Unable to connect XL Release to external applications


Kenny Lim -

Problem: When trying to connect XL Release to an external service such as Jenkins, you get an SSL-related error like:

javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This happens because your external application is served over HTTPS with an SSL certificate that is not signed by a CA that XL Release trusts. By default, XL Release uses the JRE truststore, so you need to export the application's certificate and add it to XLR's truststore.

Steps:

1. Get public cert of Jenkins:

openssl s_client -showcerts -connect my-jenkins.com:8080 </dev/null | openssl x509 -outform PEM > jenkins.cer

2. Create a truststore for XL Release:

  • You have 2 options here. One is to create a new, empty truststore. XL Release would then trust only the cert (from step 1) that you are going to import, and nothing else (not even publicly trusted sites with CA-signed certs). The other option is to copy Java's default truststore and add the cert to the copy.

  • Option 1 - Empty truststore:
keytool -importcert -file jenkins.cer -keystore $XL_RELEASE_HOME/conf/XLReleaseTrustStore.jks -alias jenkins

  • Option 2 - Copy Java truststore:
cp $JAVA_HOME/lib/security/cacerts $XL_RELEASE_HOME/conf/XLReleaseTrustStore.jks
keytool -importcert -file jenkins.cer -keystore $XL_RELEASE_HOME/conf/XLReleaseTrustStore.jks -alias jenkins

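3. Then, tell XL Release to use the truststore by editing conf/xlr-wrapper-linux.conf and adding the following lines, where X is the next unused wrapper.java.additional index and the password value is the truststore's password: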

wrapper.java.additional.X=-Djavax.net.ssl.trustStore=conf/XLReleaseTrustStore.jks
wrapper.java.additional.X+1=-Djavax.net.ssl.trustStorePassword=password

4. Last but not least, restart XL Release. It should no longer throw that error.
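
Step 1 saves whatever certificate the server presents on that connection, so it is worth comparing its SHA-256 fingerprint with a value obtained from the Jenkins administrator before running keytool in step 2. The script below is an added example, not part of the original article; the function names, `SAMPLE_DER` and the sample dump are constructed for illustration, and it assumes `awk`, GNU `base64` and `sha256sum` are available.

```shell
#!/bin/sh
# Added example: check a captured certificate against a known fingerprint
# before it goes anywhere near keytool. All names here are illustrative.

# Constructed stand-in for DER bytes (not a real certificate).
SAMPLE_DER='constructed placeholder bytes, not a real certificate'

# Write a constructed s_client-style dump around SAMPLE_DER to file $1.
make_sample_dump() {
    {
        echo 'CONNECTED(00000003)'
        echo 'Certificate chain'
        echo ' 0 s:CN = my-jenkins.com'
        echo '-----BEGIN CERTIFICATE-----'
        printf '%s' "$SAMPLE_DER" | base64
        echo '-----END CERTIFICATE-----'
        echo '---'
    } > "$1"
}

# Print the first PEM block in file $1 (the server's own certificate).
first_pem() {
    awk '/-----BEGIN CERTIFICATE-----/ {on=1}
         on {print}
         on && /-----END CERTIFICATE-----/ {exit}' "$1"
}

# SHA-256 of the DER bytes of a PEM certificate on stdin, lowercase hex.
# This is the value `openssl x509 -noout -fingerprint -sha256` reports.
pem_sha256() {
    grep -v -- '-----' | tr -d ' \r\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# Succeed only if the certificate in file $1 has fingerprint $2.
# $2 may be upper case and colon-separated, as openssl prints it.
verify_pin() {
    pem=$(first_pem "$1")
    [ -n "$pem" ] || return 1          # no certificate captured at all
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')
    got=$(printf '%s\n' "$pem" | pem_sha256)
    [ "$got" = "$want" ]
}

# Typical use (PIN obtained out of band from the Jenkins administrator):
#   verify_pin jenkins.cer "$PIN" && keytool -importcert -file jenkins.cer ...
```

`verify_pin` works both on a raw `s_client` dump and on a file that already contains only the PEM block.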
