My company has installed a bunch of new security stuff on my machine that I don't understand (Zscaler, AppGate SDP, other stuff), but it's blocked most of the internet. I need to use a .pem file that includes some certificate info that lets me through the firewalls or whatever. (It's over my head what's happening.)
One thing that has broken is the SBT / JVM stuff. When I try to use SBT to compile a fat jar, it fails with the following error:
[error] Server access Error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target url=https://repo1.maven.org/maven2/org/glassfish/javax.el/
I use SDKMan to manage Java versions, and I use sbt assembly to package up fat jars (some projects use sbt 0.13, some use 1.3). Laptops are MacBooks (one old, one new).
I tried following the instructions here, but it makes no difference. Same error before & after.
# myRootCA.pem is in ~/.myCert/
cd ~/.myCert
cp $JAVA_HOME/jre/lib/security/cacerts ~/.myCert/
keytool -keystore cacerts -import -file myRootCA.pem -alias myProxy
# tried before & after restarting machine; no difference
cd <scala repo>
sbt "-Djavax.net.ssl.trustStore=~/.myCert/cacerts" assembly
So my questions are:
sbtopts file somewhere (in individual repos or /usr/local/etc/ or elsewhere) so I don't need an unwieldy addition to all my sbt commands
Thanks in advance.
What worked for me and resolved both points 1 & 2 was to just modify the cacerts file directly instead of copying it, modifying it, and pointing to the copy. Now SBT works fine with no additional arguments.
keytool -importcert -file myRootCA.pem -alias myRootCA -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass 'changeit'
I think if I need to back it out, this would work.
keytool -delete -alias myRootCA -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass 'changeit'
I don't know if this is the best idea, but it works, so I'll go with it for now.
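An added example, not part of the original question or answer: a script that leaves the JDK's own cacerts untouched, imports the root CA into a copy, and prints the trust store options with an absolute path, since a `~` inside a quoted `-D` argument reaches the JVM unexpanded. The alias, file and directory names are taken from the post; the function names and the script name `trust-ca.sh` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: trust the corporate root CA through a private copy of cacerts.
# Alias, file and directory names come from the post; function names are
# hypothetical. 'changeit' is the stock cacerts password.

# Expand a leading "~" ourselves: the shell leaves it alone inside quotes,
# and the JVM never expands it.
abs_path() {
  case "$1" in
    "~/"*) printf '%s\n' "$HOME/${1#??}" ;;
    /*)    printf '%s\n' "$1" ;;
    *)     printf '%s\n' "$PWD/$1" ;;
  esac
}

# JDK 8 keeps cacerts under jre/lib/security, JDK 9+ under lib/security.
find_cacerts() {  # $1 = JAVA_HOME
  for p in "$1/lib/security/cacerts" "$1/jre/lib/security/cacerts"; do
    if [ -f "$p" ]; then printf '%s\n' "$p"; return 0; fi
  done
  return 1
}

# JVM options pointing at the trust store by absolute path.
truststore_opts() {  # $1 = trust store path, $2 = password
  printf '%s%s %s%s\n' \
    '-Djavax.net.ssl.trustStore=' "$(abs_path "$1")" \
    '-Djavax.net.ssl.trustStorePassword=' "$2"
}

main() {  # usage: trust-ca.sh <rootCA.pem> <trust store directory>
  pem=$(abs_path "$1"); dir=$(abs_path "$2"); store="$dir/cacerts"
  src=$(find_cacerts "$JAVA_HOME") || { echo "no cacerts under JAVA_HOME" >&2; return 1; }
  mkdir -p "$dir" && cp "$src" "$store" || return 1
  # keytool's status messages go to stderr so stdout carries only the options.
  keytool -importcert -noprompt -trustcacerts -file "$pem" -alias myProxy \
          -keystore "$store" -storepass changeit >&2 || return 1
  # Confirm the alias landed in the copy before retrying sbt.
  keytool -list -alias myProxy -keystore "$store" -storepass changeit >/dev/null || return 1
  truststore_opts "$store" changeit
}

# Runs only when both arguments are given, e.g.:
#   sbt $(./trust-ca.sh ~/.myCert/myRootCA.pem ~/.myCert) assembly
if [ "$#" -ge 2 ]; then main "$@"; fi
```

The printed options are split on whitespace when used in `$(...)`, so the trust store directory must not contain spaces.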