8

I'm trying to run lenskit-hello according to their instructions. When I run `./gradlew build`, I receive the error:

```
(base) Briennas-MBP:lenskit-hello-master briennakh$ ./gradlew build
:compileJava

FAILURE: Build failed with an exception.

* What went wrong:
Could not resolve all dependencies for configuration ':compileClasspath'.
> Could not resolve org.lenskit:lenskit-all:3.0-M3.
  Required by:
      :lenskit-hello-master 4.50.57 AM:unspecified
   > Could not resolve org.lenskit:lenskit-all:3.0-M3.
      > Could not get resource 'https://repo1.maven.org/maven2/org/lenskit/lenskit-all/3.0-M3/lenskit-all-3.0-M3.pom'.
         > Could not GET 'https://repo1.maven.org/maven2/org/lenskit/lenskit-all/3.0-M3/lenskit-all-3.0-M3.pom'.
            > sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   > Could not resolve org.lenskit:lenskit-all:3.0-M3.
      > Could not get resource 'https://jcenter.bintray.com/org/lenskit/lenskit-all/3.0-M3/lenskit-all-3.0-M3.pom'.
         > Could not GET 'https://jcenter.bintray.com/org/lenskit/lenskit-all/3.0-M3/lenskit-all-3.0-M3.pom'.
            > sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output.

BUILD FAILED

Total time: 4.009 secs
```

I am using Java 1.8.0_241 (and only that one is installed) on MacOS Mojave 10.14.6. I've installed the most recent security updates, then restarted my computer. I have attempted this on my regular wifi and on my phone's hotspot.

I followed instructions in the accepted answer here, downloading the security certificates from both https://repo1.maven.org/maven2/org/lenskit/lenskit-all/3.0-M2/lenskit-all-3.0-M2.pom and https://oss.sonatype.org/content/repositories/snapshots/org/lenskit/lenskit-all/3.0-M2/lenskit-all-3.0-M2.pom and adding them to the keystore via the following command (only showing one of two):

```
keytool -import -alias maven -file /Users/briennakh/Downloads/maven.cer -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_241.jdk/Contents/Home/jre/lib/security/cacerts
```

Then if I check

```
keytool -list -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_241.jdk/Contents/Home/jre/lib/security/cacerts | grep maven
```

it shows that my certificate has been added, `maven, Mar 17, 2020, trustedCertEntry,` yet I'm still getting the same error when running `./gradlew build`?

I also checked `openssl x509 -in /Users/briennakh/Downloads/maven.pem -text` to make sure that the certificate looks all right.

brienna
  • 1,415
  • 1
  • 18
  • 45

2 Answers

8

That SSL certificate is not self-signed to begin with, therefore it does not require manual adding. Try re-installing Java or setting an alternate install location as `$JAVA_HOME`, with a default `cacerts` file. Something seems to be broken, as it should not reject the certificate for repo1.maven.org. `ls -la $JAVA_HOME/jre/lib/security/cacerts` says `cacerts` should have about 114757 bytes. If you're behind a firewall, you might need to configure a proxy for Gradle.

This should attempt an SSL session (not through Java):

```
$ openssl s_client -connect repo1.maven.org:443
```

This project also uses a rather outdated version of Gradle, e.g.:

```
distributionUrl=https\://services.gradle.org/distributions/gradle-5.6.4-all.zip
```

Martin Zeitler
  • 1
  • 19
  • 155
  • 216
  • I have tried uninstalling and reinstalling Java, wiping my computer and reinstalling the OS. I have tried on my wifi, my school's wifi, my phone's hotspot. When I open that SSL session, I see these lines among other lines: `Verification error: unable to get local issuer certificate` and `Verify return code: 20 (unable to get local issuer certificate)` -- is this normal? – brienna Mar 22 '20 at 03:20
  • I followed the steps in http://movingpackets.net/2015/03/18/telling-openssl-about-your-root-certificates/ and got that openssl command to return ok by specifying `-CAfile`, so I exported the CAfile to SSL_CERT_FILE. But the problem still is there with java – brienna Mar 22 '20 at 05:23
  • `$JAVA_HOME/jre/lib/security/cacerts` should be the same as passing `-CAfile`. Try `keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts | grep DigiCert` to see if that keystore works and knows about DigiCert, which is the issuer of the certificate in question. – Martin Zeitler Mar 23 '20 at 13:15
  • `openssl s_client -CAfile $JAVA_HOME/jre/lib/security/cacerts -connect repo1.maven.org:443` would _eventually_ connect with `openssl`, but still use the Java keystore (assuming it can read the format). This would be the CA certificate required to validate the chain: [DigiCertSHA2SecureServerCA.crt](http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt) – Martin Zeitler Mar 23 '20 at 13:27
1

Setting my project Gradle JDK version to that used by `JAVA_HOME` solved it.

Chris Sprague
  • 3,158
  • 33
  • 24
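
The fix reported in this answer is consistent with the build running on a different JDK than the one whose `cacerts` received the `keytool -import` in the question. As an added example (not code from the thread), the shell helper below locates each JDK home's default truststore and reports whether it is byte-identical to the one that was edited; the function names and the demo directory layout are constructed for illustration.

```shell
# Added example (not from the thread): compare the default truststores of
# several JDK homes to see whether a keytool import reached the JVM in use.

# Print the default truststore of a JDK home. JDK 8 keeps it under
# jre/lib/security; JDK 9+ (and a standalone JRE) under lib/security.
cacerts_path() {
    local candidate
    for candidate in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# 0 = byte-identical truststores, 1 = different, 2 = one is missing.
same_truststore() {
    local a b
    a=$(cacerts_path "$1") || return 2
    b=$(cacerts_path "$2") || return 2
    cmp -s "$a" "$b"
}

# One line per JDK home (status, size in bytes, path); first argument is the reference.
audit_truststores() {
    local ref home path status
    ref=$1
    for home in "$@"; do
        if ! path=$(cacerts_path "$home"); then
            printf 'MISSING 0 %s\n' "$home"
            continue
        fi
        if same_truststore "$ref" "$home"; then status=SAME; else status=DIFFERS; fi
        printf '%s %d %s\n' "$status" "$(( $(wc -c < "$path") ))" "$path"
    done
}

# Constructed demo: two fake JDK homes whose truststore bytes differ.
demo() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "$tmp/jdk8/jre/lib/security" "$tmp/jdk11/lib/security"
    printf 'stock-cas+maven' > "$tmp/jdk8/jre/lib/security/cacerts"
    printf 'stock-cas' > "$tmp/jdk11/lib/security/cacerts"
    audit_truststores "$tmp/jdk8" "$tmp/jdk11"
    rm -rf "$tmp"
}
demo
```

On macOS, `/usr/libexec/java_home -V` lists the installed JDK homes to pass as arguments; put the JDK whose `cacerts` was modified first. A `DIFFERS` line for the JDK the build actually runs on means the import never reached that JVM.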