codeql
Error downloading packs with corporate certificate in chain
When I try to run codeql pack download ... I get the following error.
> codeql pack download codeql/javascript-queries
Package specifications to check for download: codeql/javascript-queries
A fatal error occurred: Could not create access credentials for codeql/javascript-queries.
(eventual cause: SunCertPathBuilderException "unable to find valid certification path to requested target")
This is on a computer that has a self-signed certificate in the chain. For most of the tools I use there's a way to include these certificates with an environment variable or enable it to pick up the configuration with the certificate installed. I can't figure out a way to do that in this case though.
A lot of the examples online are specific to fixing this issue for JRE/JDK, which I don't have; I'm just running the codeql macOS binary.
Thanks,
Thank you for your question. The codeql macOS binary is a jar file, so most Java solutions should work. codeql ships with its own JRE that is located at codeql/tools/osx64/java.
It looks like you are running codeql on your local machine (i.e., not in code scanning or on a CI system). Is that correct? I will ask internally if anyone has solved this problem in the past.
Can you try adding your self-signed certificate to the JVM's cert store? Here are some instructions. https://www.baeldung.com/jvm-certificate-store-errors
You can get more info on what precisely is going wrong by enabling SSL debug logging: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ReadDebug.html
Sorry for the slow reply.
> Thank you for your question. The codeql macOS binary is a jar file, so most Java solutions should work. codeql ships with its own JRE that is located at codeql/tools/osx64/java.
> It looks like you are running codeql on your local machine (i.e., not in code scanning or on a CI system). Is that correct? I will ask internally if anyone has solved this problem in the past.
Yes I'm running it locally.
> Can you try adding your self-signed certificate to the JVM's cert store? Here are some instructions. https://www.baeldung.com/jvm-certificate-store-errors
> You can get more info on what precisely is going wrong by enabling SSL debug logging: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ReadDebug.html
I tried to do this before but since I don't have any Java tooling installed I don't have a $JAVA_HOME env variable and therefore no keystore with that value so I'm not sure how I would add the certificate for it.
You can try setting JAVA_HOME to ....../codeql/tools/osx64/java. And note that you will need to re-add the cert each time you upgrade your codeql versions.
Facing same issue with Windows Local machine. Here I am trying to install/download cpp/queries packages.
codeql pack download codeql/cpp-queries
Package installation location: C:\Users\shravan.codeql\packages
A fatal error occurred: Could not create access credentials for codeql/cpp-queries.
(eventual cause: SunCertPathBuilderException "unable to find valid certification path to requested target")
Can anyone please help me on this?
There's not much more I can suggest other than going through the steps above. Please confirm to me that you've tried them.
echo | openssl s_client -showcerts -servername ghcr.io -connect ghcr.io:443 > ghcr-certificates.pem
keytool -import -alias ghcr -keystore "<codeql-home>/codeql/tools/osx64/java/lib/security/cacerts" -file ghcr-certificates.pem
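Added example, not part of any post in this thread: the openssl command above saves every certificate the server presented into one file, while the original question concerns a self-signed certificate in that chain. This script splits the saved output into one PEM file per certificate and selects the self-issued one (or, if none was sent, the last certificate in the chain) as the candidate to import. The function names, the sample transcript and the `Example Corp` names are constructed for illustration.

```shell
# Added example, not from the thread. FILE is the saved output of:
#   openssl s_client -showcerts -servername ghcr.io -connect ghcr.io:443
# split_chain FILE DIR: write DIR/cert-N.pem for each certificate in the
# chain listing and print N, subject and issuer (tab-separated) for each one.
split_chain() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /^ *[0-9]+ s:/ { n = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0; have = 1; next }
        /^ *i:/        { sub(/^ *i:/, ""); iss = $0; next }
        have && /^-----BEGIN CERTIFICATE-----/ { out = dir "/cert-" n ".pem"; copy = 1 }
        copy           { print > out }
        copy && /^-----END CERTIFICATE-----/ {
            close(out); copy = 0; have = 0
            printf "%s\t%s\t%s\n", n, subj, iss
        }' "$1"
}

# pick_ca: read that listing on stdin; print the index of the first self-issued
# certificate (subject == issuer), or of the last certificate sent if none is.
pick_ca() {
    awk -F '\t' '!hit && $2 == $3 { print $1; hit = 1 } { last = $1 }
                 END { if (!hit && NR) print last }'
}

# ca_pem FILE DIR: print the path of the PEM file that pick_ca selects.
ca_pem() {
    idx=$(split_chain "$1" "$2" | pick_ca)
    [ -n "$idx" ] && printf '%s/cert-%s.pem\n' "$2" "$idx"
}

# sample_output: constructed transcript; names and certificate bodies are placeholders.
sample_output() {
    cat <<'EOF'
Certificate chain
 0 s:CN = ghcr.io
   i:O = Example Corp, CN = Example Corp Proxy CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERLEAF
-----END CERTIFICATE-----
 1 s:O = Example Corp, CN = Example Corp Proxy CA
   i:O = Example Corp, CN = Example Corp Proxy CA
-----BEGIN CERTIFICATE-----
CONSTRUCTEDPLACEHOLDERCA
-----END CERTIFICATE-----
EOF
}
```

Inspect the selected file with `openssl x509 -in chain/cert-1.pem -noout -subject -issuer -fingerprint -sha256` and compare the fingerprint with the one your organisation publishes for its proxy CA. Only then pass that file to the `keytool -import` command from the thread via `-file`.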
I have the same problem but on Windows on one machine at a customer. I tried to use the keytool as mentioned above to import the pem file but the error persists.
Is there a way to download and install these packages manually?
@proitcon, this is an old issue. Can you please open a new one and someone on our team can help you? Include the error messages and things you have tried already.