SpencerPark / IJava

A Jupyter kernel for executing Java code.
MIT License

gradlew fails to download gradle due to an SSLException on jdk-11 on ubuntu 18.04 #19

Open LeonCloudEndure opened 6 years ago

LeonCloudEndure commented 6 years ago

```
./gradlew installKernel
Downloading https://services.gradle.org/distributions/gradle-4.2.1-bin.zip

Exception in thread "main" javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/sun.security.ssl.Alerts.getSSLException(Alerts.java:214)
    at java.base/sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1974)
    at java.base/sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1926)
    at java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1909)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1436)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1581)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1509)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:245)
    at org.gradle.wrapper.Download.downloadInternal(Download.java:66)
    at org.gradle.wrapper.Download.download(Download.java:51)
    at org.gradle.wrapper.Install$1.call(Install.java:62)
    at org.gradle.wrapper.Install$1.call(Install.java:48)
    at org.gradle.wrapper.ExclusiveFileAccessManager.access(ExclusiveFileAccessManager.java:69)
    at org.gradle.wrapper.Install.createDist(Install.java:48)
    at org.gradle.wrapper.WrapperExecutor.execute(WrapperExecutor.java:107)
    at org.gradle.wrapper.GradleWrapperMain.main(GradleWrapperMain.java:61)
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:89)
    at java.base/sun.security.validator.Validator.getInstance(Validator.java:181)
    at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:330)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:180)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:192)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:133)
    at java.base/sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1947)
    at java.base/sun.security.ssl.ClientHandshaker.certificateStatus(ClientHandshaker.java:1798)
    at java.base/sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:276)
    at java.base/sun.security.ssl.Handshaker.processLoop(Handshaker.java:1098)
    at java.base/sun.security.ssl.Handshaker.processRecord(Handshaker.java:1026)
    at java.base/sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137)
    at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074)
    at java.base/sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
    at java.base/sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1429)
    ... 14 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
    at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
    at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
    at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:86)
    ... 29 more
```

SpencerPark commented 6 years ago

This looks like an issue with the openjdk installation. I feel like I've seen similar things around certificates and openjdk while learning about getting all the Docker stuff set up for the Binder repo.

Potentially related is docker-library/openjdk#145. See also https://github.com/mikaelhg/broken-docker-jdk9-cacerts for a more detailed explanation and some potential fixes (please let me know if you try any that work for you). That repository I linked also explicitly mentions Ubuntu 18.04 and says that the problem exists from >=jdk9.

I would like to leave this open even if you find a workaround that works in case others come across the problem. Thanks for the report!

P.S. For multi-line code blocks, use an opening and closing triple backtick each on their own line or indent the whole block with 4 spaces. :)

LeonCloudEndure commented 6 years ago

That is a crazy coincidence, I usually don't work with Java at all. But the last two tasks at my work, and this one here, are all related to the exact same thing :P

Anyway this workaround worked perfectly:

```
/usr/bin/printf '\xfe\xed\xfe\xed\x00\x00\x00\x02\x00\x00\x00\x00\xe2\x68\x6e\x45\xfb\x43\xdf\xa4\xd9\x92\xdd\x41\xce\xb6\xb2\x1c\x63\x30\xd7\x92' > /etc/ssl/certs/java/cacerts
/var/lib/dpkg/info/ca-certificates-java.postinst configure
```

But this workaround is bad for anything that is not a test machine, since it overwrites the cacerts file. From what I understand from the second link and from my limited knowledge of the cacerts file, all you need to change is for the relevant code to either run with `-Djavax.net.ssl.trustStorePassword=changeit` or, inside the code itself, do `System.setProperty("javax.net.ssl.trustStorePassword", "changeit");` at the very beginning. This should work for both old and new Java versions.
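
Added example, not part of the original thread: a small Python inspector that shows what the `printf` workaround above actually writes, and that can be pointed at a live `cacerts` file to see whether it is a JKS store and how many entries it holds. The function names (`inspect_truststore`, `jks_digest`, `empty_jks`) belong to this example only; the digest routine follows the JKS integrity check (SHA-1 over the password, a fixed string, and the store body).

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
# The 32 bytes the printf workaround above writes to /etc/ssl/certs/java/cacerts.
WORKAROUND_BYTES = bytes.fromhex(
    "feedfeed" "00000002" "00000000"
    "e2686e45fb43dfa4d992dd41ceb6b21c6330d792"
)

def jks_digest(body: bytes, password: str) -> bytes:
    """Integrity digest a JKS store appends: SHA-1(password || salt || body)."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))  # two bytes per char, high byte first
    h.update(b"Mighty Aphrodite")           # fixed string defined by the JKS format
    h.update(body)
    return h.digest()

def empty_jks(password: str) -> bytes:
    """Build an empty version-2 JKS store (constructed sample input)."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(body, password)

def inspect_truststore(data: bytes, password: str = "changeit") -> dict:
    """Classify a trust store by its leading bytes; summarise a JKS header."""
    if len(data) >= 32 and data[:4] == struct.pack(">I", JKS_MAGIC):
        version, entries = struct.unpack(">II", data[4:12])
        return {
            "format": "JKS",
            "version": version,
            "entries": entries,  # 0 entries means no trust anchors
            "digest_ok": jks_digest(data[:-20], password) == data[-20:],
        }
    if data[:1] == b"\x30":
        # DER SEQUENCE tag: a PKCS#12 store starts this way, but so does
        # other DER data, so this is a hint and not a full parse.
        return {"format": "DER (possibly PKCS12)"}
    return {"format": "unknown"}

if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else WORKAROUND_BYTES
    print(inspect_truststore(raw))
```

A JKS result with `entries` equal to 0 is a store with no trust anchors, which is the condition the exception at the top of this issue reports.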

SpencerPark commented 6 years ago

Yes, it is not the nicest workaround. I believe what is going on now is just waiting for a version bump in the Debian package, as it is only a problem on openjdk for Linux x64 (https://bugs.java.com/view_bug.do?bug_id=8189357). There was a pretty quick EOL for Java 9 and we are on 10 currently, but it looks like 11 is the planned long term support release (along with 8 as it was before jigsaw). I've had luck with 10 so far, which maybe I should include in the readme in case users are only installing a newer jdk to try the project.

Thanks for the update!

LeonCloudEndure commented 6 years ago

I really think you should add `-Djavax.net.ssl.trustStorePassword=changeit` to the build since it should still solve the issue, and if `changeit` is set to a var that a user can change, it will also allow people with custom Java stores to be able to work with IJava as well. If I have time I will try to check this option and submit a fix.

LeonCloudEndure commented 6 years ago

A quick fix I did (I assume that is not the proper way to do it, so I am just showing this as a proof of concept, or another potential workaround)

git diff
diff --git a/gradlew b/gradlew
old mode 100644
new mode 100755
index cccdd3d..0ff933c
--- a/gradlew
+++ b/gradlew
@@ -28,7 +28,7 @@ APP_NAME="Gradle"
 APP_BASE_NAME=`basename "$0"`

 # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
-DEFAULT_JVM_OPTS=""
+DEFAULT_JVM_OPTS="-Djavax.net.ssl.trustStorePassword=changeit"

 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD="maximum"
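
Review bot: The new DEFAULT_JVM_OPTS value hardcodes the trust store password `changeit` in the wrapper script, so anyone whose store uses a different password has to edit `gradlew` to build. The comment directly above the changed line already names JAVA_OPTS and GRADLE_OPTS as the way to pass JVM options, so consider leaving DEFAULT_JVM_OPTS empty and documenting `-Djavax.net.ssl.trustStorePassword=...` through one of those variables, or reading the password from an environment variable with `changeit` as the fallback. The mode change from 100644 to 100755 in the diff header is unrelated to the trust store setting and would be easier to review as its own commit.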

Right now it fails due to a new issue (maybe it's something temporary) but it fails with the previous workaround as well so it's unrelated:

```
./gradlew installKernel
Starting a Gradle Daemon, 1 incompatible Daemon could not be reused, use --status for details

FAILURE: Build failed with an exception.

* Where:
Build file '/home/ubuntu/IJava/build.gradle' line: 4

* What went wrong:
Error resolving plugin [id: 'com.github.hierynomus.license', version: '0.14.0']
> Could not resolve all dependencies for configuration 'detachedConfiguration1'.
   > Could not determine artifacts for com.github.hierynomus.license:com.github.hierynomus.license.gradle.plugin:0.14.0
      > Could not get resource 'https://plugins.gradle.org/m2/com/github/hierynomus/license/com.github.hierynomus.license.gradle.plugin/0.14.0/com.github.hierynomus.license.gradle.plugin-0.14.0.jar'.
         > Could not HEAD 'https://plugins.gradle.org/m2/com/github/hierynomus/license/com.github.hierynomus.license.gradle.plugin/0.14.0/com.github.hierynomus.license.gradle.plugin-0.14.0.jar'.
            > Read timed out

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 40s
```

HelderGualberto commented 6 years ago

I solved this problem by switching the operating system to Ubuntu 18.10. If you're in a container, just change the Dockerfile to: `FROM ubuntu:18.10`. Ubuntu 18.04 seems to have a problem with Java certificates, just as said in https://stackoverflow.com/questions/6784463/error-trustanchors-parameter-must-be-non-empty/25188331#25188331