Gradle build fails in offline server

Dhanapal · February 6, 2023, 1:34pm

I have a high security banking application. With gradle 6.1 and JDK 1.8, We are able to build spring boot micro services . This works fine with Internet access. When we try to build it in docker container in offline server. We are getting this error.

Error 1:

Could not HEAD 'https://plugins.gradle.org/m2/org/springframework/boot/spring-boot-buildpack-platform/2.6.1/spring-boot-buildpack-platform-2.6.1.pom’.
plugins.gradle.org: Temporary failure in name resolution

Error 2:

Could not HEAD 'https://jcenter.bintray.com/org/springframework/boot/spring-boot-loader-tools/2.6.1/spring-boot-loader-tools-2.6.1.pom’.
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Please let me know how to fix this issue and get it working in offline node.

Thanks
Dhanapal

Vampire · February 6, 2023, 5:15pm

If your build environment is offline there, how do you get your dependencies?
Do you have some mirror that should be used?
Or where do / should they come from?

Dhanapal · February 8, 2023, 2:57pm

Created docker image and ran the build steps while online and connected to the internet. The build got successful. Hope this downloaded all required dependencies in gradle cache. Committed this image and pushed this to my build server. But the build did not succeed while offline.

Alternatively,we are planning to white list the below URLs behind proxy.

*.npmjs.org
*.gradle.org
*.apache.org
*.mvnrepository.com

Please let me know of your comments.

Vampire · February 8, 2023, 5:54pm

Add the --offline switch to the Gradle invocation and it will probably work, as then the cache dependencies will be used and no up-to-date checking for dynamic versions or similar will be done. So unless some task implementation needs something online it should hopefully work.

Btw. what should *.mvnrepository.com be useful for?
There are no repositories, that site is just an index site, indexing other repositories.

Dhanapal · February 13, 2023, 8:12am

Attaching the build.gradle and console output for reference. It is failing to build the Springboot project. Our server is behind proxy and so we included in gradle.properties.

Build.gradle

plugins {
id ‘org.springframework.boot’ version ‘2.6.2’
id ‘io.spring.dependency-management’ version ‘1.0.11.RELEASE’
id ‘java’
}

group = ‘com.upp.authServices’
//version = ‘0.0.1-SNAPSHOT’
sourceCompatibility = ‘1.8’

ext[‘h2.version’] = ‘1.4.197’

ext {
set(‘springCloudVersion’, “2020.0.4”)
}

repositories {

mavenCentral()
flatDir{
dirs ‘/var/jenkins_home/workspace/sb_auth/libs’
}
}

dependencies {
// compile fileTree(dir: ‘libs’, include: [‘*.jar’])
//compile project(‘:lib_authservices’)
compile (‘org.springframework.boot:spring-boot-starter-web’) {
exclude group: ‘org.springframework.boot’, module: ‘spring-boot-starter-logging’
}
testImplementation ‘org.springframework.boot:spring-boot-starter-test’
compile group: ‘org.postgresql’, name: ‘postgresql’, version: ‘42.3.3’
}

task copyRuntimeLibs(type: Copy) {
into “libs”
from configurations.runtime
}

Errors

A problem occurred configuring root project ‘sb_authservices’.

Could not resolve all artifacts for configuration ‘:classpath’.
Could not resolve org.springframework.boot:spring-boot-buildpack-platform:2.6.2.
Required by:
project : > org.springframework.boot:org.springframework.boot.gradle.plugin:2.6.2 > org.springframework.boot:spring-boot-gradle-plugin:2.6.2
Could not resolve org.springframework.boot:spring-boot-buildpack-platform:2.6.2.
Could not get resource ‘https://plugins.gradle.org/m2/org/springframework/boot/spring-boot-buildpack-platform/2.6.2/spring-boot-buildpack-platform-2.6.2.pom’.
Could not GET ‘https://jcenter.bintray.com/org/springframework/boot/spring-boot-buildpack-platform/2.6.2/spring-boot-buildpack-platform-2.6.2.pom’.
> PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Vampire · February 13, 2023, 8:55am

The error means that Gradle cannot open the HTTPS connection, because of some certificate issue. This usually means you use a very old or broken Java installation and you are not using the --offline switch.

Dhanapal · March 12, 2023, 10:45am

We are able to build the project in -offline mode. But in Online mode, cert issue is not resolving, after fixing JDK Installation. We tried to use openjdk1.0 and run gradle build in the CI server which is Connected Internet via PROXY server. gradle fails to download the pom used by Plugins. In the server, I have tried to download this file via CURL and Wget but it did not work.

curl -o test.pom https://jcenter.bintray.com/org/springframework/boot/spring-boot-buildpack-platform/3.0.4/spring-boot-buildpack-platform-3.0.3.pom
curl: (60) Peer’s certificate issuer has been marked as not trusted by the user.

As per the admin/firewall team,this file/URL is accessible via browser?

Which SSL certificate it is expecting to connect with jcenter??.. Shall we use gradlepluginPortal() to resolve this dependency ?. as mentioned in this link, JCenter Shutdown Impact on Gradle Builds.

Please recommend,how i can fix this cert issue in online mode.

Vampire · March 12, 2023, 5:11pm

But in Online mode, cert issue is not resolving, after fixing JDK Installation.

Well, then you either did not fix the installation, or maybe you use a bad proxy, or there is a man-in-the-middle attack, or any other of the possible reasons. Impossible to guess from here. You might want to set the system property javax.net.debug to all to get very detailed logging about HTTPS connection procedure, used certificates and so on. Maybe that will help you to figure out the problem.

We tried to use openjdk1.0

No idea what that should be, actually.

In the server, I have tried to download this file via CURL and Wget but it did not work.

curl -o test.pom https://jcenter.bintray.com/org/springframework/boot/spring-boot-buildpack-platform/3.0.4/spring-boot-buildpack-platform-3.0.3.pom
curl: (60) Peer’s certificate issuer has been marked as not trusted by the user.

Well, if even curl cannot download the file, why do you think it is a Gradle problem?
Even more a hint it is a different problem not related to Gradle.
Make your IT make the curl work and maybe they fixed it then for Gradle too.
Here, your curl command works fine.
Besides that it returns 404 not found as you mixed 3.0.4 and 3.0.3 in the URL. But with twice the same version in the URL it downloads just fine here.

Shall we use gradlepluginPortal() to resolve this dependency ?

The Gradle Plugin Portal does not have this dependency, so it would just send a redirect to JCenter.
JCenter would then forward the request to Maven Central as JCenter also does not have that dependency itself.
You could try to add Maven Central as repository before JCenter or Gradle Plugin Portal.
Actually I would recommend not using JCenter at all explicitly due to its quirks unless you really need something from it and always prefix it with Maven Central so get things from Maven Central directly even if JCenter is down again.
So for plugin repositories I’d define “Maven Central” first and “Gradle Plugin Portal” second as long as the Gradle Plugin Portal redirects to JCenter for missing dependencies.
This way things on Maven Central are fetched from Maven Central directly, everything else is got from Gradle Plugin Portal which redirects to JCenter for thing it does not have itself which should only be the things actually available on JCenter as Maven Central ones were fetched directly already.

as mentioned in this link, JCenter Shutdown Impact on Gradle Builds.

There is not really an Impact, as JCenter was not and will not be shutdown.
It was just set to read-only and regularly has outages as it always had.

Dhanapal · March 13, 2023, 5:13am

Thanks for the quick reply .

Apologies for the mistake

We tried to use openjdk1.8 (OpenJDK 8 Linux 64-bit) then
did the build.
Executed the following Curl commend.

curl https://jcenter.bintray.com/org/springframework/boot/spring-boot-buildpack-platform/3.0.3/spring-boot-buildpack-platform-3.0.3.pom --verbose

NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
Peer’s certificate issuer has been marked as not trusted by the user.
Closing connection 0
curl: (60) Peer’s certificate issuer has been marked as not trusted by the user.
More details here: curl - SSL CA Certificates

Agreed, this is not a gradle problem.

for plugin repositories, shall we add “Maven Central” in settings.gradle?. We have only mavencentral() for dependencies in build.grdle

Vampire · March 13, 2023, 11:22am

for plugin repositories, shall we add “Maven Central” in settings.gradle?. We have only mavencentral() for dependencies in build.grdle

As I said, the Gradle Plugin Portal will redirect to JCenter for dependencies it does not have itself, and JCenter forwards to Maven Central for dependencies it does not have.
So as long as JCenter does not have one of its regular outages, just having the Gradle Plugin Portal is fine.
Having Maven Central before Gradle Plugin Portal in the list of plugin repositories, makes it more robust against JCenter outages if actually just things are used that are available on Gradle Plugin Portal itself or on Maven Central.
Whether you add it or not is up to you.