yamcs / yamcs-studio

Desktop TM/TC Client for Yamcs
https://docs.yamcs.org/yamcs-studio/
Eclipse Public License 2.0

Should add information about how to handle yamcs.org certificate while building #117

Closed merose closed 2 years ago

merose commented 2 years ago

When trying to do the "headless build" as suggested by the README file, I got a PKIX error about the yamcs.org SSL certificate. I worked around the problem like this:

  1. In a browser, navigate to https://dl.yamcs.org/p2/platform/202203021001/site.xml, the URL specified in the Maven build error.
  2. Click the lock icon in the browser location bar, and do whatever browser-specific actions you need to do to go to the certificate and export it.
  3. Convert the exported certificate to .der form, if necessary. (Firefox exported the certificate as a .pem file for me. I used openssl x509 -in cert.pem -out cert.der -outform DER to convert.)
  4. Copy cacerts from the Java installation to a new file, such as (note that your path might have /jre in it as well, depending on your Java installation): cp $JAVA_HOME/lib/security/cacerts .
  5. Import the yamcs.org certificate, in .der form, into that copy (the default password is "changeit"): keytool -import -alias yamcs -keystore ./cacerts -file cert.der
  6. Run the Maven build, specifying the new certificate keystore: mvn -Djavax.net.ssl.trustStore=./cacerts -Djavax.net.ssl.trustStorePassword="changeit" package -Dtycho.localArtifacts=ignore

It would be useful to include either these steps or some other information about how to handle the yamcs.org certificate, in order to avoid build errors.

(Of course, it could be a problem with my setup, in which case please let me know what I should have done instead.)

fqqb commented 2 years ago

Weird, it should "just work". The yamcs.org domains use "Let's Encrypt" certificates, which are quite common.

Maybe the Let's Encrypt Root CA is not trusted in your java's cacerts file (?). For example on a blank AdoptOpenJDK 11 install, I can see an entry "letsencryptisrgx1" when doing keytool -list -cacerts -storepass changeit. Fingerprint corresponds with what I see in the browser dialog.
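As an added example (not code from this thread or from the Yamcs project), a small Python check for the situation described above: it parses the output of keytool -list -cacerts -storepass changeit, reports whether the letsencryptisrgx1 root entry is present, and compares its fingerprint with a value obtained out of band, such as the one shown in the browser's certificate dialog. The keytool output and the fingerprints below are constructed placeholders, and the entry-line format is assumed from JDK 11's keytool.

```python
import re

# "alias [jdk], <date>, trustedCertEntry," as printed by keytool -list (assumed JDK 11 format)
ENTRY_RE = re.compile(r"^(?P<alias>\S+)(?: \[jdk\])?, .*trustedCertEntry,\s*$")
# "Certificate fingerprint (SHA-256): AA:BB:..." on the line that follows the entry
FP_RE = re.compile(r"^Certificate fingerprint \((?P<algo>SHA-\d+)\): (?P<fp>[0-9A-Fa-f:]+)")
LETSENCRYPT_ALIAS = "letsencryptisrgx1"  # alias of the ISRG Root X1 entry in AdoptOpenJDK 11


def parse_keytool_list(text):
    """Return {alias: (algorithm, fingerprint)} for every trusted entry in the listing."""
    entries = {}
    alias = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            alias = m.group("alias")
            continue
        m = FP_RE.match(line)
        if m and alias is not None:
            entries[alias] = (m.group("algo"), m.group("fp").upper())
            alias = None
    return entries


def normalize_fp(fp):
    """Drop separators and case so browser and keytool renderings compare equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def check_root(text, expected_fp, alias=LETSENCRYPT_ALIAS):
    """Return (present, matches): whether the alias exists in the store and
    whether its fingerprint equals the value obtained out of band."""
    entry = parse_keytool_list(text).get(alias)
    if entry is None:
        return False, False
    return True, normalize_fp(entry[1]) == normalize_fp(expected_fp)


# Constructed sample listing; the fingerprints are placeholders, not real values.
PLACEHOLDER_FP = ":".join(["AB"] * 32)
SAMPLE_WITH_ROOT = "\n".join([
    "Keystore type: JKS",
    "Your keystore contains 2 entries",
    "",
    "somerootca [jdk], Aug 25, 2016, trustedCertEntry,",
    "Certificate fingerprint (SHA-256): " + ":".join(["01"] * 32),
    "letsencryptisrgx1 [jdk], Jun 15, 2021, trustedCertEntry,",
    "Certificate fingerprint (SHA-256): " + PLACEHOLDER_FP,
])
SAMPLE_WITHOUT_ROOT = SAMPLE_WITH_ROOT.split("letsencryptisrgx1")[0]
```

Checking for the root entry, rather than importing the leaf certificate served by dl.yamcs.org, avoids a workaround that silently breaks when the short-lived Let's Encrypt server certificate is renewed.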

merose commented 2 years ago

We're also using a version of OpenJDK. (I'm not that familiar with different flavors of Java. We have to use versions that are OK'd at an enterprise level. It's possible that the build includes a restricted CA list. I have no way of knowing.)

$ java -version
openjdk version "11.0.11" 2021-04-20
OpenJDK Runtime Environment AdoptOpenJDK-11.0.11+9 (build 11.0.11+9)
OpenJDK 64-Bit Server VM AdoptOpenJDK-11.0.11+9 (build 11.0.11+9, mixed mode)
$

And that version does not include the Let's Encrypt CA.

$ keytool -list -cacerts -storepass changeit | grep -i letsencrypt
$

Now that I understand the issue, I've worked around it. But maybe some info in the documentation about how to handle this situation would be helpful. Perhaps a link to the certificate file, to make it easy to find, for example.

Thanks for the response!

fqqb commented 2 years ago

Added this in a new file with general development instructions, linked from main README: https://github.com/yamcs/yamcs-studio/blob/master/docs/development.md