Could not install Gradle distribution from ‘https://services.gradle.org/distributions/gradle-6.5-all.zip’

Hi,
I am building Elasticsearch on Red Hat 8 on z System (s390x) following the procedure Building Elasticsearch ( https://github.com/linux-on-ibm-z/docs/wiki/Building-Elasticsearch ), on step 6) Build, considering we have a corporate proxy,
When I ran the following gradlew command:
./gradlew :distribution:archives:oss-linux-s390x-tar:assemble --parallel
I got the error:
"Downloading https://services.gradle.org/distributions/gradle-6.5-all.zip

Exception in thread "main" java.io.IOException: Downloading from https://services.gradle.org/distributions/gradle-6.5-all.zip failed: timeout

"
Then I changed to specifying our corporate proxy:
./gradlew -Dhttps.proxyHost=proxy.xxxxxxxx.net -Dhttps.proxyPort=8080 :distribution:archives:oss-linux-s390x-tar:assemble --parallel
and I got the error:
[pni0ekn@vmlnx1-2 elasticsearch]$ ./gradlew -Dhttps.proxyHost=proxy.belwired.net -Dhttps.proxyPort=8080 :distribution:archives:oss-linux-s390x-tar:assemble --parallel
Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
Downloading https://services.gradle.org/distributions/gradle-6.5-all.zip

Exception in thread "main" javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:325)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:268)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:645)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:445)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:423)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1475)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1381)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:441)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:412)
at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:171)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1600)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1528)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:224)
at org.gradle.wrapper.Download.downloadInternal(Download.java:83)
at org.gradle.wrapper.Download.download(Download.java:66)
at org.gradle.wrapper.Install$1.call(Install.java:68)
at org.gradle.wrapper.Install$1.call(Install.java:48)
at org.gradle.wrapper.ExclusiveFileAccessManager.access(ExclusiveFileAccessManager.java:69)
at org.gradle.wrapper.Install.createDist(Install.java:48)
at org.gradle.wrapper.WrapperExecutor.execute(WrapperExecutor.java:107)
at org.gradle.wrapper.GradleWrapperMain.main(GradleWrapperMain.java:63)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629)
… 24 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
… 29 more

How can I solve this error, considering that the server where I am installing Elasticsearch is behind a corporate proxy?

Thanks
Jose Munoz

Corporate proxies are essentially an allowed MitM attack. The request is encrypted, but the company wants to decrypt it and make sure that there’s nothing bad in it before allowing you to have it. The proxy is terminating the SSL connection with services.gradle.org, then re-encrypting it with a self-signed certificate. This should fail in all other cases except this one where you are willing to trust the MitM (basically because you have to in order to access these from the company network).

Your company should be providing the certificate that they use to re-encrypt proxy traffic. This needs to be in your trust store as a trusted certificate (cacerts). It likely is for your browser, but maybe not your Java installation. This requirement is true for anything using Java and not specific to Gradle.

Alternatively, it is common for companies to run an artifact repository (such as Artifactory or Nexus) which can proxy these dependencies independently and with a valid certificate, without requiring any changes on your side other than specifying the alternate distribution URL.

Hi James,
Thanks for your reply.
I do not know how easy it would be to get from my organization the certificate used to re-encrypt the proxy traffic. Is there a way to bypass this certificate process, like we have with the command curl using the option -k or wget using the option --no-check-certificate?
If I use your second alternative, how can I apply it to my case?
Jose

If your organization is doing this, you can get that certificate from literally any HTTPS request you make through the proxy. The certificate chain shown in your browser will contain that certificate and you can always export it from there (if you don’t want to mess with openssl) and then import it to your Java trust store. Adding another certificate you trust is the way to bypass the normal trusted certificate process.

That’s just not necessarily common knowledge and larger organizations with more than a few developers would generally need to put this on some sort of IT help page to not be dealing with this sort of support request non-stop.

You wouldn’t do this as an individual. This would generally fall to the part of the organization that is running the development tools, which could include an artifact repository.

I would hope whoever is responsible for the network architecture is also responsible for making sure that they have solutions for normal development use cases.

Hi James,
I downloaded the certificate from the browser, following this procedure:

  1. In the browser I opened the URL https://services.gradle.org/ and from there I downloaded the certificate as ds10pi2.cer
  2. I imported the certificate into the JVM truststore cacerts with this command:
    keytool -importcert -trustcacerts -alias "ds10pi2" -keystore /usr/lib/jvm/jdk-14.0.2+12/lib/security/cacerts -file /tmp/ds10pi2.cer
  3. I executed the command gradlew
    ./gradlew -Dhttps.proxyHost=proxy.xxxxxxxx.net -Dhttps.proxyPort=8080 -Djavax.net.ssl.trustStore=$JAVA_HOME/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit :distribution:archives:oss-linux-s390x-tar:assemble --parallel
    where JAVA_HOME=/usr/lib/jvm/jdk-14.0.2+12
    from the beginning I have the same errors:
    Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
    Downloading https://services.gradle.org/distributions/gradle-6.5-all.zip

Exception in thread "main" javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

  4. I verified whether the added cert is in the truststore:
    keytool -list -keystore /usr/lib/jvm/jdk-14.0.2+12/lib/security/cacerts

I do not know how to solve this issue. Any other ideas?

Jose

Double-check the certificate that you downloaded. There should be a chain, but you don’t want the certificate issued for the domain itself. There would normally be a self-signed root certificate that is used to sign certificates generated for the domain visited. The certificate for the domain can change on virtually every request, but the signer should be consistent.

I’ve had to deal with this sort of proxy setup for almost a decade, but I no longer have a real world example to demonstrate with. The organization recently decided to stop doing this and transparently proxy HTTPS.

Hi James,
I cannot see any root certificate for the gradle domain or for the proxy.
I think the problem is with authentication in our proxy server; I must whitelist this URL:
https://downloads.gradle-dn.com/

Because when I tested with wget I got warnings pointing to downloads.gradle-dn.com

Here is the results of the testing with wget:
wget https://services.gradle.org/distributions/gradle-6.5-all.zip --no-check-certificate


Connecting to proxy… connected.
WARNING: The certificate of ‘services.gradle.org’ is not trusted.
WARNING: The certificate of ‘services.gradle.org’ hasn’t got a known issuer.
Proxy request sent, awaiting response… 301 Moved Permanently
Location: https://downloads.gradle-dn.com/distributions/gradle-6.5-all.zip [following]

Connecting to proxy … connected.
WARNING: The certificate of ‘downloads.gradle-dn.com’ is not trusted.
WARNING: The certificate of ‘downloads.gradle-dn.com’ hasn’t got a known issuer.
Proxy request sent, awaiting response… 200 OK
Length: 145767155 (139M) [application/zip]
Saving to: ‘gradle-6.5-all.zip’

gradle-6.5-all.zip 100%[========================================================================================>] 139.01M 756 B/s in 54s

Can you check the warning errors?
I can download with wget, but the gradlew command is failing.

Hi James,
Could you please check in your browser whether you can see the CA cert when you access https://services.gradle.org/distributions/gradle-6.5-all.zip?
I cannot see any CA cert of our proxy.
Is there another way to get the CA certificate from our proxy?
Do you know another forum where I can request support for gradlew?
Thanks,

Yes, I have full chains (root, intermediate, server) in both cases. The gradle.org certificate has a SAN of *.gradle.org, so it’s good for services.gradle.org as well.

Are you saying that you don’t see anything but a single self-signed certificate when accessing these domains through your proxy?

Hi James,
Regarding those certs, I can only see our proxy cert and under it the gradle cert, but using my own computer and internet, I can now see those six certificates. I can download them and later copy and import them onto my job Linux server. Could you please tell me which of the six (6) certificates I need to download and import into the Java keystore cacerts? In addition, do I need our proxy CA certificate? Do I need to create a CA cert for my Linux server?

I ran gradlew with -Djavax.net.debug=all and these are the results. Can you look at them?
javax.net.ssl|DEBUG|01|main|2020-09-01 08:16:27.077 CEST|SSLContextImpl.java:993|keyStore is : /usr/lib/jvm/jdk-14.0.2+12/lib/security/cacerts
javax.net.ssl|DEBUG|01|main|2020-09-01 08:16:27.077 CEST|SSLContextImpl.java:994|keyStore type is : pkcs12
javax.net.ssl|DEBUG|01|main|2020-09-01 08:16:27.077 CEST|SSLContextImpl.java:996|keyStore provider is :
javax.net.ssl|ALL|01|main|2020-09-01 08:16:27.080 CEST|SSLContextImpl.java:1031|init keystore
javax.net.ssl|DEBUG|01|main|2020-09-01 08:16:27.122 CEST|SSLContextImpl.java:1054|init keymanager of type SunX509
javax.net.ssl|ALL|01|main|2020-09-01 08:16:27.123 CEST|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|01|main|2020-09-01 08:16:27.124 CEST|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|WARNING|01|main|2020-09-01 08:16:27.197 CEST|SignatureScheme.java:295|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|01|main|2020-09-01 08:16:27.197 CEST|SignatureScheme.java:295|Signature algorithm, ed448, is not supported by the underlying providers

Hi James,
I imported all 6 gradle certificates plus the cert of our proxy into $JAVA_HOME/lib/security/cacerts and I got the errors:
javax.net.ssl|DEBUG|01|main|2020-09-01 10:38:14.110 CEST|SSLContextImpl.java:993|keyStore is : /usr/lib/jvm/jdk-14.0.2+12/lib/security/cacerts
javax.net.ssl|DEBUG|01|main|2020-09-01 10:38:14.110 CEST|SSLContextImpl.java:994|keyStore type is : pkcs12
javax.net.ssl|DEBUG|01|main|2020-09-01 10:38:14.110 CEST|SSLContextImpl.java:996|keyStore provider is :
javax.net.ssl|ALL|01|main|2020-09-01 10:38:14.111 CEST|SSLContextImpl.java:1031|init keystore
javax.net.ssl|DEBUG|01|main|2020-09-01 10:38:14.149 CEST|SSLContextImpl.java:1054|init keymanager of type SunX509
javax.net.ssl|ALL|01|main|2020-09-01 10:38:14.150 CEST|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|01|main|2020-09-01 10:38:14.151 CEST|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|WARNING|01|main|2020-09-01 10:38:14.398 CEST|SignatureScheme.java:295|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|01|main|2020-09-01 10:38:14.400 CEST|SignatureScheme.java:295|Signature algorithm, ed448, is not supported by the underlying providers

You don’t need to add any of those certificates. The root certificate is from a well-known trusted certificate authority and is already present in the trust stores used by your browser and included in Java’s cacerts. This certificate chain would already be trusted, but your proxy is stepping into the middle and interfering.

You’re saying you have a two certificate chain? Good, that’s what you’re supposed to have. The Gradle cert isn’t really a Gradle certificate. It’s the imposter certificate that your proxy is generating. It’s signed by the proxy certificate above it in the chain. That proxy certificate is the self-signed root certificate you need to be exporting on its own and importing into cacerts. You don’t want a chain here, just the self-signed root certificate for the proxy.

And to clarify, in this context, the root certificate is the self-signed certificate at the top of the chain. There is zero expectation of 3 certificates here. Just the two, the self-signed root for the proxy and the server certificate is it. When you look at different requests in the browser, the server certificate should be different each time, but the proxy self-signed root should be the same.

Earlier in the thread, I was asking you to verify that you only got the self-signed root, not the server certificate. The server certificate is not the one you want. If there’s only 2, you want the top one, not the bottom one.

1 Like
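
The selection step described in the reply above (take the self-signed certificate at the top of the chain, not the per-site server certificate below it) can be scripted. This is an added example, not part of the thread: the function names, the alias and the "Demo Proxy Root" chain are constructed for illustration, and it assumes the openssl and keytool command-line tools.

```shell
#!/bin/sh
# Capture the chain the proxy presents (OpenSSL 1.1.0+ for -proxy), then run
# find_self_signed on chain.pem:
#   openssl s_client -proxy proxy.xxxxxxxx.net:8080 -connect services.gradle.org:443 \
#     -servername services.gradle.org -showcerts </dev/null >chain.pem 2>/dev/null

# Split PEM bundle $1 into $2/certN.pem and print the path of each self-signed cert.
find_self_signed() {
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem"; on = 1 }
        on { print > f }
        /-----END CERTIFICATE-----/ { on = 0; close(f) }' "$1"
    for f in "$2"/cert*.pem; do
        [ -f "$f" ] || continue
        subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        # A root is issued to itself and its signature verifies under its own key.
        if [ "$subj" = "$iss" ] && openssl verify -CAfile "$f" "$f" >/dev/null 2>&1; then
            echo "$f"
        fi
    done
}

# Build a CONSTRUCTED two-certificate chain in directory $1, shaped like the one a
# TLS-inspecting proxy presents: chain.pem = generated server cert, then proxy root.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Proxy Root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=services.gradle.org" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 2 -out "$1/leaf.pem" 2>/dev/null
    cat "$1/leaf.pem" "$1/root.pem" > "$1/chain.pem"
}

# Import root PEM $1 under alias $2 into the JVM trust store (path as in the thread).
import_root() {
    keytool -importcert -trustcacerts -noprompt -alias "$2" -file "$1" \
        -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit
}

demo() {
    d=$(mktemp -d) && mkdir "$d/split" && make_demo_chain "$d"
    root=$(find_self_signed "$d/chain.pem" "$d/split")
    openssl x509 -in "$root" -noout -subject -issuer
    echo "to import: import_root $root corp-proxy-root"
}
if [ "${1:-}" = demo ]; then demo; fi
```

If `find_self_signed` prints nothing for a captured chain, the proxy did not send its root in the handshake, and the root has to be exported from a browser's certificate viewer or obtained from the team that runs the proxy.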

Hi James,
Good news: when I additionally installed the proxy certificate it ran fine. Now I have another problem that I know how to solve: whitelisting this URL in our proxy: “https://jcenter.bintray.com/”.
Thanks a lot for your help.

These are the next errors, and I know how to solve them:

Task :buildSrc:compileMinimumRuntimeJava FAILED

FAILURE: Build failed with an exception.

  • What went wrong:
    Execution failed for task ‘:buildSrc:compileMinimumRuntimeJava’.

Could not resolve all files for configuration ‘:buildSrc:minimumRuntimeCompileClasspath’.
Could not resolve junit:junit:4.12.
Required by:
project :buildSrc
Could not resolve junit:junit:4.12.
Could not get resource ‘https://jcenter.bintray.com/junit/junit/4.12/junit-4.12.pom’.
Could not GET ‘https://jcenter.bintray.com/junit/junit/4.12/junit-4.12.pom’. Received status code 407 from server: Proxy Authentication Required

I will keep you updated.
Jose

1 Like