I'm trying to get the example running in the official spring boot documentation here: https://spring.io/guides/gs/spring-boot/#initial

I cd to my gitprojects folder and do

$ git clone https://github.com/spring-guides/gs-spring-boot.git

Cloning into 'gs-spring-boot'...
remote: Enumerating objects: 1348, done.
remote: Total 1348 (delta 0), reused 0 (delta 0), pack-reused 1348
Receiving objects: 100% (1348/1348), 776.07 KiB | 3.48 MiB/s, done.
Resolving deltas: 100% (894/894), done.

I then

cd gs-spring-boot/complete

I then

$ ./gradlew bootRun

Downloading https://services.gradle.org/distributions/gradle-5.6.3-bin.zip

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

If the simplest possible official example doesn't work, how are we to get real (difficult) ones to work?

user3217883
  • Update CA certs on your build machine first – rkosegi Mar 04 '20 at 20:48
  • Devil's in the details. Can you elaborate please? – user3217883 Mar 04 '20 at 20:49
  • what java version do you have? You may see this issue if you are using Self-Signed certificate or a certificate that is issued by an internal Certificate Authority or if your clients (e.g. browser, java) are outdated. The trust is handled by having root and intermediate (may not be required if using the default JVM security setting) certificates of your SSL certificate on a trusted keystore. – Toerktumlare Mar 04 '20 at 20:50
  • So your build is trying to fetch artifacts from a remote store via HTTPS, but your client (Gradle in this case) is not able to verify that the server you're connecting to is trusted. Usually this is because your local CA trust database is old. – rkosegi Mar 04 '20 at 20:53
  • $ java -version java version "1.8.0_211" Java(TM) SE Runtime Environment (build 1.8.0_211-b12) Java HotSpot(TM) 64-Bit Server VM (build 25.211-b12, mixed mode) – user3217883 Mar 04 '20 at 20:56
  • I updated my Trusted Root Certification Authority certs using the STL method described here: http://woshub.com/updating-trusted-root-certificates-in-windows-10/ but same error. – user3217883 Mar 04 '20 at 21:36

1 Answer

The JVM uses its truststore to check whether the host is trusted or not. The JVM truststore is located in $JAVA_HOME/jre/lib/security/cacerts. You can list the root certificates located there with

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

After you are prompted for the password, enter changeit. The Gradle distributions page https://services.gradle.org/distributions/ has Baltimore CyberTrust Root as its root CA; you could check it with a browser. So you have to check whether this certificate is located in the JVM truststore. If not, then you have to update your JVM or add this certificate to the truststore of your existing JVM. Additional info: keytool

  • where exactly is Baltimore CyberTrust Root cert located? I see lots of files at the url you provided. – user3217883 Mar 04 '20 at 22:52
  • I see this in my cacerts: Alias name: baltimorecybertrustca [jdk] Creation date: Aug 25, 2016 Entry type: trustedCertEntry Owner: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE Serial number: 20000b9 Valid from: Fri May 12 12:46:00 MDT 2000 until: Mon May 12 17:59:00 MDT 2025 – user3217883 Mar 04 '20 at 22:57
  • so it would seem I already have it and is still valid – user3217883 Mar 04 '20 at 22:58
  • You could try to activate debug output in Gradle (I don't know how, but I think it should be possible) just to find out from which URL exactly you receive the exception listed above. And by the way, I tried out the Spring project you mentioned and it works fine (download, compile and run), so there is no general issue with it. – Sergej Masljukow Mar 05 '20 at 06:34
  • I am behind a corporate proxy server. I've read that proxy servers change the certs. I also noticed that there are certs in the windows certmgr that are not in the java cacerts. I'm researching how to export those and import them into cacerts. – user3217883 Mar 05 '20 at 21:16
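
The last comment suspects that a corporate proxy replaces the server certificate. One way to confirm that before changing cacerts, as an added example that is not part of the original thread: a shell helper that reads `openssl s_client -showcerts` output and compares the CA at the top of the presented chain with the root the answer names. The function names and both sample chains are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Live input would come from:
#   openssl s_client -connect services.gradle.org:443 \
#     -servername services.gradle.org -showcerts </dev/null 2>/dev/null
# (behind a proxy, OpenSSL 1.1.0+ accepts -proxy HOST:PORT; placeholder values)

EXPECTED_ROOT='Baltimore CyberTrust Root'   # root CA named in the answer

# Print the CN of every issuer line ("   i:...") from s_client output, in chain
# order. Accepts both "/O=x/CN=y" and "O = x, CN = y" name formats.
chain_issuers() {
    sed -n 's|^ *i:.*CN *= *\([^,/]*\).*$|\1|p'
}

# The last issuer printed is the CA at the top of the presented chain.
top_issuer() {
    chain_issuers | tail -n 1
}

# Prints expected:<CN>, unexpected:<CN> or no-chain; returns 0, 1 or 2.
check_chain() {
    top=$(top_issuer)
    if [ -z "$top" ]; then echo "no-chain"; return 2; fi
    if [ "$top" = "$EXPECTED_ROOT" ]; then echo "expected:$top"; return 0; fi
    echo "unexpected:$top"; return 1
}

# Constructed sample: chain seen on a direct connection (newer name format).
sample_direct() {
    cat <<'EOF'
Certificate chain
 0 s:CN = services.gradle.org
   i:C = US, O = Example Issuing CA Inc, CN = Example Issuing CA
 1 s:C = US, O = Example Issuing CA Inc, CN = Example Issuing CA
   i:C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
EOF
}

# Constructed sample: chain re-signed by an inspecting proxy (older format).
sample_proxied() {
    cat <<'EOF'
Certificate chain
 0 s:/CN=services.gradle.org
   i:/O=Example Corp/CN=Example Corp Inspection CA
EOF
}

sample_direct  | check_chain || true   # prints expected:Baltimore CyberTrust Root
sample_proxied | check_chain || true   # prints unexpected:Example Corp Inspection CA
```

An unexpected issuer means the certificate to add is the proxy's root, obtained from the organization and checked against its published fingerprint, for example with `keytool -importcert -alias <alias> -file <corp-root.pem> -keystore $JAVA_HOME/jre/lib/security/cacerts`. Importing a root into cacerts makes that JVM trust every certificate the CA issues, so it belongs only on machines that already sit behind that proxy.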