Gradlew failing everywhere today for SquareTrade on 1/24/2019

Today, our Jenkins automation and local developers alike are having issues with gradlew accessing https://services.gradle.org to access the Gradle wrapper distribution.

I have no problem hitting https://services.gradle.org/distributions/gradle-4.9-all.zip in a web browser. Chrome says that the SSL cert is fine and is using a COMODO CA cert. I have validated that our Oracle JDK 1.8.0_181 installations also have this in the cacerts truststore.

A coworker found this post, which has clues: Bypass SSL certification

Any ideas?

ron@cloudbees-2:~/WorkRoot/devops/vault-config$ ./gradlew build
Downloading https://services.gradle.org/distributions/gradle-4.9-all.zip

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263)
	at org.gradle.wrapper.Download.downloadInternal(Download.java:66)
	at org.gradle.wrapper.Download.download(Download.java:51)
	at org.gradle.wrapper.Install$1.call(Install.java:62)
	at org.gradle.wrapper.Install$1.call(Install.java:48)
	at org.gradle.wrapper.ExclusiveFileAccessManager.access(ExclusiveFileAccessManager.java:69)
	at org.gradle.wrapper.Install.createDist(Install.java:48)
	at org.gradle.wrapper.WrapperExecutor.execute(WrapperExecutor.java:107)
	at org.gradle.wrapper.GradleWrapperMain.main(GradleWrapperMain.java:61)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
	at sun.security.validator.Validator.validate(Validator.java:262)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
	... 20 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
	... 26 more
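
The symptoms reported above (the browser accepts the certificate, the root CA is in cacerts, yet the JVM reports "PKIX path building failed") are what a served chain with a missing intermediate produces for a client that does not fetch missing issuers; the thread does not say that this was the cause here. The following added example is not from the thread: it reproduces that failure mode offline with `openssl`, using a throwaway three-certificate chain whose names and keys are all constructed.

```shell
#!/bin/sh
# Added illustration: all keys, certificates and names here are constructed throwaways.

# new_csr DIR NAME CN: fresh RSA key plus certificate request.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# make_chain DIR: self-signed root -> intermediate CA -> leaf.
make_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    new_csr "$d" root 'Constructed Root CA'
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    new_csr "$d" int 'Constructed Intermediate CA'
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    new_csr "$d" leaf 'downloads.example.test'
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# chain_verifies TRUST LEAF [INTERMEDIATES]: succeed only if a path can be built
# from LEAF to an anchor in TRUST using nothing beyond the certificates supplied,
# which is how a client that does not fetch missing issuers behaves.
chain_verifies() {
    if [ -n "${3:-}" ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    fi
    printf '%s\n' "$out" | grep -q ': OK$'
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_chain "$work"
for served in '' "$work/int.pem"; do
    if chain_verifies "$work/root.pem" "$work/leaf.pem" "$served"; then
        echo "served intermediates='${served##*/}': path builds"
    else
        echo "served intermediates='${served##*/}': path building fails"
    fi
done
```

Against a live endpoint, `openssl s_client -connect host:443 -showcerts` prints the certificates the server actually sends, which can then be checked the same way against the trust store in use.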

Thanks for reporting.

The certificate is provided by our CDN vendor CloudFlare; it’s possible something happened when they renewed the certificate. We’re investigating it.

However, I can’t reproduce it with Oracle 1.8.0_181 on my local machine (macOS 10.14.2). So if you can provide us more information, that would be great.

Can you please run the problematic build with JAVA_OPTS=-Djavax.net.debug=all ./gradlew build, and send us the log? If you don’t want to make it public you can send it to bo@gradle.com. We’ll investigate and fix it.

Thank you very much!

I also tried RHEL 7.5 with Oracle JDK 1.8.0_181, no issues.

Hi,

CloudFlare has confirmed the issue on their side and they’re working on a fix. Please let us know if you see further errors.

@blindpirate Thank you. Just tested the build again and gradlew https distribution download works once again. I love it.

==> Run the deployVault groovy script to deploy the Vault secrets and tokens
[Pipeline] script
[Pipeline] {
[Pipeline] sh
+ ./gradlew run --args=--application=billing-event --environment=platformteam2 --cluster=ANY --create-secrets --deploy-tokens --stacktrace
Downloading https://services.gradle.org/distributions/gradle-4.10.3-all.zip
................................................................................................................
Welcome to Gradle 4.10.3!

Thank you for confirming!