Embedded JDK ignores system cacerts #5741

@kivoli

Description of the problem / feature request:

Before Bazel 0.16 at least the Debian packages depended on the system jdk.

```
Depends: google-jdk | java8-sdk-headless | java8-jdk | java8-sdk | oracle-java8-installer, g++, zlib1g-dev, bash-completion
```

Bazel 0.16 apparently embeds the JDK which fundamentally changes the behaviour at least in regards to cacerts. The custom CA certificates that have been added to the system certificate store are of course missing in the embedded JDK’s cacerts:

```
ERROR: /project/BUILD:13:1: no such package '@some_stuff//': Error cloning repository: https://gitlab.example.com/example/some_stuff.git: Secure connection to https://gitlab.example.com/example/some_stuff.git could not be stablished because of SSL problems caused by https://gitlab.example.com/example/some_stuff.git: Secure connection to https://gitlab.example.com/example/some_stuff.git could not be stablished because of SSL problems caused by sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target caused by PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target caused by unable to find valid certification path to requested target and referenced by '//some_other_stuff:some_files'
```

Bugs: what's the simplest, easiest way to reproduce this bug? Please provide a minimal example if possible.

Set up a Vagrant box with Debian Stretch and install Bazel 0.16 from the APT repository (http://storage.googleapis.com/bazel-apt stable jdk1.8). Also install the CACert root CA:

```
apt install ca-certificates
cd /usr/local/share/ca-certificates
wget http://www.cacert.org/certs/root.crt
update-ca-certificates
```

In a folder of your choosing, create

```
# WORKSPACE:
workspace(name = "test_case")
git_repository(
  name = 'cacert',
  remote = 'https://git.cacert.org/cacert.git',
  tag = 'v0.0.1',
)
```

and

```
# BUILD
load("@bazel_tools//tools/build_defs/pkg:pkg.bzl", "pkg_tar")
pkg_tar(
  name = "test_case",
  srcs = ["@cacert//:some_files"],
)
```

Note: This has nothing to do with CACert, but they are the only public site I know that uses a certificate from a CA that’s not in most default certificate bundles.

Now try to “build” the package.

```
bazel build //:all
Starting local Bazel server and connecting to it...
ERROR: /tmp/testcase/BUILD:3:1: no such package '@cacert//': Error cloning repository: https://git.cacert.org/cacert.git: Secure connection to https://git.cacert.org/cacert.git could not be stablished because of SSL problems caused by https://git.cacert.org/cacert.git: Secure connection to https://git.cacert.org/cacert.git could not be stablished because of SSL problems caused by sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target caused by PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target caused by unable to find valid certification path to requested target and referenced by '//:test_case'
ERROR: Analysis of target '//:test_case' failed; build aborted: no such package '@cacert//': Error cloning repository: https://git.cacert.org/cacert.git: Secure connection to https://git.cacert.org/cacert.git could not be stablished because of SSL problems caused by https://git.cacert.org/cacert.git: Secure connection to https://git.cacert.org/cacert.git could not be stablished because of SSL problems caused by sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target caused by PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target caused by unable to find valid certification path to requested target
INFO: Elapsed time: 1.811s
INFO: 0 processes.
FAILED: Build did NOT complete successfully (5 packages loaded)
```

If you use Bazel 0.15 instead the error message will be different:

```
bazel build //:all
Starting local Bazel server and connecting to it...
........
ERROR: /mnt/containers/testcase/BUILD:3:1: no such package '@cacert//': Invalid Git repository URI: Invalid remote: origin and referenced by '//:test_case'
ERROR: Analysis of target '//:test_case' failed; build aborted: no such package '@cacert//': Invalid Git repository URI: Invalid remote: origin
INFO: Elapsed time: 1.873s
INFO: 0 processes.
FAILED: Build did NOT complete successfully (5 packages loaded)
```

Note: If the CACert CA is not installed in the system the error message will be the same as with 0.16.

What operating system are you running Bazel on?

Debian 8 Stretch

What's the output of bazel info release?

```
release 0.16.0
# old:
release 0.15.0
```

What's the output of git remote get-url origin ; git rev-parse master ; git rev-parse HEAD ?

N/A

Have you found anything relevant by searching the web?

!3915 tells me how to override the path to cacerts but it would be better if Bazel just uses the system’s cacerts instead. Personally I think this is a regression breaking backwards compatibility.

Any other information, logs, or outputs that you want to share?

0.16 definitely brings its own cacerts while 0.15 does not even have the jdk folder.

```
# 0.16
find ~/.cache/bazel -name cacerts
/home/vagrant/.cache/bazel/_bazel_vagrant/install/c25ea2c3043bcba07b93dde10595066c/_embedded_binaries/embedded_tools/jdk/lib/security/cacerts
ls /home/vagrant/.cache/bazel/_bazel_vagrant/install/c25ea2c3043bcba07b93dde10595066c/_embedded_binaries/embedded_tools
jdk  platforms  src  third_party  tools  WORKSPACE
# 0.15
ls /home/vagrant/.cache/bazel/_bazel_vagrant/install/ce085f519b017357185750fe457b4648/_embedded_binaries/embedded_tools/
platforms/   src/         third_party/ tools/       WORKSPACE
```
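
A way to check a machine for the trust-store split described in this issue, as an added example that is not part of the original report or of Bazel: it finds every embedded `jdk/lib/security/cacerts` under a Bazel install base, compares each byte-for-byte with the system Java trust store, and prints a bazelrc line that points the Bazel server JVM at the system store through the JVM property `javax.net.ssl.trustStore`. The function names are hypothetical, and `/etc/ssl/certs/java/cacerts` in the usage comment assumes Debian's `ca-certificates-java` package is installed.

```shell
#!/bin/sh
# Added example: audit the trust stores a Bazel install carries.
# Usage (paths are assumptions, adjust to the host):
#   sh audit.sh ~/.cache/bazel /etc/ssl/certs/java/cacerts

# List every embedded JDK trust store below the given directory.
find_embedded_cacerts() {
    find "$1" -type f -path '*/jdk/lib/security/cacerts' 2>/dev/null | sort
}

# Succeed only if both files exist and are byte-identical.
same_store() {
    [ -f "$1" ] && [ -f "$2" ] && cmp -s "$1" "$2"
}

# Print the bazelrc line that makes the Bazel server JVM use the given store.
bazelrc_override() {
    printf 'startup --host_jvm_args=-Djavax.net.ssl.trustStore=%s\n' "$1"
}

# audit_install <install_base> <system_store>
# Returns 1 if any embedded store differs from the system store, which means
# CAs added to the system store are not visible to that Bazel install.
audit_install() {
    find_embedded_cacerts "$1" | {
        rc=0
        n=0
        while IFS= read -r store; do
            n=$((n + 1))
            if same_store "$store" "$2"; then
                echo "SAME    $store"
            else
                echo "DIFFERS $store"
                rc=1
            fi
        done
        # Bazel 0.15 in the report has no jdk folder, so nothing is found.
        [ "$n" -gt 0 ] || echo "no embedded JDK trust store under $1"
        exit "$rc"
    }
}

if [ "$#" -ge 2 ]; then
    audit_install "$1" "$2" || bazelrc_override "$2"
fi
```

A byte difference only shows that the embedded store does not track the system one; listing both with `keytool -list` shows which CA entries are actually missing.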

Labels: P2, team-OSS, type: feature request