scala sbt and corporate proxy - SunCertPathBuilderException

Question

When I try to use SBT some files cannot be downloaded with the following error:

Server access Error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target url=https://repo1.maven.org/maven2/org/scala-sbt/sbt/1.0.0-M4/sbt-1.0.0-M4.jar

I have followed some advice on Stack Overflow and imported the corporate proxy SSL certificate with the java keytool as described in: SSL certificate problem in a web service proxy

It does not seems to affect the SBT tool. Does it look in a different keystore? Any ideas?

If I paste the URL on the browser the file downloads.

I get this error when simply running the SBT tool I have installed. When I try to create a SBT project on IntelliJ Idea and update it, it gives me the same error with different URLs. Same thing when trying to use the lightbend activator.

Answer 1

So this happens when you are behind a proxy and we need the proxy server certificate to be added to the java truststore

cp $JAVA_HOME/jre/lib/security/cacerts <some accessible dir>/
# Get the certificate of the proxy server and store it in a file-proxy.pem
keytool -keystore cacerts -import -file proxy.pem -alias my_proxy
# Now we can invoke sbt with following config
sbt  "-Djavax.net.ssl.trustStore=/path/to/included/proxycert/cacerts" compile

Answer 2

If I recall correctly, SBT indirectly uses an old version of apache commons httpclient (3.1) which doesn't respect the java system properties for specifying truststores by default.

I can think of three potential solutions:

1. Use a proxy repository like artifactory so SBT can only has to connect to the proxy and the proxy can take care of https outwards via the corporate proxy.

2. Install the corporate issuing certificate into the default truststore for the JVM (usually %JDK_HOME%/jre/lib/security/cacerts). You would have to do this each time you run a new JRE.

3. Try using coursier. It's a plugin for SBT which provides a different way of fetching dependencies that does not go through apache httpclient. It uses an http library which I think should respect the java system properties for truststore. It's also much faster.

Answer 3

This solved the problem:

Add -Djavax.net.ssl.trustStore="C:\Program Files\Java\jre1.8.0_121\lib\security\cacerts" to the sbt config file (sbtconfig).

If using IntelliJ Idea, click on "SBT Settings" -> JVM Options -> VM Parameters and add the same line.

The path is the path to the cacerts file that resides on the JDK path -> lib -> security.

It is necessary to import the proxy certificate with the keystore tool, as described in: SSL certificate problem in a web service proxy

Answer 4

Assuming you are under windows, which is of course configured correctly you can instead:

1. Download the certificate. Right-Click -> Install Certificate -> Local Machine -> Automatically.
2. Update C:\Program Files (x86)\sbt\conf\sbtconfig.txt

-Djavax.net.ssl.trustStore=C:\\Windows\\win.ini
-Djavax.net.ssl.trustStoreType=Windows-ROOT

Then if you use IntelliJ, you can add these parameters into the "VM parameter" of your sbt project settings.

Answer 5

This error can also happen if you use an outdated Java version. I've got this error using Java version 1.8.0_45-b14. Updating to Java version 11.0.2+7 (2018-10-16) solved it for me.

Just for reference, the full error message I got was:

[error] typesafe-ivy-releases: unable to get resource for com.geirsson#sbt-scalafmt;1.6.0-RC4: res=https://repo.typesafe.com/typesafe/ivy-releases/com.geirsson/sbt-scalafmt/1.6.0-RC4/jars/sbt-scalafmt.jar: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Switching to the newer Java version solved it instantly.

Answer 6

In my case it was the wrong content of SBT_OPTS environmental variable

Answer 7

1. Download certificates for the URLs for which it is failing.

   1.1. Copy the URL and paste it in the browser.

   1.2. Beside the address bar on the browser there is a lock symbol, click on it.

   1.3 Click on "Connection is sure"

   1.4 Click on "Certificate is valid"

   1.5 Click on Details in the tab

   1.6 Export the certificate in Base64 format

2. Goto to the following location (change as per you own JDK version):

cd /Library/Java/JavaVirtualMachines/jdk-17.0.5.jdk/Contents/Home/lib/security/

3. Make cacerts writable

sudo chmod -R 777 /Library/Java/JavaVirtualMachines/jdk-17.0.5.jdk/Contents/Home/lib/security/cacerts

4. Use the following command to install certificates

keytool -importcert -file /Users/IN45599512/Downloads/_.jfrog.io.cer  -trustcacerts -keystore "/Library/Java/JavaVirtualMachines/jdk-17.0.5.jdk/Contents/Home/lib/security/cacerts"
    
keytool -importcert -file /Users/IN45599512/Downloads/ repo1.maven.org.cer  -trustcacerts -keystore "/Library/Java/JavaVirtualMachines/jdk-17.0.5.jdk/Contents/Home/lib/security/cacerts"

If prompted for password, use “changeit”

5. Changing Permissions for cacerts again back

sudo chmod -R 644 /Library/Java/JavaVirtualMachines/jdk-17.0.5.jdk/Contents/Home/lib/security/cacerts

Answer 8

On MacOS, I solved it by running the sbt command with sudo.