
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Open Marcel176 opened this issue 1 year ago • 4 comments

What happened?

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Relevant log output or stack trace

No response

Steps to reproduce

No response

CodeGPT version

2.0.6

Operating System

None

Marcel176 avatar Sep 02 '23 11:09 Marcel176

I'm having the same, while behind a re-signing proxy. Is there a way to have the plugin trust some certificates?

Here are my logs:

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
	at java.base/sun.security.ssl.CertificateStatus$CertificateStatusAbsence.absent(CertificateStatus.java:362)
	at java.base/sun.security.ssl.ServerKeyExchange$ServerKeyExchangeConsumer.consume(ServerKeyExchange.java:112)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
	at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
	at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
	at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
	at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
	at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
	at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
	at okhttp3.internal.connection.RealCall$AsyncCall.run(RealCall.kt:517)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
	at java.base/sun.security.validator.Validator.validate(Validator.java:264)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
	... 31 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
	... 36 more
2024-02-15 15:28:55,993 [  42897] SEVERE - #ee.carlrobert.codegpt.toolwindow.chat.ToolWindowCompletionResponseEventListener - IntelliJ IDEA 2023.3.3  Build #IU-233.14015.106
2024-02-15 15:28:55,993 [  42897] SEVERE - #ee.carlrobert.codegpt.toolwindow.chat.ToolWindowCompletionResponseEventListener - JDK: 17.0.9; VM: OpenJDK 64-Bit Server VM; Vendor: JetBrains s.r.o.
2024-02-15 15:28:55,993 [  42897] SEVERE - #ee.carlrobert.codegpt.toolwindow.chat.ToolWindowCompletionResponseEventListener - OS: Mac OS X
2024-02-15 15:28:55,994 [  42898] SEVERE - #ee.carlrobert.codegpt.toolwindow.chat.ToolWindowCompletionResponseEventListener - Plugin to blame: CodeGPT version: 2.2.12

mborgraeve avatar Feb 15 '24 20:02 mborgraeve

I've got a surprising finding. I'm on Linux with an LLM under own certificate. The certificate is set under /etc/ssl/certs/* as described at https://www.jetbrains.com/help/idea/ssl-certificates.html#technical_details. The error occurs with the bundled JBR (https://www.jetbrains.com/help/idea/switching-boot-jdk.html), and after I choose an external openjdk21, CodeGPT works like a charm. Have no idea why.

Here are a few comments regarding approaches mentioned in #480:

  • Certificate in IntelliJ (File -> Tools -> Server Certificates): I don't think it works, because CodeGPT just opens an OkHttp client without obtaining these certs from any of IDEA's facilities. However, if IDEA runs under an external JDK, it obtains system-wide certs just fine.
  • Re keytool: when we import a cert with keytool we provide a password; if we do, shouldn't we pass the same password to IDEA? How do we do that, and where? I don't think it works.

mkhludnev avatar Oct 02 '24 11:10 mkhludnev

Hi Mikhail,

IntelliJ has its own JRE, so the certificate must be added to the correct location. Have you tried the following? - https://github.com/carlrobertoh/CodeGPT/issues/480#issuecomment-2317153421

carlrobertoh avatar Oct 03 '24 09:10 carlrobertoh

Thanks @carlrobertoh. As I wrote, for some reason IntelliJ's own JRE ignores Linux certs at /etc/ssl/certs/* and a manually installed OpenJDK finds them fine. It's just a mitigation measure worth knowing for Linux users. I'll look further into JBR (as it's called).

mkhludnev avatar Oct 03 '24 12:10 mkhludnev
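
A diagnostic for the question this thread keeps returning to, added here as an example and not code from CodeGPT or JetBrains: a TLS client that sets no trust manager of its own validates against the default truststore of the Java runtime it runs in, so running the same small program under each runtime shows which store that runtime reads and whether a given CA certificate is among its trust anchors. The class name `TrustCheck`, its helper methods and the CA file passed as an argument are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical diagnostic (not part of CodeGPT): usage  java TrustCheck [ca.pem]
public class TrustCheck {
    // Trust anchors of the JVM's default TrustManager (used when a client sets none).
    static X509Certificate[] defaultAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM's default truststore
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }
    // File the default lookup reads: system property, else jssecacerts, else cacerts.
    static String trustStoreLocation() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) return override + " (javax.net.ssl.trustStore)";
        Path dir = Path.of(System.getProperty("java.home"), "lib", "security");
        Path jsse = dir.resolve("jssecacerts");
        return (Files.exists(jsse) ? jsse : dir.resolve("cacerts")).toString();
    }

    public static void main(String[] args) throws Exception {
        X509Certificate[] anchors = defaultAnchors();
        System.out.println("java.home     : " + System.getProperty("java.home"));
        System.out.println("truststore    : " + trustStoreLocation());
        System.out.println("trust anchors : " + anchors.length);
        if (args.length == 0) return;
        try (InputStream in = new FileInputStream(args[0])) { // PEM or DER CA certificate
            X509Certificate ca = (X509Certificate)
                CertificateFactory.getInstance("X.509").generateCertificate(in);
            boolean trusted = java.util.Arrays.asList(anchors).contains(ca);
            System.out.println("CA subject    : " + ca.getSubjectX500Principal());
            System.out.println("trusted       : " + trusted);
        }
    }
}
```

Compile it once and run the class with the `java` binary of each runtime being compared; a `trusted : false` result under one of them identifies the truststore file that still needs the CA imported.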