Graal is not bundled with some certificates roots

[MateuszKubuszok]

After switching for testing purposes JDK from OpenJDK 8 to GraalVM RC-1 I was unable to either download certain artifacts from Sonatype nor publish my own artifacts to Sonatype Nexus via SBT. After some investigation I found out that:

• when I switch back to OpenJDK 8 I am able to download/publish artifacts
• when I switch to GraalVM RC-1 downloaded from GitHub it fail

To confirm that it was a JVM issue and not a SBT setup used those instructions: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html

With Graal I got exactly the same exception for oss.sonatype.org, while with OpenJDK 8 things work as expected.

Issue was not immediate as most (almost all) of my dependencies I have already cached locally. Only after I wanted to fetch a new snapshot issue became visible during download, though it also appeared earlier, when I tried to publish a new artifact (I haven't immediately connected this issue to change of my JVM).

Is it a issue of GitHub OpenJDK-based version vs version available on Oracle's site? (I haven't tested that version.) I am concerned since I wanted to use GraalVM on a Docker image for CI and failing artifacts download would be a serious issue.

I use Arch Linux, and for switching JDKs I use build in archlinux-java script that handles setting up JAVA_HOME and changing global symlinks to JDK installation directories.

[dougxc]

This sounds like a case of missing certificates in our OpenJDK build (/cc @gilles-duboscq )
You should be able to test this by trying with GraalVM from OTN. If that works, try copying jre/lib/security/cacerts from OTN GraalVM to GitHub GraalVM.

[dougxc]

@MateuszKubuszok can you please post the exception showing the Sonatype failure.

[gilles-duboscq]

This is a known issue with OpenJDK's cacerts bundle. Unfortunately at the moment we can not distribute a better bundle in the community edition. I also noticed the issue with https://oss.sonatype.org.

The OpenJDK 8 version you are testing with probably comes from your distribution and probably use your distribution's cacerts bundle. As @dougxc advised, you can replace jre/lib/security/cacerts with a more complete file (e.g., the one found in your distribution's OpenJDK 8).

The bug tracking the addition of the remaining root certificates to OpenJDK is tracked as JDK-8193447.

[dougxc]

Please re-open if you think this is still an issue we can do something about.

[MateuszKubuszok]

In case someone had the same error (and maybe needed a one-liner for docker image:

ORACLE_JRE_URL='http://download.oracle.com/otn-pub/java/jdk/8u171-b11/512cd62ec5174c3487ac17c61aaa89e8/jdk-8u171-linux-x64.tar.gz'
curl -jkL -H "Cookie: oraclelicense=accept-securebackup-cookie" $ORACLE_JRE_URL | tar -zxvf - --directory $GRAALVM_HOME --wildcards "*/jre/lib/security/cacerts" --strip-components 1

[neomatrix369]

See #493 (comment)