Unable to build a Java project due to certificates

vmaier3000 · November 14, 2023, 10:19pm

I have been able to build Java project for years but recently I can no longer build anyone of them.
(see below for the actual error)

My coworkers are able to build the same projects with the same files. So obviously I suspected the Java certificates. I got a file from one of my coworkers that can build the projects and copied them in 3 locations where different versions of Java are located but that did not help.
Any ideas please?

And the error message:

C:\build\prod\Java\SampleProject>gradlew build -x test
Downloading https://services.gradle.org/distributions/gradle-6.3-bin.zip

Exception in thread "main" javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:128)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:259)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:642)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:461)

Vampire · November 15, 2023, 1:51pm

This most often happens when you use a JVM that is corrupt or has trusted certificates missing.
You should try to build using a different / freshly installed JDK.

djKianoosh · November 17, 2023, 4:45pm

If your company runs something like ZScaler, which intercepts SSL traffic and presents its own certificate, you may also run into this issue.

There’s a couple of approaches to solve this. One, add those CA certs to your Java cacerts. Or, if your sysadmins have already added those certs to your system’s root certificates, then you can tell gradle/java to trust the root certs. Gradle apparently does this from 8.3, but there is a workaround for earlier versions: https://github.com/gradle/gradle/pull/25106

I have this in my ~/.gradle/gradle.properties on my mac:

systemProp.javax.net.ssl.trustStore=/dev/null
systemProp.javax.net.ssl.trustStoreType=KeychainStore
systemProp.java.security.KeyStore=KeychainStore

Here’s the same thing for Windows:

systemProp.javax.net.ssl.trustStore=NUL
systemProp.javax.net.ssl.trustStoreType=Windows-ROOT

vmaier3000 · November 21, 2023, 3:59am

Thank you for the suggestion, I will try to do that!