Bamboo Data Center fails with 'PKIX path building failure' error
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Typically, a "PKIX path building failed" error occurs if an SSL CA is unknown to the JVM, which can be solved by importing the certificate into the JVM. However, there are other causes of this error.
SSL/TLS works on top of an established TCP connection (i.e. after the TCP handshake is successful), so if Bamboo is set up behind a firewall or proxy, the firewall or proxy policy may block SSL handshake packets for URLs not included in the allowed list even if the TCP connection was established successfully. When this occurs, requests fail with several errors, one of which is a PKIX error similar to this one seen in the log:
2023-05-12 11:54:38,363 ERROR [https-jsse-nio-8185-exec-111] [ThrowableExceptionMapper] Uncaught exception thrown by REST service: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.atlassian.bamboo.rest.utils.RESTCall.execute(RESTCall.java:187)
at com.atlassian.bamboo.plugins.bitbucket.impl.BitbucketApiServiceImpl.getJSONResponseFromUrl(BitbucketApiServiceImpl.java:438)
at com.atlassian.bamboo.plugins.bitbucket.impl.BitbucketApiServiceImpl.getPageFromResource(BitbucketApiServiceImpl.java:349)
at com.atlassian.bamboo.plugins.bitbucket.impl.BitbucketApiServiceImpl.findRepositories(BitbucketApiServiceImpl.java:126)
at com.atlassian.bamboo.plugins.bitbucket.rest.resource.BitbucketResource.lambda$getAvailableRepositories$0(BitbucketResource.java:77)
at com.atlassian.bamboo.plugins.bitbucket.rest.resource.BitbucketResource.executeCall(BitbucketResource.java:291)
at com.atlassian.bamboo.plugins.bitbucket.rest.resource.BitbucketResource.getAvailableRepositories(BitbucketResource.java:70)
at sun.reflect.GeneratedMethodAccessor19147.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
Environment
- Any Bamboo Server or Data Center
Diagnosis
Enable the DEBUG log level for the classpath org.apache.http.wire to monitor the TCP request and response between Bamboo and the remote server.
The TCP connection is established successfully; however, the connection terminates with a PKIX exception immediately after the TCP connection is established, as seen in the logs:
2023-05-15 11:03:05,196 DEBUG [https-jsse-nio-8185-exec-29] [wire] >> " CONNECT api.bitbucket.org:443 HTTP/1.1[\r][\n]"
2023-05-15 11:03:05,197 DEBUG [https-jsse-nio-8185-exec-29] [wire] >> "Host: api.bitbucket.org:443[\r][\n]"
2023-05-15 11:03:05,197 DEBUG [https-jsse-nio-8185-exec-29] [wire] >> "Proxy-Connection: Keep-Alive[\r][\n]"
2023-05-15 11:03:05,197 DEBUG [https-jsse-nio-8185-exec-29] [wire] >> "User-Agent: Apache-HttpClient/4.5.10 (Java/1.8.0_361)[\r][\n]"
2023-05-15 11:03:05,197 DEBUG [https-jsse-nio-8185-exec-29] [wire] >> "[\r][\n]"
2023-05-15 11:03:05,201 DEBUG [https-jsse-nio-8185-exec-29] [wire] << "HTTP/1.1 200 Connection Established[\r][\n]"
2023-05-15 11:03:05,201 DEBUG [https-jsse-nio-8185-exec-29] [wire] << "Proxy-Agent: Zscaler/6.2[\r][\n]"
2023-05-15 11:03:05,201 DEBUG [https-jsse-nio-8185-exec-29] [wire] << "[\r][\n]"
Cause
- The firewall or proxy uses a URL filter which may have excluded the request URL from its allowed list
Solution
- Confirm whether the firewall or proxy has a URL filter policy, implicit or explicit.
If it does, add the remote server URL and port to the allowed list.
You can find the URL and port Bamboo is trying to connect to in the TCP log:
2023-05-15 11:03:05,196 DEBUG [https-jsse-nio-8185-exec-29] [wire] >> " CONNECT api.bitbucket.org:443 HTTP/1.1[\r][\n]"
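The correlation described under Diagnosis (the proxy tunnel opens, then the TLS handshake fails with PKIX on the same request thread) can be checked over a log excerpt with a short script. This is an added example, not Atlassian's code: the function name `find_blocked_tunnels` is hypothetical, and the ERROR line in the sample is constructed on the same thread as the wire lines to show the match.

```python
import re

# Constructed sample: wire lines in the layout shown above, plus a constructed
# ERROR line on the same thread so the correlation can be demonstrated.
SAMPLE_LOG = r'''2023-05-15 11:03:05,196 DEBUG [https-jsse-nio-8185-exec-29] [wire] >> " CONNECT api.bitbucket.org:443 HTTP/1.1[\r][\n]"
2023-05-15 11:03:05,197 DEBUG [https-jsse-nio-8185-exec-29] [wire] >> "Host: api.bitbucket.org:443[\r][\n]"
2023-05-15 11:03:05,201 DEBUG [https-jsse-nio-8185-exec-29] [wire] << "HTTP/1.1 200 Connection Established[\r][\n]"
2023-05-15 11:03:05,201 DEBUG [https-jsse-nio-8185-exec-29] [wire] << "Proxy-Agent: Zscaler/6.2[\r][\n]"
2023-05-15 11:03:05,230 ERROR [https-jsse-nio-8185-exec-29] [ThrowableExceptionMapper] Uncaught exception thrown by REST service: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed
'''

LINE = re.compile(r'^\S+ \S+ (\w+) \[([^\]]+)\] \[([^\]]+)\] (.*)$')
WIRE = re.compile(r'^(>>|<<) "(.*?)(?:\[\\r\])?(?:\[\\n\])?"$')

def find_blocked_tunnels(log_text):
    """Return one record per proxy CONNECT, flagged when the tunnel opened
    (HTTP 200 from the proxy) but the TLS handshake then failed with PKIX."""
    open_by_thread, records = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack-trace continuation lines and other noise
        level, thread, logger, msg = m.groups()
        w = WIRE.match(msg) if logger == "wire" else None
        if w:
            direction, payload = w.group(1), w.group(2).strip()
            if direction == ">>" and payload.startswith("CONNECT "):
                rec = {"thread": thread, "target": payload.split()[1],
                       "proxy_status": None, "proxy_agent": None,
                       "pkix_after_tunnel": False}
                open_by_thread[thread] = rec
                records.append(rec)
            elif direction == "<<" and thread in open_by_thread:
                rec = open_by_thread[thread]
                status = re.match(r"HTTP/\S+ (\d{3})", payload)
                if status and rec["proxy_status"] is None:
                    rec["proxy_status"] = int(status.group(1))
                elif payload.lower().startswith("proxy-agent:"):
                    rec["proxy_agent"] = payload.split(":", 1)[1].strip()
        elif level == "ERROR" and "PKIX path building failed" in msg:
            rec = open_by_thread.pop(thread, None)
            if rec and rec["proxy_status"] == 200:
                rec["pkix_after_tunnel"] = True
    return records

if __name__ == "__main__":
    for r in find_blocked_tunnels(SAMPLE_LOG):
        print(r)
```

A flagged record names the host and port to check against the proxy's URL filter and the proxy product that answered. A CA missing from the JVM trust store produces the same flag, so treat it as a lead rather than proof.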