Bazel does not honor custom CA certificates

Description of the problem:

When I try to use Bazel in an environment with TLS only working with custom CA certificates, it does not work (e.g. download dependencies).

One of the errors is:

ERROR: An error occurred during the fetch of repository 'zlib':
   java.io.IOException: Error downloading [https://zlib.net/zlib-1.2.11.tar.gz] to /home/abergmei/.cache/bazel/_bazel_user/a05519119102d261558210037d2dc4c6/external/zlib/zlib-1.2.11.tar.gz: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Bugs: what’s the simplest, easiest way to reproduce this bug? Please provide a minimal example if possible.

Have a non-rooted CA, which intercepts all HTTPS calls in your network.

What operating system are you running Bazel on?

Ubuntu 18.04

What’s the output of bazel info release?

release 1.2.1

Have you found anything relevant by searching the web?

Any other information, logs, or outputs that you want to share?

Tried executing via JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64 bazelisk build --host_javabase '@local_jdk//:jdk' //mytarget but the error persists. Not sure, though, that it really uses my local JDK.

Is there any way of forcing the bundled JDK to use a certs database outside of Bazel?

Issue Analytics

  • State: open
  • Created 4 years ago
  • Reactions: 3
  • Comments: 6 (1 by maintainers)

Top GitHub Comments

3 reactions
mcarpenter commented, Mar 12, 2021

Similar issue is #5741.

That issue contains a clean workaround that is still valid for Ubuntu 20 and Bazel 4.0.0. That is, in your .bazelrc add:

startup --host_jvm_args=-Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts \
        --host_jvm_args=-Djavax.net.ssl.trustStorePassword=changeit

2 reactions
jgallucci32 commented, Mar 8, 2021

Same problem on RHEL7. Guess there aren’t too many of us on the internet using Bazel behind an SSL gateway. We typically symlink cacerts to the one which is updated with ca-certificates on Red Hat images with our custom SSL certs.
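
Both workarounds above only help if the truststore Bazel ends up reading really contains the intercepting CA. The following check is an added example, not part of the original issue or of Bazel: it compares the SHA-256 fingerprint of a CA certificate against the entries of a Java truststore. The CA PEM path and the STOREPASS variable are assumptions, and the parsing assumes the English keytool listing of JDK 9 or later.

```bash
#!/bin/sh
# Added example: verify that a Java truststore (e.g. the one named in .bazelrc)
# contains a given CA certificate, by SHA-256 fingerprint.
# Usage: ./check_truststore.sh /etc/ssl/certs/java/cacerts /path/to/corp-ca.pem

# Reduce "sha256 Fingerprint=AA:BB", "...(SHA-256): AA:BB" or "aa:bb" to "AABB".
normalize_fp() {
  printf '%s' "$1" | sed -e 's/^.*=//' -e 's/^.*: //' \
    | tr -d ': \n' | tr '[:lower:]' '[:upper:]'
}

# Read `keytool -list` output on stdin; succeed if any entry matches $1.
# Assumes lines of the form "Certificate fingerprint (SHA-256): AA:BB:..."
listing_has_fingerprint() {
  local want line
  want=$(normalize_fp "$1")
  while IFS= read -r line; do
    case "$line" in
      *"fingerprint (SHA-256)"*)
        if [ "$(normalize_fp "$line")" = "$want" ]; then return 0; fi ;;
    esac
  done
  return 1
}

# truststore_has_ca STORE PASSWORD CA_PEM
# Returns 0 if present, 1 if absent, 2 if the PEM file cannot be parsed.
truststore_has_ca() {
  local store pass ca_pem fp
  store="$1"; pass="$2"; ca_pem="$3"
  fp=$(openssl x509 -in "$ca_pem" -noout -fingerprint -sha256) || return 2
  keytool -list -keystore "$store" -storepass "$pass" \
    | listing_has_fingerprint "$fp"
}

# Run only when called with both arguments. STOREPASS is a hypothetical
# override; "changeit" is the password used in the workaround above.
if [ "$#" -eq 2 ]; then
  if truststore_has_ca "$1" "${STOREPASS:-changeit}" "$2"; then
    echo "OK: CA from $2 is trusted by $1"
  else
    echo "FAIL: CA from $2 not found in $1 (or it could not be read)" >&2
    exit 1
  fi
fi
```

A FAIL result against the path given in .bazelrc means the PKIX error will persist until the CA is imported into that truststore.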
