Closed merose closed 2 years ago
Weird, it should "just work". The yamcs.org domains use "Let's Encrypt" certificates, which are quite common.
Maybe the Let's Encrypt Root CA is not trusted in your Java's cacerts file (?).
For example on a blank AdoptOpenJDK 11 install, I can see an entry "letsencryptisrgx1" when doing keytool -list -cacerts -storepass changeit. Fingerprint corresponds with what I see in the browser dialog.
We're also using a version of OpenJDK. (I'm not that familiar with different flavors of Java. We have to use versions that are OK'd at an enterprise level. It's possible that the build includes a restricted CA list. I have no way of knowing.)
$ java -version
openjdk version "11.0.11" 2021-04-20
OpenJDK Runtime Environment AdoptOpenJDK-11.0.11+9 (build 11.0.11+9)
OpenJDK 64-Bit Server VM AdoptOpenJDK-11.0.11+9 (build 11.0.11+9, mixed mode)
$
And that version does not include the Let's Encrypt CA.
$ keytool -list -cacerts -storepass changeit | grep -i letsencrypt
$
Now that I understand the issue, I've worked around it. But maybe some info in the documentation about how to handle this situation would be helpful. Perhaps a link to the certificate file, to make it easy to find, for example.
Thanks for the response!
Added this in a new file with general development instructions, linked from main README: https://github.com/yamcs/yamcs-studio/blob/master/docs/development.md
When trying to do the "headless build" as suggested by the README file, I got a PKIX error about the yamcs.org SSL certificate. I worked around the problem like this:
openssl x509 -in cert.pem -out cert.der -outform DER
to convert.)
cp $JAVA_HOME/lib/security/cacerts .
keytool -import -alias yamcs -keystore ./cacerts -file cert.der
mvn -Djavax.net.ssl.trustStore=./cacerts -Djavax.net.ssl.trustStorePassword="changeit" package -Dtycho.localArtifacts=ignore
It would be useful to include either these steps or some other information about how to handle the yamcs.org certificate, in order to avoid build errors.
(Of course, it could be a problem with my setup, in which case please let me know what I should have done instead.)
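The workaround above trusts whatever certificate file is passed to keytool. As an added example (not part of the thread or of the yamcs project), the same import can be gated on a SHA-256 fingerprint check, comparing against a value taken from a trusted source such as the browser dialog mentioned in the reply. The function names and script name are hypothetical; the alias, store password and cacerts path are the ones used in the post.

```shell
#!/usr/bin/env bash
# Added example (function names are hypothetical, not from the yamcs project).
# Gate the trust-store import on a SHA-256 fingerprint obtained out of band.

# Print a certificate's SHA-256 fingerprint as lowercase hex (PEM or DER input).
cert_sha256() {
    local file="$1" form=DER
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$file"; then form=PEM; fi
    openssl x509 -in "$file" -inform "$form" -noout -fingerprint -sha256 |
        sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Normalise a fingerprint copied from a browser dialog or keytool output.
normalise_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Return 0 only if the file's fingerprint equals the expected one.
verify_cert() {
    local file="$1" expected actual
    expected=$(normalise_fp "$2")
    actual=$(cert_sha256 "$file")
    [ "${#expected}" -eq 64 ] || return 2   # not a full SHA-256 value
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Copy the JDK trust store (if needed) and import the certificate once verified.
import_verified() {
    local file="$1" expected="$2" store="${3:-./cacerts}"
    if ! verify_cert "$file" "$expected"; then
        echo "fingerprint mismatch: $file not imported" >&2
        return 1
    fi
    if [ ! -f "$store" ]; then
        cp "$JAVA_HOME/lib/security/cacerts" "$store" && chmod u+w "$store"
    fi
    keytool -importcert -noprompt -alias yamcs -keystore "$store" \
        -storepass changeit -file "$file"
}

# Usage: ./import-ca.sh cert.der 'AA:BB:...' [./cacerts]
if [ "$#" -ge 2 ]; then import_verified "$@"; fi
```

Because the import goes into a private copy of cacerts passed via -Djavax.net.ssl.trustStore, the JDK-wide trust store stays unchanged and the extra trust applies only to that Maven build.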