After switching JDK, for testing purposes, from OpenJDK 8 to GraalVM RC-1 I was unable to either download certain artifacts from Sonatype or publish my own artifacts to Sonatype Nexus via SBT. After some investigation I found out that:
To confirm that it was a JVM issue and not an SBT setup, I used these instructions: https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html
With Graal I got _exactly_ the same exception for oss.sonatype.org, while with OpenJDK 8 things work as expected.
The issue was not immediate, as I have already cached most (almost all) of my dependencies locally. Only after I wanted to fetch a new snapshot did the issue become visible during download, though it also appeared earlier, when I tried to publish a new artifact (I haven't immediately connected this issue to the change of my JVM).
Is it an issue of the GitHub OpenJDK-based version vs the version available on Oracle's site? (I haven't tested that version.) I am concerned since I wanted to use GraalVM on a Docker image for CI and failing artifact downloads would be a serious issue.
I use Arch Linux, and for switching JDKs I use the built-in archlinux-java script that handles setting up JAVA_HOME and changing global symlinks to JDK installation directories.
This sounds like a case of missing certificates in our OpenJDK build (/cc @gilles-duboscq)
You should be able to test this by trying with GraalVM from OTN. If that works, try copying jre/lib/security/cacerts from OTN GraalVM to GitHub GraalVM.
@MateuszKubuszok can you please post the exception showing the Sonatype failure?
This is a known issue with OpenJDK's cacerts bundle. Unfortunately at the moment we cannot distribute a better bundle in the community edition. I also noticed the issue with https://oss.sonatype.org.
The OpenJDK 8 version you are testing with probably comes from your distribution and probably uses your distribution's cacerts bundle. As @dougxc advised, you can replace jre/lib/security/cacerts with a more complete file (e.g., the one found in your distribution's OpenJDK 8).
The bug tracking the addition of the remaining root certificates to OpenJDK is tracked as JDK-8193447.
Please re-open if you think this is still an issue we can do something about.
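In case someone had the same error (and maybe needed a one-liner for a Docker image):

```bash
# Oracle JDK 8u171 archive; only its jre/lib/security/cacerts is extracted into $GRAALVM_HOME
ORACLE_JRE_URL='http://download.oracle.com/otn-pub/java/jdk/8u171-b11/512cd62ec5174c3487ac17c61aaa89e8/jdk-8u171-linux-x64.tar.gz'
# -j ignores session cookies, -L follows redirects, -k skips TLS certificate verification for the download
curl -jkL -H "Cookie: oraclelicense=accept-securebackup-cookie" "$ORACLE_JRE_URL" | tar -zxvf - --directory "$GRAALVM_HOME" --wildcards "*/jre/lib/security/cacerts" --strip-components 1
```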
See https://github.com/oracle/graal/issues/493#issuecomment-447582907
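A narrower alternative to replacing the whole cacerts file, as an added example that is not part of the original thread or the GraalVM project: list which roots a reference truststore has that the target lacks, then copy only the one you need. It goes slightly beyond the thread by comparing on fingerprint, since aliases differ between distributions. The function names are hypothetical, and it assumes `keytool` is on PATH and both stores use the default `changeit` password.

```shell
# list_roots: read `keytool -list` output on stdin and print one
# "FINGERPRINT alias" line per trusted certificate, sorted.
list_roots() {
  awk '
    /, trustedCertEntry,/ { split($0, f, ","); alias = f[1]; next }
    /^Certificate fingerprint/ && alias != "" { print $NF, alias; alias = "" }
  ' | sort
}

# missing_roots REF_LIST TARGET_LIST: entries of REF_LIST whose fingerprint
# is absent from TARGET_LIST (both files produced by list_roots).
# FILENAME is compared instead of NR == FNR so an empty target list works.
missing_roots() {
  awk 'FILENAME == ARGV[1] { have[$1] = 1; next } !($1 in have)' "$2" "$1"
}

# compare_truststores REF_KEYSTORE TARGET_KEYSTORE [STOREPASS]
# Runs in a subshell so its variables and temp files stay local.
compare_truststores() (
  pass=${3:-changeit}
  ref=$(mktemp); tgt=$(mktemp)
  keytool -list -keystore "$1" -storepass "$pass" | list_roots > "$ref"
  keytool -list -keystore "$2" -storepass "$pass" | list_roots > "$tgt"
  missing_roots "$ref" "$tgt"
  rm -f "$ref" "$tgt"
)

# copy_root ALIAS REF_KEYSTORE TARGET_KEYSTORE [STOREPASS]
# Exports one root from the reference store and imports it into the target.
copy_root() (
  pass=${4:-changeit}
  pem=$(mktemp)
  keytool -exportcert -rfc -alias "$1" -keystore "$2" -storepass "$pass" -file "$pem" &&
    keytool -importcert -noprompt -alias "$1" -file "$pem" -keystore "$3" -storepass "$pass"
  rc=$?
  rm -f "$pem"
  exit "$rc"
)

# Typical use (paths are placeholders):
#   compare_truststores /path/to/distro/cacerts "$GRAALVM_HOME/jre/lib/security/cacerts"
#   copy_root <alias-from-output> /path/to/distro/cacerts "$GRAALVM_HOME/jre/lib/security/cacerts"
```

Source the file and run `compare_truststores` first; the second column of its output is the alias to pass to `copy_root`.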