slack-plugin
Slack Test connection fails with PKIX path validation failed
Jenkins version is 2.263.1-LTS
Slack Notification Plugin - 2.45
Java Version - openjdk version "1.8.0_275"
OS - CentOS -8.2
Problem: Under Manage Jenkins > Slack, Test Connection shows a failure. My Jenkins system log shows the error message below.
Error posting to Slack
java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: CN=slack.com, O="Slack Technologies, Inc.", L=San Francisco, ST=California, C=US. Usage was tls server
at sun.security.util.DisabledAlgorithmConstraints$KeySizeConstraint.permits(DisabledAlgorithmConstraints.java:819)
at sun.security.util.DisabledAlgorithmConstraints$Constraints.permits(DisabledAlgorithmConstraints.java:421)
at sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:167)
at sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:326)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
Caused: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits. RSA 1024bit key used with certificate: CN=slack.com, O="Slack Technologies, Inc.", L=San Francisco, ST=California, C=US. Usage was tls server
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:381)
Caused: sun.security.validator.ValidatorException: PKIX path validation failed
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:386)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:291)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
I have no issue installing and updating the Jenkins plugins.
I have followed the instructions provided in this link - https://support.cloudbees.com/hc/en-us/articles/217078498-PKIX-path-building-failed-error-message
However, I have had no success. So please help me to resolve this issue.
I don't know enough about CentOS and how they have Java configured, but it seems you need to enable TLS 1.3.
Please test out a different Java runtime such as AdoptOpenJDK or Azul.
Also check out https://github.com/jenkinsci/slack-plugin/issues/673
We have a corporate proxy.
Our proxy team member has already enabled access to slack.com for our Jenkins instance. I also tried enabling -Dhttps.protocols=TLSv1.2 and the latest OpenJDK - openjdk version "1.8.0_282".
Test connection still fails. The system log message is as follows.
Feb 24, 2021 12:07:28 PM WARNING jenkins.plugins.slack.StandardSlackService postToSlack
Error posting to Slack
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
Caused: sun.security.validator.ValidatorException: PKIX path building failed
@mohanss08 could you try -Djavax.net.debug=ssl,handshake?
Can you verify that the DigiCert is included in the cabundle that is used by your Java runtime?
That would be the DigiCert Global Root CA and DigiCert TLS RSA SHA256 2020 CA1.
You can download the cacert and use something like https://keystore-explorer.org/ to inspect the cacert keystore.
I'd suggest trying another Java runtime, just to see whether it is how CentOS has packaged OpenJDK.
@jetersen, test connection succeeded with the below workaround.
1) Created crt file using openssl - openssl s_client -connect www.slack.com:443
2) Save it in - /tmp/slack.crt
3) Added into Java cacerts keystore - keytool -import -alias slack -keystore $JAVA_HOME/jre/lib/security/cacerts -file /tmp/slack.crt
4) Password - changeit
5) Restarted Jenkins
@jetersen, Thanks a lot.
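Added example, not part of the thread and not code from the plugin project: a check to run on the saved `openssl s_client` output from step 1 before importing anything into cacerts. It reports who issued the leaf certificate and how large its key is, the two things the first log entry (RSA 1024bit key for CN=slack.com) and the maintainer's DigiCert question turn on. Assumptions: OpenSSL 1.1.1 output layout, a 2048-bit threshold, constructed sample outputs, and a hypothetical "Example Corp Proxy CA".

```shell
#!/bin/sh
# Added example: triage saved `openssl s_client` output before importing
# anything into cacerts. Reads the text on stdin, prints one verdict line.
EXPECTED_ISSUER='DigiCert TLS RSA SHA256 2020 CA1'  # intermediate named in the thread
MIN_RSA_BITS=2048                                   # assumed policy threshold

# Constructed sample: direct connection, OpenSSL 1.1.1 output layout.
SAMPLE_DIRECT='Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "Slack Technologies, Inc.", CN = slack.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
 1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
---
Server public key is 2048 bit'

# Constructed sample: same subject re-signed by a hypothetical proxy CA.
SAMPLE_PROXY='Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "Slack Technologies, Inc.", CN = slack.com
   i:O = Example Corp, CN = Example Corp Proxy CA
---
Server public key is 1024 bit'

audit_s_client() {
    out=$(cat)
    # Leaf issuer: first "i:" line of the "Certificate chain" block.
    issuer=$(printf '%s\n' "$out" | sed -n 's/^ *i:\(.*\)$/\1/p' | head -n 1)
    # Leaf key size: "Server public key is N bit".
    bits=$(printf '%s\n' "$out" |
        sed -n 's/^Server public key is \([0-9][0-9]*\) bit.*$/\1/p' | head -n 1)
    if [ -z "$issuer" ] || [ -z "$bits" ]; then
        echo "UNPARSED: no chain or key size in input"; return 2
    fi
    case $issuer in
        *"CN = $EXPECTED_ISSUER"*) ;;
        *) echo "SUSPECT: leaf issued by [$issuer], not $EXPECTED_ISSUER"; return 1 ;;
    esac
    if [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "SUSPECT: server key is $bits bit, below $MIN_RSA_BITS"; return 1
    fi
    echo "OK: issuer and key size match the expected public chain"
}

printf '%s\n' "$SAMPLE_DIRECT" | audit_s_client || true
printf '%s\n' "$SAMPLE_PROXY"  | audit_s_client || true
```

On the Jenkins host the input would come from `openssl s_client -connect www.slack.com:443 </dev/null 2>/dev/null | audit_s_client`. A SUSPECT verdict means the certificate being imported was issued by something other than the public chain, so the trust decision is about that issuer.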