前言


前两天IT部发了封邮件,将gitlab由HTTP改为了HTTPS,正好要去Jenkins构建部署上线包,将原有的克隆链接由HTTP改为了HTTPS,然后点击构建,没想到的是,构建直接就报错了。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Fetching changes from the remote Git repository
ERROR: Error fetching remote repo 'origin'
hudson.plugins.git.GitException: Failed to fetch from https://xxx@gitlab.xxx.com/xxx
at hudson.plugins.git.GitSCM.fetchFrom(GitSCM.java:899)
at hudson.plugins.git.GitSCM.retrieveChanges(GitSCM.java:1114)
at hudson.plugins.git.GitSCM.checkout(GitSCM.java:1145)
at org.jenkinsci.plugins.workflow.steps.scm.SCMStep.checkout(SCMStep.java:124)
at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:93)
at org.jenkinsci.plugins.workflow.steps.scm.SCMStep$StepExecutionImpl.run(SCMStep.java:80)
at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: hudson.plugins.git.GitException: Command "git fetch --tags --force --progress -- https://xxx@gitlab.xxx.com/xxx+refs/heads/*:refs/remotes/origin/*" returned status code 128:
stdout:
stderr: fatal: unable to access 'https://gitlab.xxx.com/xxx/': SSL connect error

看到这个报错returned status code 128: SSL connect error我就很郁闷了,就改为了HTTPS链接,怎么就能报SSL错误了。

解决方案


详细查阅了各类资料,发现Git克隆的步骤,简单描述就是Git通过curl命令去下载代码库。不清楚curl命令的请移步至curl的百度百科

1
2
3
4
5
6
7
8
9
10
11
[root@localhost ~]# curl -v https://xxx@gitlab.xxx.com/xxx.git
* About to connect() to gitlab.xxx.com port 443 (#0)
* Trying xxx.xxx.xxx.xxx... connected
* Connected to gitlab.xxx.com (xxx.xxx.xxx.xxx) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -12190
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

在curl本人克隆代码库的HTTPS连接后,发现根源所在了,是由于NSS error -12190这个错误导致curl抛出了SSL连接错误从而由Jenkins抛出,看来问题根源在这里。

继续查找NSS error -12190错误的解决办法,终于在stackoverflow找到了有关于这个问题的丁点解释:

The reason you failed:

Some old/vulnerable NSS is used for SSL within cURL library when you go to some url, so it’s rejected. So within this machine you have chance to fail to run cURL related commands such as pycurl.

The solution:

IMO the NSS is bundle with CentOS 7.0 VM, so you can update NSS libraries as following.

1
yum update nss nss-util nspr 

即当访问某些URL时,cURL库中的SSL使用了一些较旧/易受攻击的NSS,因此将其拒绝。IMO NSS与CentOS 7.0 VM捆绑在一起,因此可以按上述方式更新NSS库。在更新curl与nss后,再次克隆成功,到此问题解决。

查阅了各大博客网站,经过整理,总结如下(一般来说遇到这种问题直接看第三种解决方案即可):

1、重新配置Git账户。

2、更新构建机器上的Git版本(使用安装命令也可更新Git)。

1
yum -y install git

3、更新curl与nss。

1
2
yum update curl
yum update nss nss-util nspr