Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Graal is not bundled with some certificates roots #378

Closed
MateuszKubuszok opened this issue Apr 24, 2018 · 6 comments
Closed

Graal is not bundled with some certificates roots #378

MateuszKubuszok opened this issue Apr 24, 2018 · 6 comments
Assignees

Comments

@MateuszKubuszok
Copy link

@MateuszKubuszok MateuszKubuszok commented Apr 24, 2018

After switching for testing purposes JDK from OpenJDK 8 to GraalVM RC-1 I was unable to either download certain artifacts from Sonatype nor publish my own artifacts to Sonatype Nexus via SBT. After some investigation I found out that:

  • when I switch back to OpenJDK 8 I am able to download/publish artifacts
  • when I switch to GraalVM RC-1 downloaded from GitHub it fail

To confirm that it was a JVM issue and not a SBT setup used those instructions: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html

With Graal I got exactly the same exception for oss.sonatype.org, while with OpenJDK 8 things work as expected.

Issue was not immediate as most (almost all) of my dependencies I have already cached locally. Only after I wanted to fetch a new snapshot issue became visible during download, though it also appeared earlier, when I tried to publish a new artifact (I haven't immediately connected this issue to change of my JVM).

Is it a issue of GitHub OpenJDK-based version vs version available on Oracle's site? (I haven't tested that version.) I am concerned since I wanted to use GraalVM on a Docker image for CI and failing artifacts download would be a serious issue.

I use Arch Linux, and for switching JDKs I use build in archlinux-java script that handles setting up JAVA_HOME and changing global symlinks to JDK installation directories.

@dougxc
Copy link
Member

@dougxc dougxc commented Apr 25, 2018

This sounds like a case of missing certificates in our OpenJDK build (/cc @gilles-duboscq )
You should be able to test this by trying with GraalVM from OTN. If that works, try copying jre/lib/security/cacerts from OTN GraalVM to GitHub GraalVM.

@dougxc
Copy link
Member

@dougxc dougxc commented Apr 25, 2018

@MateuszKubuszok can you please post the exception showing the Sonatype failure.

@gilles-duboscq
Copy link
Member

@gilles-duboscq gilles-duboscq commented Apr 25, 2018

This is a known issue with OpenJDK's cacerts bundle. Unfortunately at the moment we can not distribute a better bundle in the community edition. I also noticed the issue with https://oss.sonatype.org.

The OpenJDK 8 version you are testing with probably comes from your distribution and probably use your distribution's cacerts bundle. As @dougxc advised, you can replace jre/lib/security/cacerts with a more complete file (e.g., the one found in your distribution's OpenJDK 8).

The bug tracking the addition of the remaining root certificates to OpenJDK is tracked as JDK-8193447.

@dougxc
Copy link
Member

@dougxc dougxc commented Apr 25, 2018

Please re-open if you think this is still an issue we can do something about.

@MateuszKubuszok
Copy link
Author

@MateuszKubuszok MateuszKubuszok commented May 22, 2018

In case someone had the same error (and maybe needed a one-liner for docker image:

ORACLE_JRE_URL='http://download.oracle.com/otn-pub/java/jdk/8u171-b11/512cd62ec5174c3487ac17c61aaa89e8/jdk-8u171-linux-x64.tar.gz'
curl -jkL -H "Cookie: oraclelicense=accept-securebackup-cookie" $ORACLE_JRE_URL | tar -zxvf - --directory $GRAALVM_HOME --wildcards "*/jre/lib/security/cacerts" --strip-components 1

jstriebel added a commit to scalableminds/dockerfiles that referenced this issue Jun 12, 2018
@neomatrix369
Copy link
Contributor

@neomatrix369 neomatrix369 commented Dec 15, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants