly become a source of consternation, be it a Jenkins plugin or a Maven plugin, but plugins are routinely problematic.
The SunCertPathBuilderException stacktrace
The stacktrace for the Jenkins SunCertPathBuilderException error looks something like this:
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
To quickly fix the SunCertPathBuilderException Jenkins plugin download problem, change the update site’s protocol prefix from https to http.
Fighting the PKIX valid cert error
I’m not exactly sure what triggers the SunCertPathBuilderException when one attempts to download Jenkins plugins. Sometimes a machine with a fresh installation of the JDK and Jenkins can access the Jenkins plugins download page without triggering the error. Other times a fresh installation of Jenkins and the JDK runs into it. Maybe some incremental versions of the JDK or the embedded Jetty web server are more persnickety than others?
Sometimes I think the SunCertPathBuilderException error is related to the use of a virtual machine or a particular operating system, but the problem happens so randomly, regardless of whether I run a virtual Ubuntu box or local Windows installation, I can’t figure out exactly what the Jenkins SunCertPathBuilderException issue is.
Fix the Jenkins plugin problem with certs
If you dig though the forums, you’ll find two commonly recommended solutions. The first, which is both the most onerous and the most technically correct is to update the security certificate catalog used by the embedded Jetty web container and the underlying JDK. I might advocate this particular SunCertPathBuilderException solution if I worked at a bank, but it’s a load of work, and if you just need to install Jenkins locally in order to learn the tool and do some Jenkins tutorials, it’s overkill.
The Skip Certificate Check plugin
The second popular option to fix the SunCertPathBuilderException Jenkins plugin download problem is to install the Skip Certificate Check plugin. Jenkins creator Kohsuke Kawaguchi has created a lightweight add-on that tells the underlying JVM to bypass all security certificate checks. I’ve used this SunCertPathBuilderException solution myself, and it’s a good one. Originally I thought I’d run into the paradoxical problem of trying to install a Jenkins plugin that addresses the issue of not being able to install Jenkins plugins, but it would appear that this add-on is bundled with the tool. This solution gets a thumbs up from me, but there’s actually a much simpler solution to the SunCertPathBuilderException problem.
The SunCertPathBuilderException fix
The fastest SunCertPathBuilderException fix is to change the protocol of the Jenkins update site from https to http. Since it’s the secure socket layer communication that causes the problem, if you don’t use SSL, the problem goes away.
To change the Jenkins plugin download URL, go to the advanced tab of the Jenkins plugin manager and scroll down to the edit box for the Jenkins update site URL. Remove the ‘s’ in ‘https’, submit the change and then resume your search for Jenkins plugins. The download catalog will be easily accessed, and subsequent steps involved in the download of components such as the Jenkins Git plugin or the Jenkins Maven plugin will proceed without issue.