So I spent hours today beating my head against a wall and cursing JRE, so a pretty normal day for me.
I had to connect our TeamCity server to the GitLab server. The GitLab server uses an SSL cert that was generated from the AD Domain CA, so it is trusted by all the domain machines. Our TC server is on the domain as well, and when connecting to the https site it comes up as green.
However, when connecting to git through TeamCity, it is running inside JRE, which for some reason doesn’t use the machine trusts; it has its own cert store that you need to add the cert to.
Here’s the error I was facing:
List remote refs failed: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
To test the trust from JRE you need to run this:
java SSLPoke git.mycompany.local 443
Where git.mycompany.local is your GitLab server.
You can get the SSLPoke class here.
If it's untrusted, you will see an error here.
You can use your web browser to export the public key.
Most docs tell me that you can export your root CA public cert, but this didn’t work for me; I actually had to export the specific cert for this site.
Then use this command line to import the cert into JRE and restart TeamCity.
C:\TeamCity\jre\bin>C:\TeamCity\jre\bin\keytool.exe -importcert -trustcacerts -file C:\MyGitLabSSLCert.cer -alias MyGitLabSSLCert -keystore "C:\TeamCity\jre\lib\security\cacerts"
After this we are in business!
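To confirm that the import above landed in the trust store TeamCity's JRE reads, and that the stored entry is the certificate you exported, the following PowerShell check compares the SHA-256 fingerprints of the two. It is an added example, not part of the original post; the paths and alias are taken from the keytool command above, and the store password is assumed to be the JRE default, "changeit".

```powershell
# Added example: verify the cacerts entry against the exported certificate file.
# Paths and alias come from the keytool command above. The store password is an
# assumption (the JRE default "changeit") and may have been changed on your server.
$keytool   = 'C:\TeamCity\jre\bin\keytool.exe'
$cacerts   = 'C:\TeamCity\jre\lib\security\cacerts'
$certFile  = 'C:\MyGitLabSSLCert.cer'
$alias     = 'MyGitLabSSLCert'
$storePass = 'changeit'

function Get-Sha256Fingerprint([string[]]$Lines) {
    # keytool prints "SHA256: AB:CD:..." with 32 colon-separated hex bytes
    foreach ($line in $Lines) {
        if ($line -match 'SHA256:\s*((?:[0-9A-F]{2}:){31}[0-9A-F]{2})') {
            return $Matches[1].ToUpper()
        }
    }
    throw 'No SHA-256 fingerprint found in keytool output'
}

# Fingerprint of the certificate file exported from the browser
$fileOut = & $keytool -printcert -file $certFile
if ($LASTEXITCODE -ne 0) { throw "keytool could not read $certFile" }
$fileFp = Get-Sha256Fingerprint $fileOut

# Fingerprint of the entry stored under the alias in the JRE trust store
$storeOut = & $keytool -list -v -alias $alias -keystore $cacerts -storepass $storePass
if ($LASTEXITCODE -ne 0) { throw "Alias '$alias' not found in $cacerts" }
$storeFp = Get-Sha256Fingerprint $storeOut

if ($fileFp -ne $storeFp) {
    throw "Mismatch: file has $fileFp, store has $storeFp"
}
"OK: '$alias' in $cacerts matches $certFile"
"SHA-256 $storeFp"
```

Compare the printed SHA-256 value with the fingerprint the GitLab server's administrator reports for the certificate, since an exported site certificate is trusted exactly as-is once it is in cacerts.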