$ $GRAAL_HOME/bin/gu available
Downloading: Component catalog from www.graalvm.org
ComponentId Version Component name Origin
--------------------------------------------------------------------------------
native-image 19.1.1 Native Image github.com
python 19.1.1 Graal.Python github.com
R 19.1.1 FastR github.com
ruby 19.1.1 TruffleRuby github.com
$ $GRAAL_HOME/bin/gu -v --debug install native-image
Downloading: Component catalog (source: https://www.graalvm.org/component-catalog/graal-updater-component-catalog.properties)
Receiving 106 kB: Done.
Processing component archive: Native Image
Preparing to install Native Image, contains org.graalvm.native-image, version 19.1.1 (org.graalvm.native-image)
Checking requirements of component Native Image (native-image), version 19.1.1
Requires Graal Version = 19.1.1, GraalVM provides: 19.1.1
Requires Architecture = amd64, GraalVM provides: amd64
Requires Operating System = linux, GraalVM provides: linux
Downloading: Component native-image: Native Image (source: https://github.com/oracle/graal/releases/download/vm-19.1.1/native-image-installable-svm-linux-amd64-19.1.1.jar)
I/O error occured: github.com
java.net.UnknownHostException: github.com
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:666)
at sun.security.ssl.BaseSSLSocketImpl.connect(BaseSSLSocketImpl.java:173)
at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:463)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:558)
at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:264)
at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1156)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1050)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)
at org.graalvm.component.installer.remote.ProxyConnectionFactory$Connector.runWithContext(ProxyConnectionFactory.java:310)
at org.graalvm.component.installer.remote.ProxyConnectionFactory$Connector.run(ProxyConnectionFactory.java:268)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
wget --no-check-certificate https://github.com/oracle/graal/releases/download/vm-19.1.1/native-image-installable-svm-linux-amd64-19.1.1.jar
--no-check-certificate option to gu that allows downloading.
@jwedel: do you have https_proxy (not just http_proxy) env variable set up?
@sdedic Yes, I have both vars set up. It's always necessary to get all the systems like Maven and npm running.
Any updates on this issue?
@jwedel did you manage to go through with this?
Thank you for alerting me again. No, no real progress: I wasn't able to reproduce the error.
Contrary to the reporter, I don't think it is a matter of a bad certificate, since (IMHO) sun.security.validator.ValidatorException, CertPathValidatorException or SSLHandshakeException would be thrown and from a different class - the report indicates the error was thrown from java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184), so the connect itself failed, not an SSL handshake.
Anyway, if you (still) suffer from the error I can prepare a patch to disable certificate verification to test in your environment. I would like to have a confirmation + description of the environment which causes this before I introduce a "security hole" option :)
RUN gu install native-image here throws this error.
Error: Error downloading component catalog from https://www.graalvm.org/component-catalog/graal-updater-component-catalog.properties: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
Please check your connection and proxy settings. If your machine is behind a proxy, environment variables (http_proxy, https_proxy, ...) must be set appropriately.
I guess that's what you mean by environment?
```
FROM oracle/graalvm-ce:19.2.0 as graalvm
COPY . /home/app/rms-backend
ENV https_proxy=http://proxy.organization.com:8080
ENV http_proxy=http://proxy.organization.com:8080
RUN gu install native-image
WORKDIR /home/app/rms-backend
RUN native-image --no-server -cp target/rms-backend-*.jar
FROM frolvlad/alpine-glibc
EXPOSE 8080
COPY --from=graalvm /home/app/rms-backend .
ENTRYPOINT ["./rms-backend"]
```
@razrcallahan Note that your exception is different than the one in the original report: ValidatorException vs. UnknownHostException. Your case is definitely caused by SSL layer.
Could you possibly inspect what is actually being received from the network? gu should run on "its" GraalVM (assume 19.2.0 in this case) and that VM can actually contain certificates to verify the cert chain for www.graalvm.org (actually I've tried through an HTTP proxy a few minutes ago).
Could you run something like openssl s_client -connect www.graalvm.org:443 -servername www.graalvm.org -proxy yourProxyAddress:port to get the certificate presented to your machine?
It is my organisation's self signed certificate.
```
Certificate chain
0 s:/CN=www.graalvm.org
i:/C=DK/ST=Copenhagen/L=Ballerup/O=COMPANYNAME/OU=IT Department/CN=bc.company.local/[email protected]
-----BEGIN CERTIFICATE-----
CERTIFICATE HERE
-----END CERTIFICATE-----
1 s:/C=DK/ST=Copenhagen/L=Ballerup/O=COMPANYNAME/OU=IT Department/CN=bc.company.local/[email protected]
i:/DC=local/DC=company/CN=SCA06BA1-SHA256
-----BEGIN CERTIFICATE-----
CERTIFICATE HERE
Server certificate
subject=/CN=www.graalvm.org
No client certificate CA names sent
Peer signing digest: SHA512
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 45A2864DB044F8AFDF0C36999D9F2693CAC6E7B0C5458D947B9081429DCFF543
Session-ID-ctx:
Master-Key: AE5D38126754F5477EE953886E12AAE428ED00715F29CE489F6FF58731CBC2BC3F7E296D83D1BFB4FEF18D9D5BC9003B
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1568207595
Timeout : 300 (sec)
```
I have also manually copied all the self signed certificates to /etc/pki/ca-trust/source/anchors/ and ran update-ca-trust.
Still has the same issue.
Note that Java does not use the OS' native trust store. You would need to import the certificate into your java installation's keystore (jre/lib/security/cacerts), see https://docs.oracle.com/javase/tutorial/security/toolsign/rstep2.html
Ok I updated the Java keystore as well .. still no luck. There should be a way to bypass certificate checks I strongly feel.
```
Step 9/16 : RUN $JAVA_HOME/bin/keytool -importcert -file /etc/pki/CA/certs/bc.company.local.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -alias "bc.company.local" -keypass changeit -storepass changeit -noprompt
---> Running in ed7cc2b9d79b
Certificate was added to keystore
Removing intermediate container ed7cc2b9d79b
---> 24f0c4266974
Step 10/16 : RUN gu install native-image
---> Running in 6832067615ab
Downloading: Component catalog from www.graalvm.org
Error: Error downloading component catalog from https://www.graalvm.org/component-catalog/graal-updater-component-catalog.properties: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
Please check your connection and proxy settings. If your machine is behind a proxy, environment variables (http_proxy, https_proxy, ...) must be set appropriately.
```
Here is the full trace:
```
Downloading: Component catalog (source: https://www.graalvm.org/component-catalog/graal-updater-component-catalog.properties)
Error: Error downloading component catalog from https://www.graalvm.org/component-catalog/graal-updater-component-catalog.properties: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
Please check your connection and proxy settings. If your machine is behind a proxy, environment variables (http_proxy, https_proxy, ...) must be set appropriately.
org.graalvm.component.installer.FailedOperationException: Error downloading component catalog from https://www.graalvm.org/component-catalog/graal-updater-component-catalog.properties: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
Please check your connection and proxy settings. If your machine is behind a proxy, environment variables (http_proxy, https_proxy, ...) must be set appropriately.
at org.graalvm.component.installer.Environment$1.failure(Environment.java:313)
at org.graalvm.component.installer.ce.WebCatalog.getStorage(WebCatalog.java:116)
at org.graalvm.component.installer.remote.MergeStorage.listComponentIDs(MergeStorage.java:65)
at org.graalvm.component.installer.model.CatalogContents.getComponentIDs(CatalogContents.java:209)
at org.graalvm.component.installer.model.CatalogContents.findAbbreviatedId(CatalogContents.java:219)
at org.graalvm.component.installer.model.CatalogContents.doLoadComponents(CatalogContents.java:256)
at org.graalvm.component.installer.model.CatalogContents.findComponent(CatalogContents.java:165)
at org.graalvm.component.installer.remote.CatalogIterable$It.next(CatalogIterable.java:136)
at org.graalvm.component.installer.remote.CatalogIterable$It.next(CatalogIterable.java:110)
at org.graalvm.component.installer.commands.InstallCommand.prepareInstallation(InstallCommand.java:199)
at org.graalvm.component.installer.commands.InstallCommand.executeStep(InstallCommand.java:259)
at org.graalvm.component.installer.commands.InstallCommand.execute(InstallCommand.java:148)
at org.graalvm.component.installer.ComponentInstaller.processCommand(ComponentInstaller.java:280)
at org.graalvm.component.installer.ComponentInstaller.run(ComponentInstaller.java:406)
at org.graalvm.component.installer.ComponentInstaller.main(ComponentInstaller.java:440)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:162)
at org.graalvm.component.installer.remote.ProxyConnectionFactory$Connector.runWithContext(ProxyConnectionFactory.java:310)
at org.graalvm.component.installer.remote.ProxyConnectionFactory$Connector.run(ProxyConnectionFactory.java:268)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
at com.oracle.svm.core.thread.JavaThreads.threadStartRoutine(JavaThreads.java:460)
at com.oracle.svm.core.posix.thread.PosixJavaThreads.pthreadStartRoutine(PosixJavaThreads.java:193)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
... 19 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 25 more
```
Regarding the certificates: our proxy breaks the certificate chain and inserts a corporate certificate to analyze encrypted traffic.
I am not entirely positive that dropping certificate checks is compliant with security requirements of the project; so I am trying to find out something less insecure
FWIW, I've tried the suggestion above:
keytool -importcert -storepass 'changeit' -v -alias kubuntu -file /tmp/kubuntu.pem -keystore jre/lib/security/cacerts
And - except a hostname check, the operation succeeded (I used a totally random certificate with a non-matching CN).
So if the corporate proxy actually signs the certificates as in @razrcallahan's case, it should be sufficient to import the issuer certificate to the cacerts of the JVM. If the proxy just presents its own certificate on the connection (the same certificate for all hosts), support in GU is needed - @jwedel, is that your case? Can you check the connection's certificate (see the openssl command above)?
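Added example (not part of the original thread, and not GraalVM code): a small triage helper for the two checks discussed above. It separates a connect-time `UnknownHostException` from a PKIX trust failure, then reads the `openssl s_client` chain to name the CA that would have to be imported. The traces and chains are constructed and abridged from the outputs quoted in this thread; `JVM_TRUSTED` is a hypothetical stand-in for the CA subjects in the JVM's `cacerts`, and names are compared as plain strings, not by signature.

```python
import re

# Constructed inputs, abridged from the outputs quoted in this thread.
TRACE_DNS = """\
I/O error occured: github.com
java.net.UnknownHostException: github.com
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)
"""
TRACE_PKIX = """\
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
"""
CHAIN_RESIGNED = """\
Certificate chain
 0 s:/CN=www.graalvm.org
   i:/C=DK/O=COMPANYNAME/CN=bc.company.local
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
 1 s:/C=DK/O=COMPANYNAME/CN=bc.company.local
   i:/DC=local/DC=company/CN=SCA06BA1-SHA256
Server certificate
"""
CHAIN_ORIGINAL = """\
---
Certificate chain
 0 s:/CN=www.graalvm.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""
# Hypothetical: subjects you would collect from `keytool -list -v` on cacerts.
JVM_TRUSTED = {"/O=Digital Signature Trust Co./CN=DST Root CA X3"}

# Exceptions that indicate the TLS handshake ran and certificate checks failed.
TRUST_MARKERS = ("ValidatorException", "CertPathValidatorException",
                 "SSLHandshakeException")


def classify_failure(trace):
    """Return 'tls-trust', 'name-resolution' or 'unknown' for a gu stack trace."""
    if any(marker in trace for marker in TRUST_MARKERS):
        return "tls-trust"
    if "java.net.UnknownHostException" in trace:
        return "name-resolution"  # failed in connect(), before any certificate was seen
    return "unknown"


def parse_chain(s_client_output):
    """Extract [(subject, issuer), ...] from the 'Certificate chain' section."""
    chain, subject, in_section = [], None, False
    for raw in s_client_output.splitlines():
        line = raw.strip()
        if line == "Certificate chain":
            in_section = True
            continue
        if not in_section:
            continue
        if line in ("---", "Server certificate"):
            break  # end of the chain summary
        match = re.match(r"\d+\s+s:(.+)$", line)
        if match:
            subject = match.group(1)
        elif line.startswith("i:") and subject is not None:
            chain.append((subject, line[2:]))
            subject = None
        # PEM bodies printed by -showcerts match neither pattern and are skipped
    return chain


def anchor_to_import(chain, trusted_subjects):
    """Return the CA subject to import, or None if the chain already names a trusted CA.

    Simplification: compares names as strings; real PKIX validation also checks
    signatures, validity dates and constraints.
    """
    if not chain:
        raise ValueError("no certificate chain found in s_client output")
    names = [subject for subject, _ in chain] + [issuer for _, issuer in chain]
    if any(name in trusted_subjects for name in names):
        return None
    return chain[-1][1]  # issuer of the top-most certificate the proxy presented


def triage(trace, s_client_output, trusted_subjects):
    """Combine both checks into one next step for the operator."""
    kind = classify_failure(trace)
    if kind == "name-resolution":
        return "connect failed before TLS: check proxy variables and DNS, not certificates"
    if kind == "tls-trust":
        ca = anchor_to_import(parse_chain(s_client_output), trusted_subjects)
        if ca is None:
            return "chain names a CA the JVM trusts: check which trust store gu is using"
        return "import CA into cacerts: " + ca
    return "unclassified failure"


if __name__ == "__main__":
    print(triage(TRACE_DNS, CHAIN_ORIGINAL, JVM_TRUSTED))
    print(triage(TRACE_PKIX, CHAIN_RESIGNED, JVM_TRUSTED))
```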
@sdedic Hi, sorry, I was on vacation. Here's the output:
$ openssl s_client -connect www.graalvm.org:443 -servername www.graalvm.org -proxy localhost:8888
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.graalvm.org
verify return:1
---
Certificate chain
0 s:/CN=www.graalvm.org
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=www.graalvm.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3245 bytes and written 450 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: FECC2BFAB5E356ED3817411C4BDD2DC3DA305B0B053898877BF510A475D1461C
Session-ID-ctx:
Master-Key: 158A117080ED0F9E15123F57E0775A6E770ECD32D242673032F3E752C0229AAA82E78B84ACFE7F042273A329331724C1
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1569241754
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
Apologies, I've got confused or misunderstood something: the certificate from the openssl you've pasted, the one presented when using the proxy as in the openssl command is the correct (graalvm.org) one - so should pass HostNameVerifier without any problem. Does not seem that the used proxy changed anything.
Note that the exception in your original report was a different thing:
java.net.UnknownHostException: github.com
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)
@sdedic Yes. I noted that :) But what does it tell us? As I stated before, I could easily run wget to download the file.
> But what does it tell us?
It tells us that
Downloading: Component catalog (source: https://www.graalvm.org/component-catalog/graal-updater-component-catalog.properties)
Receiving 106 kB: Done.
succeeded, including certificate check and hostname verification (correct ?), while
Downloading: Component native-image: Native Image (source: https://github.com/oracle/graal/releases/download/vm-19.1.1/native-image-installable-svm-linux-amd64-19.1.1.jar)
I/O error occured: github.com
java.net.UnknownHostException: github.com
failed (I think) before during connect and before any data was even received from the connection to verify.
Maybe wget is a good debugging tool ;) so let's try
wget -d https://www.graalvm.org/component-catalog/graal-updater-component-catalog.properties
wget -d https://github.com/oracle/graal/releases/download/vm-19.1.1/native-image-installable-svm-linux-amd64-19.1.1.jar
and compare the results. Wget prints a lot of what it is doing / receiving from the network. Note: before posting, pls. review/delete local file paths and mangle internal DNS names, not to leak information you wouldn't like to be public.
My output (from github.com URL) looks like (also using a proxy):
wget -d https://github.com/oracle/graal/releases/download/vm-19.1.1/native-image-installable-svm-linux-amd64-19.1.1.jar
DEBUG output created by Wget 1.20.1 on linux-gnu.
Reading HSTS entries from ~/.wget-hsts
URI encoding = 'ISO-8859-1'
converted 'https://github.com/oracle/graal/releases/download/vm-19.1.1/native-image-installable-svm-linux-amd64-19.1.1.jar' (ISO-8859-1) -> 'https://github.com/oracle/graal/releases/download/vm-19.1.1/native-image-installable-svm-linux-amd64-19.1.1.jar' (UTF-8)
URI encoding = 'ISO-8859-1'
Converted file name 'native-image-installable-svm-linux-amd64-19.1.1.jar' (UTF-8) -> 'native-image-installable-svm-linux-amd64-19.1.1.jar' (ISO-8859-1)
--2019-10-02 10:36:04-- https://github.com/oracle/graal/releases/download/vm-19.1.1/native-image-installable-svm-linux-amd64-19.1.1.jar
Resolving @proxy@ (@proxy)... a.b.c.d
Caching @proxy@ => a.b.c.d
Connecting to @proxy@ (@proxy@)|a.b.c.d|:80... connected.
Created socket 3.
Releasing 0x000055ffee799270 (new refcount 1).
---request begin---
CONNECT github.com:443 HTTP/1.1
User-Agent: Wget/1.20.1 (linux-gnu)
Host: github.com:443
---request end---
proxy responded with: [HTTP/1.0 200 Connection established
]
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x000055ffee79b970
certificate:
subject: CN=github.com,O=GitHub\\, Inc.,L=San Francisco,ST=California,C=US,serialNumber=5157550,jurisdictionST=Delaware,jurisdictionC=US,businessCategory=Private Organization
issuer: CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
X509 certificate successfully verified and matches host github.com
The interesting thing is that my machine does not resolve github.com hostname at all ;)
$ wget -d https://www.graalvm.org/component-catalog/graal-updater-component-catalog.properties
DEBUG output created by Wget 1.19.4 on linux-gnu.
Reading HSTS entries from /home/nifty/.wget-hsts
Will not apply HSTS. The HSTS database must be a regular and non-world-writable file.
ERROR: could not open HSTS store at '/home/nifty/.wget-hsts'. HSTS will be disabled.
URI encoding = ‘UTF-8’
URI encoding = ‘UTF-8’
Converted file name 'graal-updater-component-catalog.properties' (UTF-8) -> 'graal-updater-component-catalog.properties' (UTF-8)
--2019-10-02 16:00:14-- https://www.graalvm.org/component-catalog/graal-updater-component-catalog.properties
Resolving localhost (localhost)... 127.0.0.1
Caching localhost => 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8888... connected.
Created socket 5.
Releasing 0x00007fffd5742e90 (new refcount 1).
---request begin---
CONNECT www.graalvm.org:443 HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Host: www.graalvm.org:443
---request end---
proxy responded with: [HTTP/1.1 200 Connection established
]
Initiating SSL handshake.
Handshake successful; connected socket 5 to SSL handle 0x00007fffd5743920
certificate:
subject: CN=www.graalvm.org
issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
X509 certificate successfully verified and matches host www.graalvm.org
---request begin---
GET /component-catalog/graal-updater-component-catalog.properties HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: www.graalvm.org
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
---request end---
Proxy request sent, awaiting response...
---response begin---
HTTP/1.1 200 OK
Server: GitHub.com
Content-Type: application/octet-stream
Last-Modified: Wed, 02 Oct 2019 09:25:55 GMT
ETag: "5d946d23-1e8cd"
Access-Control-Allow-Origin: *
Expires: Wed, 02 Oct 2019 09:37:04 GMT
Cache-Control: max-age=600
X-Proxy-Cache: MISS
X-GitHub-Request-Id: E1A0:3012:695D3:8EFF0:5D946D67
Content-Length: 125133
Accept-Ranges: bytes
Date: Wed, 02 Oct 2019 14:00:14 GMT
Via: 1.1 varnish
Age: 569
Connection: keep-alive
X-Served-By: cache-hhn4072-HHN
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1570024815.550997,VS0,VE1
Vary: Accept-Encoding
X-Fastly-Request-ID: ffabd3efc8bb14746fef5787a124a9e859c246d0
---response end---
200 OK
Registered socket 5 for persistent reuse.
Length: 125133 (122K) [application/octet-stream]
Saving to: ‘graal-updater-component-catalog.properties’
graal-updater-component-catal 100%[=================================================>] 122.20K 729KB/s in 0.2s
2019-10-02 16:00:14 (729 KB/s) - ‘graal-updater-component-catalog.properties’ saved [125133/125133]
and
wget -d https://github.com/oracle/graal/releases/download/vm-19.1.1/native-image-installable-svm-linux-amd64-19.1.1.jar
DEBUG output created by Wget 1.19.4 on linux-gnu.
Reading HSTS entries from /home/nifty/.wget-hsts
Will not apply HSTS. The HSTS database must be a regular and non-world-writable file.
ERROR: could not open HSTS store at '/home/nifty/.wget-hsts'. HSTS will be disabled.
URI encoding = ‘UTF-8’
URI encoding = ‘UTF-8’
Converted file name 'native-image-installable-svm-linux-amd64-19.1.1.jar' (UTF-8) -> 'native-image-installable-svm-linux-amd64-19.1.1.jar' (UTF-8)
--2019-10-02 16:01:12-- https://github.com/oracle/graal/releases/download/vm-19.1.1/native-image-installable-svm-linux-amd64-19.1.1.jar
Resolving localhost (localhost)... 127.0.0.1
Caching localhost => 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:8888... connected.
Created socket 5.
Releasing 0x00007fffc387e0a0 (new refcount 1).
---request begin---
CONNECT github.com:443 HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Host: github.com:443
---request end---
proxy responded with: [HTTP/1.1 200 Connection established
]
Initiating SSL handshake.
Handshake successful; connected socket 5 to SSL handle 0x00007fffc387eb30
certificate:
subject: CN=github.com,O=GitHub\\, Inc.,L=San Francisco,ST=California,C=US,serialNumber=5157550,jurisdictionST=Delaware,jurisdictionC=US,businessCategory=Private Organization
issuer: CN=DigiCert SHA2 Extended Validation Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
X509 certificate successfully verified and matches host github.com
---request begin---
GET /oracle/graal/releases/download/vm-19.1.1/native-image-installable-svm-linux-amd64-19.1.1.jar HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Accept: */*
Accept-Encoding: identity
Host: github.com
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
---request end---
Proxy request sent, awaiting response...
---response begin---
HTTP/1.1 302 Found
Date: Wed, 02 Oct 2019 14:01:13 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Server: GitHub.com
Status: 302 Found
Vary: X-PJAX
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/49662222/a85c3680-a590-11e9-8cc4-01d59e8271c8?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20191002%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20191002T140113Z&X-Amz-Expires=300&X-Amz-Signature=7f0960308df77552a208e4891b29e1a774e1193c35d90b9f5ffbb980edf78e75&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dnative-image-installable-svm-linux-amd64-19.1.1.jar&response-content-type=application%2Foctet-stream
Cache-Control: no-cache
Set-Cookie: has_recent_activity=1; path=/; expires=Wed, 02 Oct 2019 15:01:13 -0000
Set-Cookie: logged_in=no; domain=.github.com; path=/; expires=Sun, 02 Oct 2039 14:01:13 -0000; secure; HttpOnly
Set-Cookie: _gh_sess=QTFZaGRWQW82QW1UM3RsM0JFbWJENGJ6eUkvdDZSTFFmdWpRRkE0M2xSU1hMclNxVVRPVDRGVVU5Y2JmUG9FcGsyZnBGc0dhczRJbjF1ZW92N0V1c2RYUklOa3Z2bytMbkp2M1d6Vkx0YWtZODMyQTVTYktSNHlJd00wc0Z5TytMRnJ6Z2RETnFBYVloM0dES2kvWTF3PT0tLUxUQkxsemhsVXZNanhiY1dOdFJEalE9PQ%3D%3D--d74ccfa81f0cdc2f3f609da4b9cb403e8c1c70fd; path=/; secure; HttpOnly
X-Request-Id: 28cf1619-ddce-41c5-b524-f9be1bc34545
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com
Vary: Accept-Encoding
X-GitHub-Request-Id: A89A:10BF:E6DDD1:15ACE86:5D94ADA9
---response end---
302 Found
Stored cookie github.com -1 (ANY) / <permanent> <insecure> [expiry 2019-10-02 17:01:13] has_recent_activity 1
cdm: 1
Stored cookie github.com -1 (ANY) / <permanent> <secure> [expiry 2039-10-02 15:01:13] logged_in no
Stored cookie github.com -1 (ANY) / <session> <secure> [expiry none] _gh_sess QTFZaGRWQW82QW1UM3RsM0JFbWJENGJ6eUkvdDZSTFFmdWpRRkE0M2xSU1hMclNxVVRPVDRGVVU5Y2JmUG9FcGsyZnBGc0dhczRJbjF1ZW92N0V1c2RYUklOa3Z2bytMbkp2M1d6Vkx0YWtZODMyQTVTYktSNHlJd00wc0Z5TytMRnJ6Z2RETnFBYVloM0dES2kvWTF3PT0tLUxUQkxsemhsVXZNanhiY1dOdFJEalE9PQ%3D%3D--d74ccfa81f0cdc2f3f609da4b9cb403e8c1c70fd
Registered socket 5 for persistent reuse.
URI content encoding = ‘utf-8’
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/49662222/a85c3680-a590-11e9-8cc4-01d59e8271c8?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20191002%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20191002T140113Z&X-Amz-Expires=300&X-Amz-Signature=7f0960308df77552a208e4891b29e1a774e1193c35d90b9f5ffbb980edf78e75&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dnative-image-installable-svm-linux-amd64-19.1.1.jar&response-content-type=application%2Foctet-stream [following]
Skipping 512 bytes of body: [<html><body>You are being <a href="https://github-production-release-asset-2e65be.s3.amazonaws.com/49662222/a85c3680-a590-11e9-8cc4-01d59e8271c8?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20191002%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20191002T140113Z&X-Amz-Expires=300&X-Amz-Signature=7f0960308df77552a208e4891b29e1a774e1193c35d90b9f5ffbb980edf78e75&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3DnativeSkipping 129 bytes of body: [-image-installable-svm-linux-amd64-19.1.1.jar&response-content-type=application%2Foctet-stream">redirected</a>.</body></html>] done.
URI content encoding = None
URI encoding = ‘UTF-8’
Converted file name 'native-image-installable-svm-linux-amd64-19.1.1.jar' (UTF-8) -> 'native-image-installable-svm-linux-amd64-19.1.1.jar' (UTF-8)
--2019-10-02 16:01:13-- https://github-production-release-asset-2e65be.s3.amazonaws.com/49662222/a85c3680-a590-11e9-8cc4-01d59e8271c8?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20191002%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20191002T140113Z&X-Amz-Expires=300&X-Amz-Signature=7f0960308df77552a208e4891b29e1a774e1193c35d90b9f5ffbb980edf78e75&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dnative-image-installable-svm-linux-amd64-19.1.1.jar&response-content-type=application%2Foctet-stream
Found localhost in host_name_addresses_map (0x7fffc387e0a0)
Connecting to localhost (localhost)|127.0.0.1|:8888... connected.
Created socket 6.
Releasing 0x00007fffc387e0a0 (new refcount 1).
---request begin---
CONNECT github-production-release-asset-2e65be.s3.amazonaws.com:443 HTTP/1.1
User-Agent: Wget/1.19.4 (linux-gnu)
Host: github-production-release-asset-2e65be.s3.amazonaws.com:443
---request end---
proxy responded with: [HTTP/1.1 200 Connection established
]
Initiating SSL handshake.
Handshake successful; connected socket 6 to SSL handle 0x00007fffc3880c00
certificate:
subject: CN=*.s3.amazonaws.com,O=Amazon.com Inc.,L=Seattle,ST=Washington,C=US
issuer: emailAddress=***corporate proxy follows here ***
ERROR: cannot verify github-production-release-asset-2e65be.s3.amazonaws.com's certificate, issued by ‘***corporate proxy follows here ***’:
Self-signed certificate encountered.
To connect to github-production-release-asset-2e65be.s3.amazonaws.com insecurely, use `--no-check-certificate'.
Closed 6/SSL 0x00007fffc3880c00
Great; so for www.graalvm.org:443, your proxy serves correct certificate (CN=www.graalvm.org); for github.com:443 also (issuer: CN=DigiCert SHA2 Extended Validation Server CA), but for Amazon (github-production-release-asset-2e65be.s3.amazonaws.com:443) does not.
Apparently the proxy is able to resolve github.com (returned 200).
Is gu still failing with the same UnknownHostException? Silly question: is your machine able to resolve github.com? See AbstractPlainSocketImpl.java:184, which (?) throws the exception. As a supplemental test, put for a while an entry for github.com to your /etc/hosts.
> Is gu still failing with the same UnknownHostException?
Yes and No. Same Exception, other host: Caused by: java.net.UnknownHostException: www.graalvm.org.
> Silly question: is your machine able to resolve github.com?
Yes. I'm writing this text on my machine on github. And as I mentioned, I can use wget. I can also resolve www.graalvm.org.
> As a supplemental test, put for a while an entry for github.com to your /etc/hosts.
I added graalvm.org to my hosts, but still got the same exception.
@jwedel the GraalVM Updater intentionally does not support an option to disable certificate or hostname verification, for security reasons. You can add your proxy’s certificate to the GraalVM default security trust store or just download the files locally and use GraalVM Updater with the local files. Please see details in the documentation:
https://www.graalvm.org/docs/reference-manual/install-components/
Had the exact same issue, on linux. Seems the binary gu does not use the java cacerts-keystore? Was able to run gu and download packages using graal-java:
cd $GRAALVM_HOME
java -classpath "lib/graalvm/launcher-common.jar:lib/installer/installer.jar" org.graalvm.component.installer.ComponentInstaller install native-image
(java is graalvm/bin/java)
@sodasmile see preceding comment; security reasons. You can simplify your commandline with --jvm switch, should cause gu to run on regular Java (GraalVM) runtime.