scala sbt and corporate proxy - SunCertPathBuilderException

Question

When I try to use SBT some files cannot be downloaded with the following error:

Server access Error: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target url=https://repo1.maven.org/maven2/org/scala-sbt/sbt/1.0.0-M4/sbt-1.0.0-M4.jar

I have followed some advice on Stack Overflow and imported the corporate proxy SSL certificate with the java keytool as described in: SSL certificate problem in a web service proxy

It does not seems to affect the SBT tool. Does it look in a different keystore? Any ideas?

If I paste the URL on the browser the file downloads.

I get this error when simply running the SBT tool I have installed. When I try to create a SBT project on IntelliJ Idea and update it, it gives me the same error with different URLs. Same thing when trying to use the lightbend activator.

score 13 · Answer 1 · edited Feb 05 '20 at 16:12

13

So this happens when you are behind a proxy and we need the proxy server certificate to be added to the java truststore

cp $JAVA_HOME/jre/lib/security/cacerts <some accessible dir>/
# Get the certificate of the proxy server and store it in a file-proxy.pem
keytool -keystore cacerts -import -file proxy.pem -alias my_proxy
# Now we can invoke sbt with following config
sbt  "-Djavax.net.ssl.trustStore=/path/to/included/proxycert/cacerts" compile

edited Feb 05 '20 at 16:12

JulienD

6,730
9
48
77

answered Feb 07 '18 at 19:19

ameet chaubal

1,310
13
37

Added Step, Restart JVM or Computer to update the ssl certs – BCZmarts Jan 10 '19 at 21:59

score 5 · Answer 2 · answered Feb 01 '17 at 15:00

If I recall correctly, SBT indirectly uses an old version of apache commons httpclient (3.1) which doesn't respect the java system properties for specifying truststores by default.

I can think of three potential solutions:

Use a proxy repository like artifactory so SBT can only has to connect to the proxy and the proxy can take care of https outwards via the corporate proxy.
Install the corporate issuing certificate into the default truststore for the JVM (usually %JDK_HOME%/jre/lib/security/cacerts). You would have to do this each time you run a new JRE.
Try using coursier. It's a plugin for SBT which provides a different way of fetching dependencies that does not go through apache httpclient. It uses an http library which I think should respect the java system properties for truststore. It's also much faster.

score 4 · Answer 3 · edited May 23 '17 at 12:16

This solved the problem:

Add -Djavax.net.ssl.trustStore="C:\Program Files\Java\jre1.8.0_121\lib\security\cacerts" to the sbt config file (sbtconfig).

If using IntelliJ Idea, click on "SBT Settings" -> JVM Options -> VM Parameters and add the same line.

The path is the path to the cacerts file that resides on the JDK path -> lib -> security.

It is necessary to import the proxy certificate with the keystore tool, as described in: SSL certificate problem in a web service proxy

score 1 · Answer 4 · answered Nov 02 '19 at 09:15

This error can also happen if you use an outdated Java version. I've got this error using Java version 1.8.0_45-b14. Updating to Java version 11.0.2+7 (2018-10-16) solved it for me.

Just for reference, the full error message I got was:

[error] typesafe-ivy-releases: unable to get resource for com.geirsson#sbt-scalafmt;1.6.0-RC4: res=https://repo.typesafe.com/typesafe/ivy-releases/com.geirsson/sbt-scalafmt/1.6.0-RC4/jars/sbt-scalafmt.jar: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Switching to the newer Java version solved it instantly.

user1485864 · Answer 5 · 2022-05-30T14:09:17.100

1

Assuming you are under windows, which is of course configured correctly you can instead:

Download the certificate. Right-Click -> Install Certificate -> Local Machine -> Automatically.
Update C:\Program Files (x86)\sbt\conf\sbtconfig.txt

-Djavax.net.ssl.trustStore=C:\\Windows\\win.ini
-Djavax.net.ssl.trustStoreType=Windows-ROOT

Then if you use IntelliJ, you can add these parameters into the "VM parameter" of your sbt project settings.

edited May 30 '22 at 14:09

answered Jun 10 '21 at 09:11

user1485864

449
4
18

1

This fixed the certificate issues for me, no need to download the certificate, just added in the changes to the sbtconfig.txt file – Andy Long May 30 '22 at 10:28

score 0 · Answer 6 · answered Nov 03 '21 at 20:38

0

In my case it was the wrong content of SBT_OPTS environmental variable

answered Nov 03 '21 at 20:38

Ilya Yevlampiev

3,271
3
35
56

score -2 · Answer 7 · answered Mar 13 '20 at 19:07

-2

On MacOS, I solved it by running the sbt command with sudo.

answered Mar 13 '20 at 19:07

Vlad

777
1
10
21

For me, this was a problem inside IntelliJ only. Working from terminal allowed me to install the plugin and move on. – Ryan Deschamps Feb 22 '21 at 17:27

scala sbt and corporate proxy - SunCertPathBuilderException

7 Answers7

Linked