appveyor / ci

AppVeyor community support repository
https://www.appveyor.com

Ubuntu image java ssl certs broken #3833

Open HariSekhon opened 1 year ago

HariSekhon commented 1 year ago

Looks like the Java SSL certs are broken on image: Ubuntu, as Maven gets this error:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> [Help 1]

Here is the public build:

https://ci.appveyor.com/project/HariSekhon/devops-bash-tools/branch/master

Fuller output:

/usr/bin/mvn
Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
Apache Maven 3.6.0
Maven home: /usr/share/maven
Java version: 9.0.4, vendor: Oracle Corporation, runtime: /usr/lib/jvm/java-9-openjdk-amd64
Default locale: en_US, platform encoding: UTF8
OS name: "linux", version: "5.4.0-1085-azure", arch: "amd64", family: "unix"
Validating ./templates/pom.xml
Picked up JAVA_TOOL_OPTIONS: -Dfile.encoding=UTF8
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by com.google.inject.internal.cglib.core.$ReflectUtils$1 (file:/usr/share/maven/lib/guice.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte[],int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of com.google.inject.internal.cglib.core.$ReflectUtils$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
[INFO] Scanning for projects...
[INFO] 
[INFO] --------------------< com.linkedin.harisekhon:NAME >--------------------
[INFO] Building [% NAME %] 0.1
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] Downloading from central: https://repo.maven.apache.org/maven2/org/jacoco/jacoco-maven-plugin/0.7.7.201606060606/jacoco-maven-plugin-0.7.7.201606060606.pom
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  1.049 s
[INFO] Finished at: 2022-08-03T20:43:36Z
[INFO] ------------------------------------------------------------------------
[ERROR] Plugin org.jacoco:jacoco-maven-plugin:0.7.7.201606060606 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.jacoco:jacoco-maven-plugin:jar:0.7.7.201606060606: Could not transfer artifact org.jacoco:jacoco-maven-plugin:pom:0.7.7.201606060606 from/to central (https://repo.maven.apache.org/maven2): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/PluginResolutionException
Makefile:283: recipe for target 'test' failed
make: *** [test] Error 1
Command exited with code 2

FeodorFitsner commented 1 year ago

Have you tried using a more recent Java version?

HariSekhon commented 1 year ago

No, this repo doesn't install Java; it uses the one bundled in the image, which implies that the image itself is broken and needs fixing.

FeodorFitsner commented 1 year ago

I'm not saying you are installing (have to install) Java - the image includes a bunch of JDKs pre-installed. It's just that JDK 9 is the oldest on the image and could have some root certs missing. Try building with at least JDK 15 by adding this to your appveyor.yml:

stack: jdk 15

HariSekhon commented 1 year ago

Tried that and it solved it, thanks!

So the next question is why does the Ubuntu image have a default JDK so old that it breaks on SSL validation?

Should the Ubuntu image be updated to use a current JDK so this workaround isn't needed?

FeodorFitsner commented 1 year ago

Will look into that. There are other components that might depend on JDK 9 and even JDK 8.
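
Added example, not part of the thread or AppVeyor's own code: a Python triage helper that scans a Maven build log like the one in this issue for the PKIX failure, reads the JDK from the `Java version:` line, and flags the old-default-JDK case that `stack: jdk 15` resolved here. The names `triage` and `java_major`, the verdict strings and the `min_major=15` threshold (taken from the maintainer's suggestion, not a verified cutoff) are assumptions; the sample lines are copied from the log quoted above.

```python
import re

# Three lines copied from the build log quoted in this issue.
SAMPLE_LOG = """\
Apache Maven 3.6.0
Java version: 9.0.4, vendor: Oracle Corporation, runtime: /usr/lib/jvm/java-9-openjdk-amd64
[ERROR] Plugin org.jacoco:jacoco-maven-plugin:0.7.7.201606060606 or one of its dependencies could not be resolved: Failed to read artifact descriptor for org.jacoco:jacoco-maven-plugin:jar:0.7.7.201606060606: Could not transfer artifact org.jacoco:jacoco-maven-plugin:pom:0.7.7.201606060606 from/to central (https://repo.maven.apache.org/maven2): sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> [Help 1]
"""

JAVA_RE = re.compile(r"^Java version: ([\w.+-]+), vendor: [^,]+, runtime: (\S+)", re.M)
PKIX_RE = re.compile(r"from/to (\S+) \((https?://[^)\s]+)\): .*?PKIX path building failed")


def java_major(version):
    """Return the feature release: '1.8.0_292' -> 8, '9.0.4' -> 9, '15.0.2' -> 15."""
    parts = re.split(r"[._+-]", version)
    major = int(parts[0])
    return int(parts[1]) if major == 1 and len(parts) > 1 else major


def triage(log_text, min_major=15):
    """Classify a Maven log: was there a PKIX failure, against what, on which JDK?"""
    result = {"pkix_failure": False, "repos": [], "java": None, "major": None,
              "runtime": None, "verdict": "no-pkix-failure"}
    java = JAVA_RE.search(log_text)
    if java:
        result["java"], result["runtime"] = java.group(1), java.group(2)
        result["major"] = java_major(java.group(1))
    # De-duplicate failing repository URLs while keeping first-seen order.
    repos = list(dict.fromkeys(m.group(2) for m in PKIX_RE.finditer(log_text)))
    if not repos and "PKIX path building failed" not in log_text:
        return result
    result["pkix_failure"], result["repos"] = True, repos
    if result["major"] is None:
        result["verdict"] = "pkix-failure-unknown-jdk"
    elif result["major"] < min_major:
        # The case in this thread: the build ran on the image's oldest JDK.
        result["verdict"] = "old-jdk-truststore: set 'stack: jdk %d' in appveyor.yml" % min_major
    else:
        result["verdict"] = "pkix-failure-on-current-jdk: look beyond the JDK version"
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```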