I am trying to install native-image for my GraalVM in Windows environment. In cmd, I used the below command,
gu install native-image
But it shows this error,
Downloading: Release index file from oca.opensource.oracle.com
Error: Error reading component list: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
As the error states your environment from which gu is estabilishing a secure connection to the remote repository cannot verify the certification path of the repository. In other words your JVM does not trust oca.opensource.oracle.com.
The $JAVA_HOME/lib/security/cacerts file contains the collection of trusted CA used by JVM when running gu. Apparently this file in your JDK is missing the certificate chain of your repository.
Adding new trusted certificate
Download oca.opensource.oracle.com repository's root certificate.
Open $JAVA_HOME/lib/security/cacerts file in elevated mode with e.g. KeyStore Explorer or modify it with keytool. Default password is changeit.
Add new trusted CA from 1.
Save and close.
Useful sources
SSL and cert keystore
Difference Between a Java Keystore and a Truststore
In our organization the issue was in the man-in-the-middle SSL firewall product as mentioned by prunge.
Related
I have a spring batch application configured with docker-compose.yml. To run the project there is a run.sh file and it spinup several containers. DB container gets up and running without issues. But the container which runs the spring application fails with the below error.
Could not resolve all artifacts for configuration ':classpath'.
> Could not download spring-boot-gradle-plugin-2.5.4.jar (org.springframework.boot:spring-boot-gradle-plugin:2.5.4)
> Could not get resource 'https://plugins.gradle.org/m2/org/springframework/boot/spring-boot-gradle-plugin/2.5.4/spring-boot-gradle-plugin-2.5.4.jar'.
> Could not GET 'https://plugins.gradle.org/m2/org/springframework/boot/spring-boot-gradle-plugin/2.5.4/spring-boot-gradle-plugin-2.5.4.jar'.
> The server may not support the client's requested TLS protocol versions: (TLSv1.2, TLSv1.3). You may need to configure the client to allow other protocols to be used. See: https://docs.gradle.org/7.2/userguide/build_environment.html#gradle_system_properties
> PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> Could not download sonarqube-gradle-plugin-3.3.jar (org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:3.3)
> Could not get resource 'https://plugins.gradle.org/m2/org/sonarsource/scanner/gradle/sonarqube-gradle-plugin/3.3/sonarqube-gradle-plugin-3.3.jar'.
> Could not GET 'https://plugins.gradle.org/m2/org/sonarsource/scanner/gradle/sonarqube-gradle-plugin/3.3/sonarqube-gradle-plugin-3.3.jar'.
`
But I can download those jar files from my local machine. So jars are residing in those locations. I think this container can't access the internet to download these files. There's no way to use a terminal inside the container to execute a ping command since it is exiting right after giving this error. (But I pinged google.com in DB container and it worked.So this problem is only for that particular container)
There was a workaround to add this rootProject.buildFileName = 'build.gradle.kts' in settings.gradle. But then it says Task 'bootRun' not found in root project '*'. So I think no use in this workaround and what I want to solve is the network connection issue of the container.
Issue was with this part of the error msg: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
To fix, you have to download the certificate of https://plugins.gradle.org/ and add that to cacerts file of the jdk (refer this link to see how to install the certificate)
Since I had this problem inside a container I manually replaced the cacerts file inside the container with the local cacerts file (which already contains the certificate of gradle.org).
So this whole problem is with the jdk image which was used to create the container.
How to remove self signed certificates from ssl certificate on Mac? I am using macOS Mojave 10.14.6. Some time back, as per the given project instructions I have added a certificate. Now I did not remember those steps, but because of that maven central is using the certificate from custom trust store instead from certification authority. Because of this I am getting the below error when I run ./mvnw, can any one help me how can I figure out that self signed certificate and remove it so that maven starts using from certification authority instead from custom trust store?
$ ./mvnw
Exception in thread "main" javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I am experiencing problems executing Vagrant commands behind a corporate proxy server and self-signed CA certificates. I have configured environment variables HTTP_PROXY, HTTPS_PROXY, and HTTP_NO_PROXY variables.
I have a Java key store containing all of the corporate certificates. I have used the -exportcert option of the keytool command with numerous options. I have utilized the openssl command also with numerous options and placed the resulting files in multiple locations within the embedded Ruby directories within the Vagrant installation without any success.
I have read a lot of sites containing information about configuring Ruby and curl but have not had any success in getting Vagrant commands to work. All of the posts I have located focus on Ruby and curl options that I do not understand how to utilize with Vagrant which includes Ruby as an embedded component of Vagrant.
Please provide instructions on how to correctly export certificates from the Java key store and optionally convert them and place the resulting files so that Vagrant will successfully be able to communicate through the corporate proxy to the internet.
Vagrant 1.9.5 on Windows 7
Vagrant installation directory C:\Apps\Vagrant\
C:\WorkArea> vagrant plugin install vagrant.proxyconf
ERROR: SSL verification error at depth 3: self signed certificate in certificate chain (19)
ERROR: Root certificate is not trusted (/C=US/O=xxx xxx/OU=xxx xxx Certification Authority/CN=xxx xxx Root Certification Authority 01 G2)
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (https://api.rubygems.org/specs.4.8.gz)
C:\WorkArea> vagrant up
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Box 'puppetlabs/ubuntu-16.04-64-puppet' could not be found. Attempting to find and install...
default: Box Provider: virtualbox
default: Box Version: >= 0
The box 'puppetlabs/ubuntu-16.04-64-puppet' could not be found or
could not be accessed in the remote catalog. If this is a private
box on HashiCorp's Atlas, please verify you're logged in via
`vagrant login`. Also, please double-check the name. The expanded
URL and error message are shown below:
URL: ["https://atlas.hashicorp.com/puppetlabs/ubuntu-16.04-64-puppet"]
Error: SSL certificate problem: self signed certificate in certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
You don't explain what steps you have taken to try to fix the issue, but it would appear that you are not placing your root certificates in the correct location.
Go to the directory where you installed Vagrant, find the file embedded\cacert.pem, and then append the contents of your corporate certificates to the file. Save it and retry the operation. If you properly exported your root CA certificates then they should be read by Vagrant and allow the connection.
If you are still unable to make it work by combining the files, try running vagrant with SSL_CERT_FILE=/path/to/your/certs.pem in the environment. This will allow you to validate that you have properly exported your corporate certificates.
When try to connect to update sites under help->Install New Software I get:
Unable to read repository at https://dl.google.com/eclipse/plugin/4.4/content.xml.
Unable to read repository at https://dl.google.com/eclipse/plugin/4.4/content.xml.
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I have tried to import the certificate into the truststore as well as set it in the sts.ini file but to no avail.
Any help greatly appreciated!
I encountered a similar issue while trying to add templates to STS (3.6.2). The issue was my organization's usage of an SSL inspection tool that presents its certificate instead of the real one (GitHub.com).
The solution was to export the SSL inspection's certificate (using IE for example) and add it to the cacerts file. Use this article for the procedure.
Then update the sts.ini file and add the following lines:
-Djavax.net.ssl.trustStore=C:\Program Files\Java\jdk1.7.0_07\jre\lib\security\cacerts
-Djava.net.ssl.trustStorePassword=changeit
Finally - restart STS.
I am trying to install ros-hydro-genmsg, but encountered the following error.
---> Attempting to fetch 0.4.23-0.tar.gz from https://github.com/ros-gbp/genmsg-release/archive/release/hydro/genmsg/
DEBUG: Fetching distfile failed: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
When I manually go to that link in whatever browser, the file is downloaded immediately. When trying to download it through macports, it does not accept the certificate? I have put both "DigiCert High Assurance EV Root CA > SSL" and "GTE CyberTrust Global Root > SSL" to Always trust like suggested elsewhere, but that did not work either.