小贝子编程

升级到Jenkins 2.277.1后,LDAP无法工作



我在docker compose中运行jenkins/jenkins。升级到Jenkins 2.277.1后,LDAP身份验证停止工作,我无法登录。我收到以下错误:

jenkins.docker.new_1|2021-06-04 14:49:31.311+000[id=138]警告o.j.p.p.DiskUsageCollector#collect:无法获取磁盘使用数据。安装CloudBees Disk Usage Simple插件以启用jenkins.docker.new_1|2021-06-04 14:49:32.352+000[id=20]警告h.security.LDAPSecurityRealm#throwUnlessConfigIsIgnorable:与ldap服务器XXX通信失败==(ldaps://XXX:636),将尝试下一个配置jenkins.docker.new_1|sun.security.provider.certpath.SunCertPathBuilderException:无法查找请求的目标jenkins.docker.new_1的有效证书路径|在sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuildr.java:141(jenkins.docker.new_1|在sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuildr.java:126(jenkins.docker.new_1|在java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280(jenkins.docker.new_1|在sun.security.validator.PIXValidator.doBuild(PKIXValidator.java:451(jenkins.docker.new_1|原因:sun.security.validator.ValidatorException:PKIX路径构建失败jenkins.docker.new_1|在sun.security.validator.PIXValidator.doBuild(PKIXValidator.java:456(jenkins.docker.new_1|在sun.security.validator.PIXValidator.engineValidate(PKIXValidator.java:323(jenkins.docker.new_1|在sun.security.validator.validate(validator.java:271(jenkins.docker.new_1|在sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315(jenkins.docker.new_1|在sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223(jenkins.docker.new_1|在sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129(jenkins.docker.new_1|在sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638(jenkins.docker.new_1|导致:javax.net.ssl.ssl握手异常:PKIX路径构建失败:sun.security.provider.certpath.SunCertPathBuilderException:无法查找请求的目标jenkins.docker.new_1的有效证书路径|在sun.security.ssl.Alert.createSSLException(Alert.java:131(

我的jvm参数是:

environment:
- JAVA_OPTS=-Djavax.net.ssl.trustStore=/mnt/jenkins/jenkins_home/cacerts -Dio.jenkins.plugins.casc.ConfigurationAsCode.initialDelay=15000 -Djavax.net.ssl.trustStorePassword=changeit

有了2.263.3版本,一切都很好。

我的LDAP插件版本:

version=2.7
groupId=org.jenkins-ci.plugins
artifactId=ldap

在您信任的密钥库中添加服务器的证书
注意:存储通行证通常是"changeit">

sudo keytool -importcert -keystore <keystore-path>/cacerts -storepass <password> -file <server's root .crt file path> -alias "ldap"

重新启动&检查

如果服务器根证书不方便,则将其加载到文件"中;root.crt";使用以下内容:

  1. 使用以下命令获取服务器的所有证书&将它们保存在单独的文件中。

    openssl s_client-showcerts-connect<ldap_server>:<ldap_port>

  2. 标识根证书(具有颁发者(i:(&证书文件中的主题相同。

  3. (如果步骤1直接包含证书,则不需要(计算此根证书的sha256哈希,将其复制到行之间--–BEGIN certificate--––END certificate--–&将此文件保存为root.crt

  4. 在上面的importcert命令中使用此文件的路径。

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium