After upgrade to Jenkins 2.277.1 LDAP not working

I am running Jenkins in docker compose from the image jenkins/jenkins. After upgrading to Jenkins 2.277.1, LDAP authentication stopped working and I can't log in. I am getting the following error:

    jenkins.docker.new_1 | 2021-06-04 14:49:31.311+0000 [id=138] WARNING o.j.p.p.DiskUsageCollector#collect: Cannot get disk usage data. Install CloudBees Disk Usage Simple plugin to enable
    jenkins.docker.new_1 | 2021-06-04 14:49:32.352+0000 [id=20] WARNING h.security.LDAPSecurityRealm#throwUnlessConfigIsIgnorable: Failed communication with ldap server XXX== (ldaps://XXX:636), will not try the next configuration
    jenkins.docker.new_1 | sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    jenkins.docker.new_1 | at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    jenkins.docker.new_1 | at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    jenkins.docker.new_1 | at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    jenkins.docker.new_1 | at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
    jenkins.docker.new_1 | Caused: sun.security.validator.ValidatorException: PKIX path building failed
    jenkins.docker.new_1 | at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
    jenkins.docker.new_1 | at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
    jenkins.docker.new_1 | at sun.security.validator.Validator.validate(Validator.java:271)
    jenkins.docker.new_1 | at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
    jenkins.docker.new_1 | at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:223)
    jenkins.docker.new_1 | at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    jenkins.docker.new_1 | at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
    jenkins.docker.new_1 | Caused: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    jenkins.docker.new_1 | at sun.security.ssl.Alert.createSSLException(Alert.java:131)

My JVM args are:

        environment:
        - JAVA_OPTS=-Djavax.net.ssl.trustStore=/mnt/jenkins/jenkins_home/cacerts -Dio.jenkins.plugins.casc.ConfigurationAsCode.initialDelay=15000 -Djavax.net.ssl.trustStorePassword=changeit

With version 2.263.3 everything works fine.

My LDAP plugin version:

version=2.7
groupId=org.jenkins-ci.plugins
artifactId=ldap


Solution 1:

Add the server's certs to your trusted keystore.
Note: the storepass is usually "changeit"

    sudo keytool -importcert -keystore <keystore-path>/cacerts -storepass <password> -file <server's root .crt file path> -alias "ldap"

Restart & check.

If the server's root cert is not readily available, load it into a file "root.crt" using the steps below:

  1. Get all of the server's certificates using the command below and save them in separate files.

    openssl s_client -showcerts -connect <ldap_server>:<ldap_port>

  2. Identify the root certificate (the one whose Issuer (i:) and Subject (s:) are the same in the certificate output).

  3. (Not needed if step 1 included the certificate directly) Calculate the sha256 hash of this root certificate, copy it between the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, and save this file as root.crt

  4. Use this file's path in the above importcert command.
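The steps above, carried through end to end as an added example (this is not code from the answer, from Jenkins or from the LDAP plugin): fetch the chain the LDAPS server presents, split it into one PEM file per certificate, pick the self-signed root by comparing Subject and Issuer, print its SHA-256 fingerprint so it can be checked against what the LDAP or CA administrator publishes before it is trusted, and import it into the JKS/PKCS12 truststore the JVM is pointed at. The host and port are placeholders, the `ldap` alias and `changeit` password come from the answer, and the `/mnt/jenkins/jenkins_home/cacerts` path comes from the question.

```shell
#!/bin/sh
# Added example, not part of the original post. Host/port, keystore path,
# alias "ldap" and password "changeit" are placeholders to replace.

# Fetch the chain the server presents (needs network access).
# Usage: fetch_chain ldap.example.test 636 > chain.pem
fetch_chain() {
    openssl s_client -showcerts -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null
}

# Split a PEM chain on stdin into $1/cert-1.pem, $1/cert-2.pem, ... in the
# order the server sent them (leaf first). Prints the number of certs found.
# Lines outside BEGIN/END (s_client's "s:" / "i:" summaries) are dropped.
split_chain() {
    mkdir -p "$1"
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    '
}

# Print the subject or issuer DN of a PEM certificate in RFC 2253 form.
# Usage: cert_dn subject|issuer file
cert_dn() {
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed "s/^$1=//"
}

# Print the path of the self-signed root in $1 (Subject == Issuer), the
# check step 2 of the answer describes. Servers often omit the root from
# the chain; then nothing is printed and the caller must obtain it elsewhere.
find_root() {
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        if [ "$(cert_dn subject "$f")" = "$(cert_dn issuer "$f")" ]; then
            echo "$f"
            return 0
        fi
    done
    echo "no self-signed certificate in chain; obtain the root out of band" >&2
    return 1
}

# SHA-256 fingerprint to compare against the value the LDAP/CA admin
# publishes before the certificate is trusted.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Import the root into the truststore given to the JVM through
# -Djavax.net.ssl.trustStore, then list the alias to confirm it is there.
# Usage: import_root keystore storepass rootfile alias
import_root() {
    keytool -importcert -noprompt -keystore "$1" -storepass "$2" -file "$3" -alias "$4" \
      && keytool -list -keystore "$1" -storepass "$2" -alias "$4"
}

# Whole procedure, e.g.:
#   sh ldaps-trust.sh --run ldap.example.test 636 /mnt/jenkins/jenkins_home/cacerts changeit
if [ "${1:-}" = "--run" ]; then
    dir=$(mktemp -d)
    fetch_chain "$2" "$3" | split_chain "$dir" >/dev/null
    root=$(find_root "$dir") || exit 1
    echo "root: $(cert_dn subject "$root")  sha256: $(fingerprint "$root")"
    import_root "$4" "$5" "$root" ldap
fi
```

Restart Jenkins after the import, as the answer says; the JVM reads the truststore once at startup. If `find_root` reports that no self-signed certificate was in the chain, the last file written by `split_chain` is the top-most intermediate, and the root it names as issuer has to come from the CA itself rather than from the server.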

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow