scala sbt and corporate proxy - SunCertPathBuilderException

16
votes

When I try to use SBT some files cannot be downloaded with the following error:

Server access Error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target url=https://repo1.maven.org/maven2/org/scala-sbt/sbt/1.0.0-M4/sbt-1.0.0-M4.jar

I have followed some advice on Stack Overflow and imported the corporate proxy SSL certificate with the java keytool as described in: SSL certificate problem in a web service proxy

It does not seems to affect the SBT tool. Does it look in a different keystore? Any ideas?

If I paste the URL on the browser the file downloads.

I get this error when simply running the SBT tool I have installed. When I try to create a SBT project on IntelliJ Idea and update it, it gives me the same error with different URLs. Same thing when trying to use the lightbend activator.

6
javascalasslsbt

6 Answers

13
votes

So this happens when you are behind a proxy and we need the proxy server certificate to be added to the java truststore 

cp $JAVA_HOME/jre/lib/security/cacerts <some accessible dir>/
# Get the certificate of the proxy server and store it in a file-proxy.pem
keytool -keystore cacerts -import -file proxy.pem -alias my_proxy
# Now we can invoke sbt with following config
sbt  "-Djavax.net.ssl.trustStore=/path/to/included/proxycert/cacerts" compile
4
votes

If I recall correctly, SBT indirectly uses an old version of apache commons httpclient (3.1) which doesn't respect the java system properties for specifying truststores by default.

I can think of three potential solutions:

  1. Use a proxy repository like artifactory so SBT can only has to connect to the proxy and the proxy can take care of https outwards via the corporate proxy.

  2. Install the corporate issuing certificate into the default truststore for the JVM (usually %JDK_HOME%/jre/lib/security/cacerts). You would have to do this each time you run a new JRE.

  3. Try using coursier. It's a plugin for SBT which provides a different way of fetching dependencies that does not go through apache httpclient. It uses an http library which I think should respect the java system properties for truststore. It's also much faster.

4
votes

This solved the problem:

Add -Djavax.net.ssl.trustStore="C:\Program Files\Java\jre1.8.0_121\lib\security\cacerts" to the sbt config file (sbtconfig).

If using IntelliJ Idea, click on "SBT Settings" -> JVM Options -> VM Parameters and add the same line.

The path is the path to the cacerts file that resides on the JDK path -> lib -> security.

It is necessary to import the proxy certificate with the keystore tool, as described in: SSL certificate problem in a web service proxy

1
votes

This error can also happen if you use an outdated Java version. I've got this error using Java version 1.8.0_45-b14. Updating to Java version 11.0.2+7 (2018-10-16) solved it for me.

Just for reference, the full error message I got was:

[error] typesafe-ivy-releases: unable to get resource for com.geirsson#sbt-scalafmt;1.6.0-RC4: res=https://repo.typesafe.com/typesafe/ivy-releases/com.geirsson/sbt-scalafmt/1.6.0-RC4/jars/sbt-scalafmt.jar: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Switching to the newer Java version solved it instantly.

0
votes

On MacOS, I solved it by running the sbt command with sudo.

0
votes

Assuming you are under windows, which is of course configured correctly you can instead:

  1. Download the certificate. Right-Click -> Install Certificate -> Local Machine -> Automatically.
  2. Update C:\Program Files (x86)\sbt\conf\sbtconfig.txt
-Djavax.net.ssl.trustStore=C:\\Windows\\win.ini
-Djavax.net.ssl.trustStoreType=Windows-ROOT

Then is you use IntelliJ, you can add these parameters into the "VM parameter" of your sbt project settings.