Newbie using macOS here.
We have Jenkins installed on macOS.
I need to know which JRE and cacerts it uses because I need to import the GitHub Enterprise server's self-signed certificate for integration. I have an SSL error and am trying to follow the resolving PKIX-path-building-failed-error-message guide, which I have successfully done in Windows.
In Windows Jenkins installation, it has its own JENKINS_HOME/jre folder where lib/security/cacerts can be found.
Question 1: Where/how do I find the JRE used by Jenkins on macOS?
So far, what I have found is the java_home which is in
/usr/libexec/java_home
But I am not so sure about this one, as my next steps' results were failing.
Question 2: How do I add the truststore and password for the modified cacerts file to the Jenkins startup?
Using the jre in /usr/libexec/java_home, I have copied the /jre/lib/security/cacerts to my JENKINS_HOME/custom-keystore/cacerts and imported the self-signed certificate there.
sudo keytool -importcert -alias github -file JENKINS_HOME/custom-keystore/selfsigned.cer -keystore JENKINS_HOME/custom-keystore/cacerts
After that, I modified the Jenkins startup arguments:
-Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacert
-Djavax.net.ssl.trustStorePassword=changeit
using:
defaults write /Library/Preferences/org.jenkins-ci.plist Djavax.net.ssl.keyStore JENKINS_HOME/custom-keystore/cacerts
defaults write /Library/Preferences/org.jenkins-ci.plist Djavax.net.ssl.keyStorePassword changeit
then restarted Jenkins using:
sudo launchctl unload /Library/LaunchDaemons/org.jenkins-ci.plist
sudo launchctl load /Library/LaunchDaemons/org.jenkins-ci.plist
After this, I faced various issues:
Proxy Issue - (resolved after adding the server URL in proxylist - macOS network config)
The GitHub and other previously successful integrations are now having the following error:
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Other Questions:
Is there anything I missed in my steps?
Is the way I add the arguments in Jenkins startup correct? (In Windows, I just modified jenkins.xml and also used arguments with "-", while here it seems "-" is not needed?)
Since I am using a Launch Daemon instead of a Launch Agent, do I have to restart the system? Or should the defaults unload and load suffice for the changes to apply?
Successfully resolved the issues now. I corrected 1 step, and then added another step.
sudo defaults write /Library/Preferences/org.jenkins-ci.plist Djavax.net.ssl.trustStore /Users/Shared/Jenkins/Home/custom-keystore/cacerts
sudo defaults write /Library/Preferences/org.jenkins-ci.plist Djavax.net.ssl.trustStorePassword changeit
I edited the jenkins_runner.sh, which is found in /Library/Application\ Support/Jenkins:
javaArgs="-Dfile.encoding=UTF-8 -Djavax.net.ssl.trustStore=/Users/Shared/Jenkins/Home/custom-keystore/cacerts -Djavax.net.ssl.trustStorePassword=changeit"
(restart) After executing
launchctl unload /Library/LaunchDaemons/org.jenkins-ci.plist
launchctl load /Library/LaunchDaemons/org.jenkins-ci.plist
I found that the changes I made did not apply completely. So I had to restart my Mac.
It turns out that the Java/JRE in the /usr/libexec/java_home which I used for the keytool and importing cacerts is the correct one.
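A check for the two things that went wrong above (keyStore set where trustStore was meant, and flags not reaching the running process), as an added example that is not part of the original post. It inspects a JVM command line for `-Djavax.net.ssl.trustStore` and confirms the file is readable; the function names and the sample command line are constructed for illustration, and the path is assumed to contain no spaces.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: the trust store path contains no spaces.

# Print the value of -D<name>=<value> found in a command line.
# $1 = property name, $2 = command line. Exit status 1 if absent.
# The body is a subshell so that `set -f` (no globbing) stays local.
jvm_prop() (
    set -f
    for arg in $2; do
        case "$arg" in
            "-D$1="*) printf '%s\n' "${arg#"-D$1="}"; exit 0 ;;
        esac
    done
    exit 1
)

# 0: trustStore set and readable; 1: not set; 2: set but unreadable.
check_truststore_args() {
    cmdline=$1
    store=$(jvm_prop javax.net.ssl.trustStore "$cmdline") || {
        if jvm_prop javax.net.ssl.keyStore "$cmdline" >/dev/null; then
            echo "only keyStore is set; server certificates are checked against trustStore" >&2
        else
            echo "javax.net.ssl.trustStore not set; the JVM falls back to its default cacerts" >&2
        fi
        return 1
    }
    [ -r "$store" ] || { echo "trust store not readable: $store" >&2; return 2; }
    echo "trustStore=$store"
}

# Constructed sample command line with keyStore where trustStore was meant.
sample='java -Dfile.encoding=UTF-8 -Djavax.net.ssl.keyStore=/Users/Shared/Jenkins/Home/custom-keystore/cacerts -jar jenkins.war'
check_truststore_args "$sample" || echo "exit status: $?"

# Against the live process (macOS ps syntax; assumes its command line
# contains jenkins.war):
#   check_truststore_args "$(ps -ax -o command= | grep '[j]enkins.war')"
```

Running the commented `ps` form after each `launchctl unload`/`load` shows whether the new flags reached the JVM before resorting to a reboot.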