Graal is not bundled with some certificates roots #378

Closed
MateuszKubuszok opened this issue Apr 24, 2018 · 6 comments

@MateuszKubuszok

commented Apr 24, 2018

After switching the JDK, for testing purposes, from OpenJDK 8 to GraalVM RC-1, I was unable to either download certain artifacts from Sonatype or publish my own artifacts to Sonatype Nexus via SBT. After some investigation I found out that:

  • when I switch back to OpenJDK 8, I am able to download/publish artifacts
  • when I switch to GraalVM RC-1 downloaded from GitHub, it fails

To confirm that it was a JVM issue and not an SBT setup issue, I used these instructions: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html

With Graal I got exactly the same exception for oss.sonatype.org, while with OpenJDK 8 things work as expected.

The issue was not immediate, as most (almost all) of my dependencies were already cached locally. Only after I wanted to fetch a new snapshot did the issue become visible during download, though it also appeared earlier, when I tried to publish a new artifact (I didn't immediately connect this issue to the change of my JVM).

Is it an issue of the GitHub OpenJDK-based version vs. the version available on Oracle's site? (I haven't tested that version.) I am concerned since I wanted to use GraalVM on a Docker image for CI, and failing artifact downloads would be a serious issue.

I use Arch Linux, and for switching JDKs I use the built-in archlinux-java script that handles setting up JAVA_HOME and changing global symlinks to JDK installation directories.

@dougxc

Member

commented Apr 25, 2018

This sounds like a case of missing certificates in our OpenJDK build (/cc @gilles-duboscq )
You should be able to test this by trying with GraalVM from OTN. If that works, try copying jre/lib/security/cacerts from OTN GraalVM to GitHub GraalVM.

@dougxc

Member

commented Apr 25, 2018

@MateuszKubuszok can you please post the exception showing the Sonatype failure?

@gilles-duboscq

Member

commented Apr 25, 2018

This is a known issue with OpenJDK's cacerts bundle. Unfortunately, at the moment we cannot distribute a better bundle in the community edition. I also noticed the issue with https://oss.sonatype.org.

The OpenJDK 8 version you are testing with probably comes from your distribution and probably uses your distribution's cacerts bundle. As @dougxc advised, you can replace jre/lib/security/cacerts with a more complete file (e.g., the one found in your distribution's OpenJDK 8).

The bug tracking the addition of the remaining root certificates to OpenJDK is tracked as JDK-8193447.

@dougxc

Member

commented Apr 25, 2018

Please re-open if you think this is still an issue we can do something about.

@MateuszKubuszok

Author

commented May 22, 2018

In case someone had the same error (and maybe needed a one-liner for a Docker image):

ORACLE_JRE_URL='http://download.oracle.com/otn-pub/java/jdk/8u171-b11/512cd62ec5174c3487ac17c61aaa89e8/jdk-8u171-linux-x64.tar.gz'
# curl -k disables TLS certificate verification (and the URL is plain http), so the extracted cacerts file is not authenticated in transit.
curl -jkL -H "Cookie: oraclelicense=accept-securebackup-cookie" "$ORACLE_JRE_URL" | tar -zxvf - --directory "$GRAALVM_HOME" --wildcards "*/jre/lib/security/cacerts" --strip-components 1

jstriebel added a commit to scalableminds/dockerfiles that referenced this issue Jun 12, 2018
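
Replacing jre/lib/security/cacerts, as suggested in this thread, swaps the JVM's whole set of trust anchors, so it is worth listing which roots the replacement adds or drops before copying it in. The script below is an added example, not code from the thread or from the GraalVM project; its function names and sample listings are constructed, and it assumes the `keytool -list` text format and the default `changeit` store password.

```shell
# roots_not_in BASELINE CANDIDATE   (both are saved `keytool -list` outputs)
# Prints "fingerprint alias" for each trustedCertEntry in CANDIDATE whose
# fingerprint is absent from BASELINE. Matching is by fingerprint, so a root
# stored under a different alias is not reported as new.
roots_not_in() {
  awk '
    /trustedCertEntry/ { alias = $0; sub(/,.*/, "", alias); next }
    /^Certificate fingerprint/ {
      if (FILENAME == ARGV[1]) have[$NF] = 1
      else if (!($NF in have)) print $NF, alias
    }
  ' "$1" "$2"
}

# Constructed listings in the JDK 8 keytool output shape (fingerprints shortened).
sample_current() {
  printf '%s\n' 'Keystore type: JKS' '' \
    'root-a, Apr 24, 2018, trustedCertEntry,' \
    'Certificate fingerprint (SHA1): AA:AA:AA'
}
sample_replacement() {
  printf '%s\n' 'Keystore type: JKS' '' \
    'renamed-a, May 22, 2018, trustedCertEntry,' \
    'Certificate fingerprint (SHA1): AA:AA:AA' \
    'root-c, May 22, 2018, trustedCertEntry,' \
    'Certificate fingerprint (SHA1): CC:CC:CC'
}

# compare_stores CURRENT_CACERTS REPLACEMENT_CACERTS   (needs keytool on PATH;
# "changeit" is the default cacerts store password)
compare_stores() {
  tmp=$(mktemp -d) || return 1
  if keytool -list -keystore "$1" -storepass changeit > "$tmp/cur" &&
     keytool -list -keystore "$2" -storepass changeit > "$tmp/new"; then
    echo "Added by replacement:";   roots_not_in "$tmp/cur" "$tmp/new"
    echo "Dropped by replacement:"; roots_not_in "$tmp/new" "$tmp/cur"
  fi
  rm -rf "$tmp"
}

if [ "$#" -eq 2 ]; then
  compare_stores "$1" "$2"
else
  # No arguments: run on the constructed listings above.
  d=$(mktemp -d); sample_current > "$d/cur"; sample_replacement > "$d/new"
  roots_not_in "$d/cur" "$d/new"   # prints: CC:CC:CC root-c
  rm -rf "$d"
fi
```

Pass the current and the replacement cacerts paths as the two arguments, and use the same keytool for both so the fingerprint algorithm in the two listings matches.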

@neomatrix369


commented Dec 15, 2018
