scala sbt and corporate proxy - SunCertPathBuilderException

java scala ssl sbt

21,971

Solution 1

So this happens when you are behind a proxy and we need the proxy server certificate to be added to the java truststore

cp $JAVA_HOME/jre/lib/security/cacerts <some accessible dir>/
# Get the certificate of the proxy server and store it in a file-proxy.pem
keytool -keystore cacerts -import -file proxy.pem -alias my_proxy
# Now we can invoke sbt with following config
sbt  "-Djavax.net.ssl.trustStore=/path/to/included/proxycert/cacerts" compile

Solution 2

If I recall correctly, SBT indirectly uses an old version of apache commons httpclient (3.1) which doesn't respect the java system properties for specifying truststores by default.

I can think of three potential solutions:

Use a proxy repository like artifactory so SBT can only has to connect to the proxy and the proxy can take care of https outwards via the corporate proxy.
Install the corporate issuing certificate into the default truststore for the JVM (usually %JDK_HOME%/jre/lib/security/cacerts). You would have to do this each time you run a new JRE.
Try using coursier. It's a plugin for SBT which provides a different way of fetching dependencies that does not go through apache httpclient. It uses an http library which I think should respect the java system properties for truststore. It's also much faster.

Solution 3

This solved the problem:

Add -Djavax.net.ssl.trustStore="C:\Program Files\Java\jre1.8.0_121\lib\security\cacerts" to the sbt config file (sbtconfig).

If using IntelliJ Idea, click on "SBT Settings" -> JVM Options -> VM Parameters and add the same line.

The path is the path to the cacerts file that resides on the JDK path -> lib -> security.

It is necessary to import the proxy certificate with the keystore tool, as described in: SSL certificate problem in a web service proxy

Solution 4

This error can also happen if you use an outdated Java version. I've got this error using Java version 1.8.0_45-b14. Updating to Java version 11.0.2+7 (2018-10-16) solved it for me.

Just for reference, the full error message I got was:

[error] typesafe-ivy-releases: unable to get resource for com.geirsson#sbt-scalafmt;1.6.0-RC4: res=https://repo.typesafe.com/typesafe/ivy-releases/com.geirsson/sbt-scalafmt/1.6.0-RC4/jars/sbt-scalafmt.jar: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Switching to the newer Java version solved it instantly.

View more solutions

21,971

Author by

Thiago Sayão

Updated on November 04, 2021

Comments

Thiago Sayão over 2 years

When I try to use SBT some files cannot be downloaded with the following error:

Server access Error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target url=https://repo1.maven.org/maven2/org/scala-sbt/sbt/1.0.0-M4/sbt-1.0.0-M4.jar

I have followed some advice on Stack Overflow and imported the corporate proxy SSL certificate with the java keytool as described in: SSL certificate problem in a web service proxy

It does not seems to affect the SBT tool. Does it look in a different keystore? Any ideas?

If I paste the URL on the browser the file downloads.

I get this error when simply running the SBT tool I have installed. When I try to create a SBT project on IntelliJ Idea and update it, it gives me the same error with different URLs. Same thing when trying to use the lightbend activator.