Tags: java, scala, jvm, ssl-certificates, sbt

Security is Blocking SBT & JVM - How to Import SSL Certificates via .pem File


My company has installed a bunch of new security stuff on my machine that I don't understand (Zscaler, AppGate SDP, other stuff), but it's blocked most of the internet. I need to use a .pem file that includes some certificate info that lets me through the firewalls or whatever. (It's over my head what's happening.)

One thing that has broken is the SBT / JVM stuff. When I try to use SBT to compile a fat jar, it fails with the following error:

[error] Server access Error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target url=https://repo1.maven.org/maven2/org/glassfish/javax.el/

I use SDKMAN to manage Java versions, and I use sbt assembly to package up fat jars (some projects use sbt 0.13, some use 1.3). Laptops are MacBooks (one old, one new).

I tried following the instructions here, but it makes no difference. Same error before & after.

    # myRootCA.pem is in ~/.myCert/
    cd ~/.myCert
    # copy the JDK's default truststore so the original stays untouched
    cp $JAVA_HOME/jre/lib/security/cacerts ~/.myCert/
    # keytool prompts for the keystore password (the default cacerts password is "changeit")
    keytool -keystore cacerts -import -file myRootCA.pem -alias myProxy

    # tried before & after restarting machine; no difference
    cd <scala repo>
    # use an absolute path: "~" is not expanded by the shell inside quotes
    sbt "-Djavax.net.ssl.trustStore=$HOME/.myCert/cacerts" assembly

So my questions are:

  1. How do I get that .pem file of CA certificates into the JVM in a way that lets me use SBT?
  2. Can I get that into an sbtopts file somewhere (in individual repos, or /usr/local/etc/, or elsewhere) so I don't need an unwieldy addition to all my sbt commands?

Thanks in advance.


Solution

What worked for me and resolved both points 1 & 2 was to just modify the cacerts file directly instead of copying it, modifying it, and pointing to the copy. Now SBT works fine with no additional arguments.

    # import the root CA into the JDK's own truststore (default store password "changeit");
    # the jre/ path is the JDK 8 layout, on JDK 9+ the store is $JAVA_HOME/lib/security/cacerts
    keytool -importcert -file myRootCA.pem -alias myRootCA -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass 'changeit'

I think if I need to back it out, this would work.

    # remove the imported entry again by its alias
    keytool -delete -alias myRootCA -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass 'changeit'

I don't know if this is the best idea, but it works, so I'll go with it for now.
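The per-user variant from the question carried through, as an added example that is not from the question or the answer: it locates cacerts for either JDK layout, imports the PEM into a copy rather than the JDK's own store, verifies the alias is present, and writes the JVM flag into a project .sbtopts so no extra argument is needed on each sbt call. The PEM path ~/.myCert/myRootCA.pem and alias myRootCA follow the question; that the sbt launcher passes -D lines from .sbtopts to the JVM is assumed from the sbt runner script, and SBT_OPTS is an alternative.

```shell
#!/bin/sh
# Added example, not the question's or the answer's own code. Paths are assumptions.
set -eu

# Print the JDK truststore path for JDK 9+ (lib/security) or JDK 8 (jre/lib/security).
find_cacerts() {
  java_home="$1"
  if [ -f "$java_home/lib/security/cacerts" ]; then
    printf '%s\n' "$java_home/lib/security/cacerts"
  elif [ -f "$java_home/jre/lib/security/cacerts" ]; then
    printf '%s\n' "$java_home/jre/lib/security/cacerts"
  else
    echo "no cacerts under $java_home" >&2
    return 1
  fi
}

# JVM flags for sbt, one per line as .sbtopts expects.
# Absolute path only: "~" is not expanded by the shell inside quotes.
truststore_opts() {
  printf -- '-Djavax.net.ssl.trustStore=%s\n' "$1"
  printf -- '-Djavax.net.ssl.trustStorePassword=changeit\n'
}

# Copy the JDK store, import the PEM into the copy, and confirm the alias exists.
import_ca() {
  pem="$1"; alias="$2"; src="$3"; dst="$4"
  cp "$src" "$dst"
  keytool -importcert -noprompt -trustcacerts -file "$pem" -alias "$alias" \
    -keystore "$dst" -storepass changeit
  # -list exits non-zero if the alias is missing, so a bad import stops the script
  keytool -list -keystore "$dst" -storepass changeit -alias "$alias" >/dev/null
}

main() {
  store="$HOME/.myCert/cacerts"
  mkdir -p "$HOME/.myCert"
  import_ca "$HOME/.myCert/myRootCA.pem" myRootCA "$(find_cacerts "$JAVA_HOME")" "$store"
  # run from the project directory: sbt reads ./.sbtopts on startup
  truststore_opts "$store" > .sbtopts
}

# Only perform the import when invoked as: sh import-ca.sh --install
if [ "${1:-}" = "--install" ]; then main; fi
```

Deleting ~/.myCert/cacerts and the .sbtopts line backs the change out without touching the JDK.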