In this article, I would like to document the problems encountered when upgrading from IBM XLC 10.1 to XLC 17.1 (IBM Open XL C/C++ for AIX 17.1.0) and how to fix the following 12 errors.
If you’ve encountered any other errors, feel free to share your comments with or without a solution.
1. Change cc to ibm-clang
First you need to change all the related cc to ibm-clang in the the global Makefile. for example:
[2023-09-11T08:21:54.269Z] Error occurred for request GET /artifactory/api/system/version HTTP/1.1: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. [2023-09-11T08:21:54.282Z] Error occurred for request PUT /artifactory/generic-int-den/my-project/hotfix/1.2.0.HF5/3/pj120_bin_opt_SunOS_3792bcf.tar.Z;build.timestamp=1694418199972;build.name=hotfix%2F1.2.0.HF5;build.number=3 HTTP/1.1: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. [2023-09-11T08:21:54.284Z] [consumer_0] An exception occurred during execution: [2023-09-11T08:21:54.284Z] java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target [2023-09-11T08:21:54.284Z] at org.jfrog.build.extractor.clientConfiguration.util.spec.SpecDeploymentConsumer.consumerRun(SpecDeploymentConsumer.java:44) [2023-09-11T08:21:54.284Z] at org.jfrog.build.extractor.producerConsumer.ConsumerRunnableBase.run(ConsumerRunnableBase.java:11) [2023-09-11T08:21:54.284Z] at java.lang.Thread.run(Thread.java:745) [2023-09-11T08:21:54.285Z] Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
16:42:47 Caused by: hudson.plugins.git.GitException: Command "git init /disk1/agent/workspace/e_feature-aix-ci-build" returned status code 255: 16:42:47 stdout: 16:42:47 stderr: exec(): 0509-036 Cannot load program git because of the following errors: 16:42:47 0509-150 Dependent module /usr/lib/libiconv.a(libiconv.so.2) could not be loaded. 16:42:47 0509-152 Member libiconv.so.2 is not found in archive 16:42:47 16:42:47 at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:2734) 16:42:47 at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:2660) 16:42:47 at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommandIn(CliGitAPIImpl.java:2656) 16:42:47 at org.jenkinsci.plugins.gitclient.CliGitAPIImpl.launchCommand(CliGitAPIImpl.java:1981) 16:42:47 at org.jenkinsci.plugins.gitclient.CliGitAPIImpl$5.execute(CliGitAPIImpl.java:1047)
为团队提供具有新的非技术技能的人员,以填补深刻的技能差距。根据 《提高 IT 技能 2022》报告,IT 需要七种关键技能:流程和框架技能、人员技能、技术技能、自动化技能、领导技能、数字技能、业务技能和高级认知技能。不幸的是,大多数 IT 经理首先追求的是技术技能,而忽视了“软技能” —— 这可能是阻碍 DevOps 在组织中进一步发展的最大因素。
整个团队以及单个 DevOps 成员的技能发展。近年来,每个人都面临着考验(新冠等流行病、不确定的经济形势),并使越来越多的 IT 专业人员不确定自己的技能,并感到需要进一步的培训和发展。与此同时,根据《2022 年 IT 技能提升》报告,接受调查的 IT 组织中只有 52% 制定了正式的技能提升计划。这实际上导致全球 IT 团队面临的最大挑战是缺乏技能。
Recently my CI pipeline suddenly does not work on AIX 7.1 with error Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath..
Click to see more details about the failure log.
22:13:30 Executing command: /bin/sh -c git log --pretty=format:%s -1 22:13:36 [consumer_0] Deploying artifact: https://artifactory.company.com/artifactory/generic-int-den/myproject/PRs/PR-880/1/myproject_bin_rel_AIX_5797b20.tar.Z 22:13:36 Error occurred for request GET /artifactory/api/system/version HTTP/1.1: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 22:13:36 java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is: 22:13:36 java.security.cert.CertPathValidatorException: Certificate chaining error. 22:13:36 Error occurred for request PUT /artifactory/generic-int-den/myproject/PRs/PR-880/1/cpplinter_bin_rel_AIX_5797b20.tar.Z;build.timestamp=1693273923987;build.name=PR-880;build.number=1 HTTP/1.1: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 22:13:36 java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is: 22:13:36 java.security.cert.CertPathValidatorException: Certificate chaining error. 22:13:36 [consumer_0] An exception occurred during execution: 22:13:36 java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 22:13:36 java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is: 22:13:36 java.security.cert.CertPathValidatorException: Certificate chaining error 22:13:36 at org.jfrog.build.extractor.clientConfiguration.util.spec.SpecDeploymentConsumer.consumerRun(SpecDeploymentConsumer.java:44) 22:13:36 at org.jfrog.build.extractor.producerConsumer.ConsumerRunnableBase.run(ConsumerRunnableBase.java:11) 22:13:36 at java.lang.Thread.run(Thread.java:785) 22:13:36 Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 22:13:36 java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is: 22:13:36 java.security.cert.CertPathValidatorException: Certificate chaining error 22:13:36 at com.ibm.jsse2.j.a(j.java:3) 22:13:36 at com.ibm.jsse2.as.a(as.java:213) 22:13:36 at com.ibm.jsse2.C.a(C.java:339) 22:13:36 at com.ibm.jsse2.C.a(C.java:248) 22:13:36 at com.ibm.jsse2.D.a(D.java:291) 22:13:36 at com.ibm.jsse2.D.a(D.java:217) 22:13:36 at com.ibm.jsse2.C.r(C.java:373) 22:13:36 at com.ibm.jsse2.C.a(C.java:352) 22:13:36 at com.ibm.jsse2.as.a(as.java:752) 22:13:36 at com.ibm.jsse2.as.i(as.java:338) 22:13:36 at com.ibm.jsse2.as.a(as.java:711) 22:13:36 at com.ibm.jsse2.as.startHandshake(as.java:454) 22:13:36 at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436) 22:13:36 at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384) 22:13:36 at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) 22:13:36 at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376) 22:13:36 at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393) 22:13:36 at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) 22:13:36 at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186) 22:13:36 at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) 22:13:36 at org.apache.http.impl.execchain.ServiceUnavailableRetryExec.execute(ServiceUnavailableRetryExec.java:85) 22:13:36 at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) 22:13:36 at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) 22:13:36 at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) 22:13:36 at org.jfrog.build.client.PreemptiveHttpClient.execute(PreemptiveHttpClient.java:76) 22:13:36 at org.jfrog.build.client.PreemptiveHttpClient.execute(PreemptiveHttpClient.java:64) 22:13:36 at org.jfrog.build.client.JFrogHttpClient.sendRequest(JFrogHttpClient.java:133) 22:13:36 at org.jfrog.build.extractor.clientConfiguration.client.JFrogService.execute(JFrogService.java:112) 22:13:36 at org.jfrog.build.extractor.clientConfiguration.client.artifactory.services.Upload.execute(Upload.java:77) 22:13:36 at org.jfrog.build.extractor.clientConfiguration.client.artifactory.ArtifactoryManager.upload(ArtifactoryManager.java:267) 22:13:36 at org.jfrog.build.extractor.clientConfiguration.client.artifactory.ArtifactoryManager.upload(ArtifactoryManager.java:262) 22:13:36 at org.jfrog.build.extractor.clientConfiguration.util.spec.SpecDeploymentConsumer.consumerRun(SpecDeploymentConsumer.java:39) 22:13:36 ... 2 more 22:13:36 Caused by: com.ibm.jsse2.util.h: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 22:13:36 java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is: 22:13:36 java.security.cert.CertPathValidatorException: Certificate chaining error 22:13:36 at com.ibm.jsse2.util.f.a(f.java:107) 22:13:36 at com.ibm.jsse2.util.f.b(f.java:143) 22:13:36 at com.ibm.jsse2.util.e.a(e.java:6) 22:13:36 at com.ibm.jsse2.aA.a(aA.java:99) 22:13:36 at com.ibm.jsse2.aA.a(aA.java:112) 22:13:36 at com.ibm.jsse2.aA.checkServerTrusted(aA.java:28) 22:13:36 at com.ibm.jsse2.D.a(D.java:588) 22:13:36 ... 29 more 22:13:36 Caused by: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 22:13:36 java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is: 22:13:36 java.security.cert.CertPathValidatorException: Certificate chaining error 22:13:36 at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:422) 22:13:36 at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268) 22:13:36 at com.ibm.jsse2.util.f.a(f.java:120) 22:13:36 ... 35 more 22:13:36 Caused by: java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is: 22:13:36 java.security.cert.CertPathValidatorException: Certificate chaining error 22:13:36 at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:111) 22:13:36 at com.ibm.security.cert.PKIXCertPathValidatorImpl.engineValidate(PKIXCertPathValidatorImpl.java:199) 22:13:36 at com.ibm.security.cert.PKIXCertPathBuilderImpl.myValidator(PKIXCertPathBuilderImpl.java:749) 22:13:36 at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:661) 22:13:36 at com.ibm.security.cert.PKIXCertPathBuilderImpl.buildCertPath(PKIXCertPathBuilderImpl.java:607) 22:13:36 at com.ibm.security.cert.PKIXCertPathBuilderImpl.engineBuild(PKIXCertPathBuilderImpl.java:368) 22:13:36 ... 37 more 22:13:36 Caused by: java.security.cert.CertPathValidatorException: Certificate chaining error 22:13:36 at com.ibm.security.cert.CertPathUtil.findIssuer(CertPathUtil.java:316) 22:13:36 at com.ibm.security.cert.BasicChecker.<init>(BasicChecker.java:108) 22:13:36 ... 42 more 22:13:36
I have tried to download certificate.pem from my Artifactory and run this command, but the issue still there on my AIX 7.3.
It investing it can not reproduce on my Windows, Linux and AIX 7.3 build machines.
What’s the different between them? the only different is Java runtime. On my problematic AIX 7.1 build machine, I used a shared runtime which is a link to path /tools/AIX-7.1/Java8_64-8.0.0.401/usr/java8_64/bin/java
bash-5.0$ /tools/AIX-7.1/Java8_64-8.0.0.401/usr/java8_64/bin/java -version java version "1.8.0" Java(TM) SE Runtime Environment (build pap6480sr4fp1-20170215_01(SR4 FP1)) IBM J9 VM (build 2.8, JRE 1.8.0 AIX ppc64-64 Compressed References 20170209_336038 (JIT enabled, AOT enabled) J9VM - R28_20170209_0201_B336038 JIT - tr.r14.java.green_20170125_131456 GC - R28_20170209_0201_B336038_CMPRSS J9CL - 20170209_336038) JCL - 20170215_01 based on Oracle jdk8u121-b13
And I have anther Java runtime installed my that machine which is /usr/java8_64/bin/java
bash-5.0$ /usr/java8_64/bin/java -version java version "1.8.0_241" Java(TM) SE Runtime Environment (build 8.0.6.5 - pap6480sr6fp5-20200111_02(SR6 FP5)) IBM J9 VM (build 2.9, JRE 1.8.0 AIX ppc64-64-Bit Compressed References 20200108_436782 (JIT enabled, AOT enabled) OpenJ9 - 7d1059c OMR - d059105 IBM - c8aee39) JCL - 20200110_01 based on Oracle jdk8u241-b07
Actually the versions of these two java versions are different. I just changed configuration of JavaPath from /tools/AIX-7.1/Java8_64-8.0.0.401/usr/java8_64/bin/java to /usr/java8_64/bin/java in the Jenkins node and disconnect then launch agent again, it works.
I don’t why it works, I don’t know much about Java certificate, if you know the reason please leave comments and let me know. Thank you.
Options: --builder string Override the configured builder instance -f, --file stringArray Build definition file --load Shorthand for"--set=*.output=type=docker" --metadata-file string Write build result metadata to the file --no-cache Do not use cache when building the image --print Print the options without building --progress string Set type of progress output ("auto", "plain", "tty"). Use plain to show container output (default "auto") --provenance string Shorthand for"--set=*.attest=type=provenance" --pull Always attempt to pull all referenced images --push Shorthand for"--set=*.output=type=registry" --sbom string Shorthand for"--set=*.attest=type=sbom" --set stringArray Override target value (e.g., "targetpattern.key=value")