Solve Jenkins unable to find valid certification path error |Video upload date:  · Duration: PT1M50S  · Language: EN

Fix Jenkins SSL trust error by importing the server certificate into the Java keystore or using a trusted CA

So Jenkins is throwing that bland but terrifying message about an invalid certification path. Relax a little and get your keystore game on. This guide shows the practical steps to add the target server certificate to the Java truststore that Jenkins is using. It is the usual DevOps ritual where you fetch a certificate, drop it in the right place, and pretend you always knew what you were doing.

Why this happens

Jenkins runs on a Java JVM and Java trusts only certificates present in its truststore by default. If the remote service uses a certificate that Java does not recognize you will see errors mentioning an invalid certification path. This is a CI security feature doing its job even when it ruins your morning.

What you will do

  • Export the server certificate from the service or browser
  • Copy the certificate file to the Jenkins host
  • Import the certificate into the Java truststore used by the Jenkins JVM
  • Restart Jenkins and verify the connection

1 Export the server certificate

Use the browser certificate export feature or ask the service owner for a PEM or CRT file. Browsers are surprisingly handy and do not require heroic command line skills. Save the file as server.crt or similar.

2 Move the certificate to the Jenkins host

Place the file in a controlled location that the Jenkins administrator owns. No stray files on the desktop. You will need shell access for the import step.

3 Back up the current truststore

Back up the truststore before you change it. Break stuff now and you get to explain it later.

cp /path/to/jre/lib/security/cacerts /path/to/jre/lib/security/cacerts.bak

4 Import the certificate using keytool

Import the certificate into the same cacerts file that your Jenkins JVM uses. The default cacerts password is changeit unless your admin changed it for good reasons. Example command for a typical setup

keytool -import -alias myserver -file server.crt -keystore /path/to/jre/lib/security/cacerts -storepass changeit

Answer yes to trust the certificate when prompted. If the remote server presents an intermediate CA make sure you import the full chain or import the root and intermediate certs as needed.

5 Restart Jenkins and verify

Restart the Jenkins service so the JVM picks up the updated truststore. Use your system service tool to restart Jenkins. Then re run the failing job or access the remote resource from the Jenkins host with a browser to confirm the SSL handshake no longer fails.

Troubleshooting tips

  • If the error persists check that you updated the truststore used by the actual Jenkins JVM and not some other Java on the machine
  • Confirm the entire certificate chain is present rather than only the leaf certificate
  • Verify file permissions so the Jenkins user can read the cacerts file

Final tip Prefer certificates signed by a trusted CA and avoid turning off SSL checks. A proper CA signed certificate saves time and prevents future headaches for your CI and security teams. You did not really want to disable security checks anyway unless you enjoy chaos.

I know how you can get Azure Certified, Google Cloud Certified and AWS Certified. It's a cool certification exam simulator site called certificationexams.pro. Check it out, and tell them Cameron sent ya!