bazel icon indicating copy to clipboard operation
bazel copied to clipboard
verified publisher icon bazelbuild

Issue with SSL certificate verification while fetching repositories

Open Ryan-Boustany opened this issue 1 year ago • 4 comments

Hey I am trying to run a command bazelisk build :all in on of my librarys. I am running into this error:

Any help would be greatly appreciated :)

WARNING: Download from https://mirror.bazel.build/github.com/bazelbuild/rules_java/archive/166a046a27e118d578127759b413ee0b06aca3cd.tar.gz failed: class javax.net.ssl.SSLHandshakeException PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target WARNING: Download from https://github.com/bazelbuild/rules_java/archive/166a046a27e118d578127759b413ee0b06aca3cd.tar.gz failed: class javax.net.ssl.SSLHandshakeException PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target ERROR: An error occurred during the fetch of repository 'rules_java': java.io.IOException: Error downloading [https://mirror.bazel.build/github.com/bazelbuild/rules_java/archive/166a046a27e118d578127759b413ee0b06aca3cd.tar.gz, https://github.com/bazelbuild/rules_java/archive/166a046a27e118d578127759b413ee0b06aca3cd.tar.gz] to /private/var/tmp/_bazel_boustry/287eb8ada5cb1ef597fcf96f64786701/external/rules_java/166a046a27e118d578127759b413ee0b06aca3cd.tar.gz: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target ERROR: Skipping ':all': while parsing ':all': no such package '@rules_java//java': java.io.IOException: Error downloading [https://mirror.bazel.build/github.com/bazelbuild/rules_java/archive/166a046a27e118d578127759b413ee0b06aca3cd.tar.gz, https://github.com/bazelbuild/rules_java/archive/166a046a27e118d578127759b413ee0b06aca3cd.tar.gz] to /private/var/tmp/_bazel_boustry/287eb8ada5cb1ef597fcf96f64786701/external/rules_java/166a046a27e118d578127759b413ee0b06aca3cd.tar.gz: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target WARNING: Target pattern parsing failed. ERROR: while parsing ':all': no such package '@rules_java//java': java.io.IOException: Error downloading [https://mirror.bazel.build/github.com/bazelbuild/rules_java/archive/166a046a27e118d578127759b413ee0b06aca3cd.tar.gz, https://github.com/bazelbuild/rules_java/archive/166a046a27e118d578127759b413ee0b06aca3cd.tar.gz] to /private/var/tmp/_bazel_boustry/287eb8ada5cb1ef597fcf96f64786701/external/rules_java/166a046a27e118d578127759b413ee0b06aca3cd.tar.gz: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Ryan-Boustany avatar Oct 16 '24 04:10 Ryan-Boustany

@hvadehra

iancha1992 avatar Oct 16 '24 17:10 iancha1992

This does not look like an issue with rules_java, but with Bazel being unable to download it due to SSL errors. This is likely an issue with your local JDK / cacerts. You could try running your bazel commands like so:

bazel --host_jvm_args="-Djavax.net.debug=ssl" build //foo:bar

and see if the output give you some useful info.

Aside: the version of rules_java you're fetching is ancient and unsupported at this point. Please consider upgrading :)

hvadehra avatar Oct 17 '24 07:10 hvadehra

Hey @hvadehra , thank you for the Advice!

Seems to be a ssl verification issue with certificate. Do you have any advice on how to disable ssl verification when running a build.

Ryan-Boustany avatar Oct 18 '24 01:10 Ryan-Boustany

Thanks for confirming. Since this is not rules_java specific, I'm going to reword the title and move this to the Bazel repo for the OSS team to provide better guidance.

Preemptively, what are your bazel & jdk verions?

I ask because the most probable cause for this failure mode is that you're using a very old Bazel installation with certificates that have since been revoked. Upgrading to newer versions should generally make the issue go away.

If for some reason that is not an option for you, see https://stackoverflow.com/questions/9619030 for possible mitigations.

If those are also not feasible in your setup, see https://stackoverflow.com/questions/4663147 for a (not recommended) workaround (the flag in question will need to be passed to Bazel via the --host_jvm_args flag as in my previous comment).

hvadehra avatar Oct 18 '24 06:10 hvadehra

Thanks sounds good @hvadehra. I am using Bazelisk however and my project requires version 2.2.0. How/where can I add my -Dcom.sun.net.ssl.checkRevocation=false flag to install things correctly.

For context I am trying to follow this older Updating to a new version of libphonenumber instructions here: https://github.com/Ryan-Boustany/intl-tel-input/blob/v17.0.21/.github/CONTRIBUTING.md to try and update that library.

Any advice would be greatly appreciated. :)

Ryan-Boustany avatar Oct 20 '24 23:10 Ryan-Boustany