testforstephen
commented
2 years ago Added this to the wiki. https://github.com/redhat-developer/vscode-java/wiki/Use-proper-cacerts-to-import-Java-projects
Open testforstephen opened 2 years ago
testforstephen
commented
2 years ago Added this to the wiki. https://github.com/redhat-developer/vscode-java/wiki/Use-proper-cacerts-to-import-Java-projects
shawnweeks
commented
2 years ago I'm running into a situation where adding the vmargs isn't sufficient to make the error go away. I'm using the 1.4.0 version of plugin on a Red Hat 7 system using the Remote SSH plugin. I've checked via ps and the trustStore parameters are added to the java command. I've copied a known good version of cacerts into the extensions jre/lib/security directory but no change. I've even used jshell included with the built in jre to do a simple http request and that works fine too against the https url that's failing in the PROBLEM section. Exact same errors from the wiki and I'm not sure where else to troubleshoot. I've tried adding -Djavax.net.debug=all to java.jdt.ls.vmargs and nothing shows up in any of the logs, it's almost like a completely separate process is used for generating those alerts and it's breaking the plugin.
mdgilene
commented
1 year ago I'm running into a situation where adding the vmargs isn't sufficient to make the error go away. I'm using the 1.4.0 version of plugin on a Red Hat 7 system using the Remote SSH plugin. I've checked via ps and the trustStore parameters are added to the java command. I've copied a known good version of cacerts into the extensions jre/lib/security directory but no change. I've even used jshell included with the built in jre to do a simple http request and that works fine too against the https url that's failing in the PROBLEM section. Exact same errors from the wiki and I'm not sure where else to troubleshoot. I've tried adding -Djavax.net.debug=all to java.jdt.ls.vmargs and nothing shows up in any of the logs, it's almost like a completely separate process is used for generating those alerts and it's breaking the plugin.
I am running into the exact same issue on nearly an identical setup. Nothing I seem to do seems to give the project importer the correct cacerts configuration. I've even tried setting _JAVA_OPTIONS globally with no luck. Can anyone comment on whether there was a resolution here?
shawnweeks
commented
1 year ago @mdgilene for me the issue didn't go away until I started updating ca certs for the entire OS using update-ca-trust. I was never able to get cacerts picked up by the underlying JVM ran by VSCode.
NewtonChutney
commented
9 months ago I am running into the exact same issue on nearly an identical setup. Nothing I seem to do seems to give the project importer the correct cacerts configuration. I've even tried setting
_JAVA_OPTIONSglobally with no luck. Can anyone comment on whether there was a resolution here?
I am facing the same issue on my work pc..
the issue didn't go away until I started updating ca certs for the entire OS using
update-ca-trust. I was never able to get cacerts picked up by the underlying JVM ran by VSCode.
But I don't think that's an issue in my case.. I tried this command from https://www.redhat.com/sysadmin/configure-ca-trust-list and I saw the cert properly configured..
openssl s_client -connect example.com:443
mariogalic
commented
1 week ago I'm running into a situation where adding the vmargs isn't sufficient to make the error go away. I'm using the 1.4.0 version of plugin on a Red Hat 7 system using the Remote SSH plugin. I've checked via ps and the trustStore parameters are added to the java command. I've copied a known good version of cacerts into the extensions jre/lib/security directory but no change. I've even used jshell included with the built in jre to do a simple http request and that works fine too against the https url that's failing in the PROBLEM section. Exact same errors from the wiki and I'm not sure where else to troubleshoot. I've tried adding -Djavax.net.debug=all to java.jdt.ls.vmargs and nothing shows up in any of the logs, it's almost like a completely separate process is used for generating those alerts and it's breaking the plugin.
Same problem here on version 1.31.0. Nothing works. Right certificates are definitely in the keystore.
mariogalic
commented
6 days ago I'm running into a situation where adding the vmargs isn't sufficient to make the error go away. I'm using the 1.4.0 version of plugin on a Red Hat 7 system using the Remote SSH plugin. I've checked via ps and the trustStore parameters are added to the java command. I've copied a known good version of cacerts into the extensions jre/lib/security directory but no change. I've even used jshell included with the built in jre to do a simple http request and that works fine too against the https url that's failing in the PROBLEM section. Exact same errors from the wiki and I'm not sure where else to troubleshoot. I've tried adding -Djavax.net.debug=all to java.jdt.ls.vmargs and nothing shows up in any of the logs, it's almost like a completely separate process is used for generating those alerts and it's breaking the plugin.
Same problem here on version 1.31.0. Nothing works. Right certificates are definitely in the keystore.
I was able to resolve this. Event though right certificates were in the truststore the error was cached from previous failed attempts and vscode would output the following error on import instead of PKIX path error:
This failure was cached in the local repository and resolution is not reattempted until the update interval...
has elapsed or updates are forced...Hence vscode would actually not re-try to import the dependencies. After purging local repository ~/.m2/repository/ and Java: Clean Java Language Server Workspace it forced vscode to redownload the dependences and it indeed picked up the custom imported certificates successfully.
For some enterprise users, they use custom certificates to override the JDK‘s own cacerts (
<JAVA_HOME>/lib/security/cacerts), so using the JDK on their machine can build and run their Java application well.Starting with 1.2.0, Java extension will use an embedded JRE 17 to launch Java extension and import user's Java projects. If user's Maven projects use dependencies from a custom Nexus HTTPS server, Java extension will probably throw PKIX errors.
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target and 'parent.relativePath' points at wrong local POMTo mitigate it, users have two approaches to add their custom cert to the JRE runtime.
Use keytool to import the custom cert to the existing cacerts of the embedded JRE.
Usually, the location of the embedded JRE cacerts is like
.../.vscode/extensions/redhat.java-1.2.0/jre/17.0.1-macosx-x86_64/lib/security/cacerts. And you have to update it again if a new redhat.java extension is released.(Recommended) Use jvm arguments to specify a custom truststore and password.
Go to user setting
"java.jdt.ls.vmargs", and append"-Djavax.net.ssl.trustStore=custompath/cacerts -Djavax.net.ssl.trustStorePassword=changeit"to it.Pls note that, the solution above is just used to solve the certs for project importing. If users want to run or debug their application with a custom cert, they must either add
-Djavax.net.ssl.trustStoreand-Djavax.net.ssl.trustStorePasswordtojava.debug.settings.vmArgs, or override<JAVA_HOME>/lib/security/cacertsof the installed JDK with their custom certs.