Bazel fails to download file with error "PKIX path building failed."

[endobson]

Description of the problem / feature request / question:

I cannot get bazel to download busybox.

I have the following rule in my workspace:

http_file(
    name = "busybox",
    executable = True,
    sha256 = "b51b9328eb4e60748912e1c1867954a5cf7e9d5294781cae59ce225ed110523c",
    urls = ["http://busybox.net/downloads/binaries/1.27.1-i686/busybox"],
)

When I fetch I get the following:

% bazel fetch  @busybox//:file
____Failed to connect to https://busybox.net/downloads/binaries/1.27.1-i686/busybox trying again in 100ms
____Failed to connect to https://busybox.net/downloads/binaries/1.27.1-i686/busybox trying again in 200ms
____Failed to connect to https://busybox.net/downloads/binaries/1.27.1-i686/busybox trying again in 400ms
____Failed to connect to https://busybox.net/downloads/binaries/1.27.1-i686/busybox trying again in 800ms
____Failed to connect to https://busybox.net/downloads/binaries/1.27.1-i686/busybox trying again in 1,600ms
____Failed to connect to https://busybox.net/downloads/binaries/1.27.1-i686/busybox trying again in 3,200ms
____Failed to connect to https://busybox.net/downloads/binaries/1.27.1-i686/busybox trying again in 6,400ms
____Error connecting to https://busybox.net/downloads/binaries/1.27.1-i686/busybox: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
ERROR: no such package '@busybox//': Error downloading [http://busybox.net/downloads/binaries/1.27.1-i686/busybox] to /private/var/tmp/_bazel_endobson/e36ff165f90c34e5ec103dfa2b4ef8e1/external/busybox/busybox: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Yet wget is able to download the file fine and the sha256 is the same as is in the rule.

Environment info

• Operating System:
  OS X 10.11.6 (15G31)

• Bazel version (output of bazel info release):
  0.6.1

Have you found anything relevant by searching the web?

It looks like this is a common error if the certificate is bad. But if that is the issue then it means that bazel is not using my system's trust store as Chrome and wget seem to be able to do.

[endobson]

I have forced bazel to use the System java's trust store with the following startup flags:

--host_jvm_args=-Djavax.net.ssl.trustStore='/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/cacerts'
--host_jvm_args=-Djavax.net.ssl.trustStorePassword='changeit'

And it successfully fetches the file.

Haven't debugged what bazel is using instead of those. But maybe a built in one?

[endobson]

So debugged it and it is confusing OS x stuff, not a bazel issue. But hopefully this will help a future person who runs into this.

So OS X has two ways of installing java. The one that is in 'System Preferences' is the JavaAppletPlugin and is (I believe) just the JRE. You can also install the JDK which is stored under "/Library/Java/JavaVirtualMachines". /usr/bin/java uses the jdk, and I believe that is how bazel is getting its 'java'.

This is updated by downloading from oracle. And the truststore that java uses by default is baked into the jdk. Thus if you are running with an older JDK you may not have as many root certificates in your truststore and run into this issue. The solution is to update your JDK and hopefully the certificate that you need to trust is signed by one of the newer root certificates.

[mdsheraj123]

#5741

This has the solution. For me in windows, after installing the top level certificate in C:\Program Files\Android\Android Studio1\jre\lib\security\cacerts it was

bazel --host_jvm_args=-Djavax.net.ssl.trustStore="C:\Program Files\Android\Android Studio1\jre\lib\security\cacerts" --host_jvm_args=-Djavax.net.ssl.trustStorePassword=changeit build <...your build commands>