Fix SunCertPathBuilderException Jenkins plugin download error

The SunCertPathBuilderException stacktrace

The stacktrace for the Jenkins SunCertPathBuilderException error looks something like this:

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: 
   unable to find valid certification path to requested target
   at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
   at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
   at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)

<tl;dr>

To quickly fix the SunCertPathBuilderException Jenkins plugin download problem, change the update site’s protocol prefix from https to http.

http://updates.jenkins.io/update-center.json

</tl;dr>

Fighting the PKIX valid cert error

I’m not exactly sure what triggers the SunCertPathBuilderException when one attempts to download Jenkins plugins. Sometimes a machine with a fresh installation of Java and the JDK and Jenkins can access the Jenkins plugins download page without triggering the error. Other times a fresh installation of Jenkins and the JDK runs into it. Maybe some incremental versions of the JDK or the embedded Jetty web server are more persnickety than others?

Sometimes I think the SunCertPathBuilderException error is related to the use of a virtual machine or a particular operating system, but the problem happens so randomly, regardless of whether I run a virtual Ubuntu box or local Windows installation, I can’t figure out exactly what the Jenkins SunCertPathBuilderException issue is.

Fix the Jenkins plugin problem with certs

If you dig though the forums, you’ll find two commonly recommended solutions. The first, which is both the most onerous and the most technically correct is to update the security certificate catalog used by the embedded Jetty web container and the underlying JDK. I might advocate this particular SunCertPathBuilderException solution if I worked at a bank, but it’s a load of work, and if you just need to install Jenkins locally in order to learn the tool and do some Jenkins tutorials, it’s overkill.

The Skip Certificate Check plugin

The second popular option to fix the SunCertPathBuilderException Jenkins plugin download problem is to install the Skip Certificate Check plugin. Jenkins creator Kohsuke Kawaguchi has created a lightweight add-on that tells the underlying JVM to bypass all security certificate checks. I’ve used this SunCertPathBuilderException solution myself, and it’s a good one. Originally I thought I’d run into the paradoxical problem of trying to install a Jenkins plugin that addresses the issue of not being able to install Jenkins plugins, but it would appear that this add-on is bundled with the tool. This solution gets a thumbs up from me, but there’s actually a much simpler solution to the SunCertPathBuilderException problem.

You can fix the SunCertPathBuilderException Jenkins plugin download error with the Skip Certificate Check plugin.

The SunCertPathBuilderException fix

The fastest SunCertPathBuilderException fix is to change the protocol of the Jenkins update site from https to http. Since it’s the secure socket layer communication that causes the problem, if you don’t use SSL, the problem goes away.

The easiest SunCertPathBuilderException Jenkins plugin download error fix.

To change the Jenkins plugin download URL,  go to the advanced tab of the Jenkins plugin manager and scroll down to the edit box for the Jenkins update site URL. Remove the ‘s’ in ‘https’, submit the change and then resume your search for Jenkins plugins. The download catalog will be easily accessed, and subsequent steps involved in the download of components such as the Jenkins Git plugin or the Jenkins Maven plugin will proceed without issue.

That’s how easy it is to fix this Jenkins error.